Layer access HTTPS only error

998
4
04-26-2019 11:40 AM
MollyFoley
Regular Contributor

TLDR; will getting our SSL certificate signed by a CA fix this problem? Our server security protocol has HTTP and HTTPS enforced.

I'm getting this error when trying to load a feature service from our AGS into a arcgis online map:

Unable to establish a secure connection to the layer. The layer, [layername], cannot be added to the map.

First, I'm a real beginner when it comes to AGS and http/https protocols. My knowledge is very limited, so bear with me. I am using AGS 10.6. I have been looking at this documentation:

https://enterprise.arcgis.com/en/server/latest/administer/windows/secure-arcgis-server-communication...

When I am on a machine that is not the server machine, I can login to our administrator but only using HTTP access (e.g. http://gisserver.domain.com:6080/arcgis/admin). I cannot access admin through HTTPS unless I am on the server machine. Our web adaptor is set up to not allow administrative access, so I know I cannot access AGS manager or admin through the web adaptor URL. When I try to reach our rest services through the web adaptor, I am able to use an HTTPS URL no problem.

Anyway, once in server admin, I go to security > config like it says and the protocol is set to allow HTTP and HTTPS access. SSL protocols include TLSv1.2 and the older ones. Now, I hop over to machines > [machine name] and it says our admin URL is https://gisserver.domain.com:6443/arcgis/admin. I check that our GIS server has the correct SSL certificate is assigned, which it is and it does not expire until 2028. We created this certificate last year and I assume it is self-signed, so it's not "trusted." When I go to sign into manager on the server machine I get the warning that the site is not secure. Considering our certificate has not been signed by a CA - if we get it signed by a CA, will this allow us to access our feature services on ArcGIS online? I need to get this to work so we can start using our server services in AGOL for use in Collector.

Tags (1)
0 Kudos
4 Replies
MollyFoley
Regular Contributor

While the jury is still out on whether this fixed the problem or not, I did finally realize that I was publishing my service from Desktop using a server administrator connection over port 6080 instead of over port 6443. So I was connecting to my GIS Server using a URL like this when publishing services:

http://gisserver.domain.com:6080/arcgis/admin 

instead of this:

https://gisserver.domain.com:6443/arcgis/admin

When I started publishing services with the HTTPS server administrator connection, the "unable to establish a secure connection" error went away. I started getting a new error stating the layer cannot be added to the map (the layer doesn't load in the web map), but I'm hoping this is because we're using a self-signed certificate and we might just need to have it signed by a certificate authority to fix the issue. Hopefully...

0 Kudos
MalindaFord
New Contributor

Hi Molly, 

Did you ever fix your issues?  I am having a similar problem.  I am publishing services using port 6443.  But my feature services will not load in ArcGIS Collector app.  They load in a web map through AGOL even off of the network.  Map services seem to work fine.  It is something to do with our SSL certificate, which has been signed by GoDaddy.

0 Kudos
MollyFoley
Regular Contributor

Is GoDaddy a Certificate Authority? I believe when I got it signed by a CA it fixed our problem. We had to edit the machine web server certificate to the CA signed one and it was good to go. If you aren't sure how to do that, you need to go to this URL (filled in with your own gisserver.domain info): https://gisserver.domain.com:6443/arcgis/admin. After logging in there with that same credentials you'd use on ArcGIS Server Manager page, then you should click on machines > machine you want to change the cert for > sslcertificates > make sure the signed certificate is seen here, otherwise click generate or import existing depending on your situation > go back to the specific machine's screen > edit > put the name of the certificate in the web server certificate area > save edits.

Hope that works for you.

0 Kudos
MollyFoley
Regular Contributor

I just remembered there was something else I had to do too (and maybe this is what fixed it and not the CA cert part) - when I publishing services, I noticed that on ArcGIS Online in my published feature layer settings, my Data Source URL was pointing to https://<my gisserver>.<my domain>.com:6443/arcgis/rest/services (or something very similar to that, I can't remember exactly). I think once I changed that to my web adaptor URL (https://www.domain.org/myGISServer/rest/services/...), it started being able to pull the layer in. Remember that if your services are secured too and you want to be able to see them without logging into your web map with credentials everytime, you'll want to save your credentials with the map as well so you can access your services.

0 Kudos