Failed to configure SSL certificates in ArcGIS Server. Importing CA certificate failed. #272

Closed
thk70 opened this issue Mar 22, 2021 · 3 comments

thk70 commented Mar 22, 2021

The error in the subject is bound to happen if the certificate is already installed. But if you are unregistering and reregistering a server in a site (e.g. for maintenance purposes) this should just skip it or have the option to force overwrite it.
In addition to this, running the server_node recipe to reregister or rejoin the site, it will try to import the certificate 11 times before fatally failing the whole procedure.

I can manually remove the certificate before running the server_node, but please provide an option to skip this step if it's already installed or an option to force overwrite the existing certificate (alias).

Thanks,

thk70 commented Mar 22, 2021

Should probably mention that we are using Esri cookbooks version 3.6.1, Chef Client 14.14.29, and ArcGIS Enterprise 10.7

@cameronkroeker
Contributor

Hi @thk70,

When the cookbook checks to see if the SSL certificate exists, it looks for "entryType":"PrivateKeyEntry" in the response from ArcGIS Server:

def ssl_certificate_exist?(machine_name, cert_alias, entry_type = 'PrivateKeyEntry')

However, it appears that ArcGIS Server 10.7 and 10.7.1 do not include an "entryType":"PrivateKeyEntry" in the response, but 10.8 and 10.8.1 do.

10.7/10.7.1 response is missing "entryType":"PrivateKeyEntry":

DEBUG: Request: POST https://machine.domain.com:6443/arcgis/admin/machines/machine.domain.com/sslcertificates/machine.domain.com

DEBUG: Response: 200 {"aliasName":"machine.domain.com","issuer":"CN=domain Issuing CA, DC=domain, DC=com","subject":"CN=*.domain.com","subjectAlternativeNames":["DNSName: *.domain.com"],"validFrom":"Thu Mar 04 11:33:25 PST 2021","validUntil":"Sat Mar 04 11:33:25 PST 2023","keyAlgorithm":"RSA","keySize":2048,"serialNumber":"4f000038dd5677db65798833470000000038dd","version":3,"signatureAlgorithm":"SHA256withRSA","keyUsage":["Digital_Signature","Key_Encipherment"],"md5Fingerprint":"444ed35efc8ba2796f375f9fa6f9b216","sha1Fingerprint":"bf9286a4c54630e20469ac4ddbda4c510ca938c3","sha256Fingerprint":"12210799e6e735b5a4d25df7114cc5b651b5ea4afe716992c5ac9f69fc5c04a4"}

DEBUG: Request: POST https://machine.domain.com:6443/arcgis/admin/machines/machine.domain.com/sslcertificates/importExistingServerCertificate
DEBUG: Response: 200 {"status":"error","messages":["Importing CA certificate failed. "],"code":500}
ERROR: Failed to configure SSL certificates in ArcGIS Server. Importing CA certificate failed.

10.8/10.8.1 response that includes "entryType":"PrivateKeyEntry", in this case importing certificate is skipped:

DEBUG: Request: POST https://machine.domain.com:6443/arcgis/admin/machines/machine.domain.com/sslcertificates/machine.domain.com

DEBUG: Response: 200 {"aliasName":"machine.domain.com","entryType":"PrivateKeyEntry","issuer":"CN=domain Issuing CA, DC=domain, DC=com","subject":"CN=*.domain.com","subjectAlternativeNames":["DNSName: *.domain.com"],"validFrom":"Thu Mar 04 11:33:25 PST 2021","validUntil":"Sat Mar 04 11:33:25 PST 2023","keyAlgorithm":"RSA","keySize":2048,"serialNumber":"4f000038dd5677db65798833470000000038dd","version":3,"signatureAlgorithm":"SHA256withRSA","keyUsage":["Digital_Signature","Key_Encipherment"],"md5Fingerprint":"444ed35efc8ba2796f375f9fa6f9b216","sha1Fingerprint":"bf9286a4c54630e20469ac4ddbda4c510ca938c3","sha256Fingerprint":"12210799e6e735b5a4d25df7114cc5b651b5ea4afe716992c5ac9f69fc5c04a4"}

We will fix this in the next release of the cookbooks; however, in the meantime feel free to use the following workaround:

Replace line 281 in cookbooks/arcgis-enterprise/libraries/server_admin_client.rb:

JSON.parse(response.body)['entryType'] == entry_type

with:

JSON.parse(response.body)['entryType'].nil? || JSON.parse(response.body)['entryType'] == entry_type

Thanks,
Cameron K.
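
The existence check described in the comment above, as an added example that is not the cookbook's own code: it runs the original comparison and a fingerprint-aware variant over bodies abridged from the quoted responses. `alias_state`, `normalize_fp`, the error-body guard and the shape of the missing-alias reply are assumptions made for illustration.

```ruby
require 'json'

# Fingerprint copied from the DEBUG responses quoted above.
FP = '12210799e6e735b5a4d25df7114cc5b651b5ea4afe716992c5ac9f69fc5c04a4'
# Constructed sample bodies, abridged from those responses.
RESPONSE_10_7 = %({"aliasName":"machine.domain.com","sha256Fingerprint":"#{FP}"})
RESPONSE_10_8 = %({"aliasName":"machine.domain.com","entryType":"PrivateKeyEntry","sha256Fingerprint":"#{FP}"})
# Assumed shape of a "no such alias" reply, modelled on the error body quoted above.
RESPONSE_ERROR = '{"status":"error","messages":["constructed"],"code":500}'

# The comparison before the workaround: false whenever the server omits
# entryType, so the import is attempted against an alias that already exists.
def strict_match?(body, entry_type = 'PrivateKeyEntry')
  JSON.parse(body)['entryType'] == entry_type
end

# Hypothetical helper: compare fingerprints regardless of case or colons.
def normalize_fp(value)
  value.to_s.delete(':').downcase
end

# Hypothetical helper: classify what sits under the alias so the caller can
# skip (:present), import (:absent) or replace (:wrong_type, :different_cert).
def alias_state(body, expected_sha256, entry_type = 'PrivateKeyEntry')
  cert = JSON.parse(body) # parsed once instead of twice per check
  return :absent if cert['status'] == 'error' || cert['aliasName'].nil?
  # A missing entryType (10.7/10.7.1) is tolerated, as in the workaround.
  return :wrong_type unless cert['entryType'].nil? || cert['entryType'] == entry_type
  # Without entryType the alias alone proves little, so pin the certificate itself.
  normalize_fp(cert['sha256Fingerprint']) == normalize_fp(expected_sha256) ? :present : :different_cert
end

if __FILE__ == $PROGRAM_NAME
  { '10.7' => RESPONSE_10_7, '10.8' => RESPONSE_10_8, 'error' => RESPONSE_ERROR }.each do |label, body|
    puts "#{label}: strict=#{strict_match?(body)} state=#{alias_state(body, FP)}"
  end
end
```

Comparing the SHA-256 fingerprint separates "this certificate is already installed" from "something else occupies the alias", which is the skip versus force-overwrite distinction requested in the issue.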

@cameronkroeker
Contributor

@thk70

We have implemented a fix for this in the latest release, v370!

https://github.com/Esri/arcgis-cookbook/releases/tag/v3.7.0

Thanks,
Cameron K.
