ArcGIS DataStore - updatesslcertificate utility doesn't work to replace SSL

07-24-2020 06:11 PM
RenatoTeixeira1
New Contributor III

Deploying Enterprise 10.7.1, I want to replace the self-signed SSL from DataStore with my own CA certificate. When I run updatesslcertificate in PowerShell or cmd (as admin) with the command:

.\updatesslcertificate.bat my.domain.com.pfx "mypassword" "myalias"

or 

updatesslcertificate.bat my.domain.com.pfx "mypassword" "myalias"

the output returns an error:

Error encountered: The data store may not have been initialized.

Additional info:

I'm using this help:

Replace ArcGIS Data Store SSL certificate—ArcGIS Data Store (Windows) Installation Guide | Documenta... 

When I open https://localhost:2443/arcgis/datastore/, the page opens OK to create a data store, and I'm trying to replace this SSL before creating a DataStore.

I'm running the command inside the installation directory: C:\Programs and Files\ArcGIS\DataStore\Tools

Windows Server 2016 on azure

Enterprise 10.7.1

ArcGIS DataStore Windows service running

ArcGIS installation directory: C:\Programs and Files\ArcGIS\DataStore\

Thanks in advance

4 Replies
JeffDeWeese
Esri Contributor

Hello. Several of us on the Architecture & Security team have looked at this and believe this may be a misconfiguration of some sort, and the recommendation is to contact Esri Technical Support for further guidance.

ChristopherPawlyszyn
Esri Contributor

Hi RENATO TEIXEIRA,

Have you tried importing the certificate following the configuration of the ArcGIS Data Store with the associated Server site? We have a defect in the works regarding the logic of the updatesslcertificate tool, but that is the established workaround for the time being. Hope that helps! Otherwise, as Jeff suggested, a support case may be helpful to pursue some additional troubleshooting angles.


-- Chris Pawlyszyn
RenatoTeixeira1
New Contributor III

I found out that the tool only works after I have joined ArcGIS Server, so I decided to give up on this certificate and use the self-signed one. My certificate is a wildcard issued by GlobalSign, and ArcGIS is not making it secure even with the root installed on the server. I really can't understand why, since the same certificate is used on the web server for the Web Adaptor and it works.

Thanks

ChristopherPawlyszyn
Esri Contributor

The certificate would have to include either a CN or SAN entry that would cover the URL you're using to access the Data Store URL. Typically when we run into issues with customers using their Web Adaptor SSL certificate on all endpoints for ArcGIS Enterprise's internal web servers, the Web Adaptor certificate covers the public-facing URLs or DNS aliases without including the internal machine FQDNs. We have logged a documentation defect internally to fix the misinformation on the Data Store configuration page in terms of importing the certificate prior to the initial configuration.


-- Chris Pawlyszyn
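
The name-coverage point in the reply above, as an added example (not part of the thread and not Esri's code): it applies the usual hostname-matching rules to show why a public wildcard certificate can validate on the Web Adaptor alias yet fail on a Data Store reached by internal FQDN or localhost. The certificate names and hostnames are constructed; only the `:2443/arcgis/datastore/` path comes from the thread.

```python
"""Which access URLs do a certificate's CN/SAN names actually cover?"""
from urllib.parse import urlsplit


def name_matches(pattern, host):
    """Match one certificate DNS name against a hostname.

    A wildcard is honoured only as the whole left-most label and stands for
    exactly one label: *.example.com covers gis.example.com, but not
    example.com or a.b.example.com. A bare *.tld pattern is rejected.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def covered_by(url, cn, sans):
    """Return the certificate names that cover the host in `url`.

    SAN DNS names take precedence; the CN is used only when no SAN exists.
    """
    host = urlsplit(url).hostname or ""
    names = sans if sans else [cn]
    return [n for n in names if name_matches(n, host)]


# Constructed sample: a public wildcard certificate and made-up hostnames.
CERT_CN = "*.example.com"
CERT_SANS = ["*.example.com", "example.com"]
ENDPOINTS = {
    "Web Adaptor (public alias)": "https://gis.example.com/portal",
    "Data Store (internal FQDN)":
        "https://gisvm01.internal.cloudapp.net:2443/arcgis/datastore/",
    "Data Store (localhost)": "https://localhost:2443/arcgis/datastore/",
}


def report(cn, sans, endpoints):
    """Map each endpoint label to the certificate names covering it."""
    return {label: covered_by(url, cn, sans) for label, url in endpoints.items()}


if __name__ == "__main__":
    for label, names in report(CERT_CN, CERT_SANS, ENDPOINTS).items():
        print(f"{label:28} {', '.join(names) if names else 'NOT covered'}")
```
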