Failed to configure SSL certificates in ArcGIS Server. Importing CA certificate failed. #272

Closed
thk70 opened this issue Mar 22, 2021 · 3 comments
@thk70

thk70 commented Mar 22, 2021

The error in subject is bound to happen if the certificate is already installed. But if you are unregistering and reregistering a server in a site (e.g. for maintenance purposes) this should just skip it or have the option to force overwrite it.
In addition to this, running the server_node recipe to reregister or rejoin the site, it will try to import the certificate 11 times before fatally failing the whole procedure.

I can manually remove the certificate before running the server_node, but please provide an option to skip this step if it's already installed or an option to force overwrite the existing certificate (alias).

Thanks,

@thk70
Author

thk70 commented Mar 22, 2021

Should probably mention that we are using Esri cookbooks version 3.6.1, Chef Client 14.14.29, and ArcGIS Enterprise 10.7

@cameronkroeker
Contributor

Hi @thk70,

When the cookbook checks to see if the SSL certificate exists, it looks for "entryType":"PrivateKeyEntry" in the response from ArcGIS Server:

```ruby
def ssl_certificate_exist?(machine_name, cert_alias, entry_type = 'PrivateKeyEntry')
```

However, it appears that ArcGIS Server 10.7 and 10.7.1 do not include an "entryType":"PrivateKeyEntry" in the response, but 10.8 and 10.8.1 do.

10.7/10.7.1 response is missing "entryType":"PrivateKeyEntry":

DEBUG: Request: POST https://machine.domain.com:6443/arcgis/admin/machines/machine.domain.com/sslcertificates/machine.domain.com

DEBUG: Response: 200 {"aliasName":"machine.domain.com","issuer":"CN=domain Issuing CA, DC=domain, DC=com","subject":"CN=*.domain.com","subjectAlternativeNames":["DNSName: *.domain.com"],"validFrom":"Thu Mar 04 11:33:25 PST 2021","validUntil":"Sat Mar 04 11:33:25 PST 2023","keyAlgorithm":"RSA","keySize":2048,"serialNumber":"4f000038dd5677db65798833470000000038dd","version":3,"signatureAlgorithm":"SHA256withRSA","keyUsage":["Digital_Signature","Key_Encipherment"],"md5Fingerprint":"444ed35efc8ba2796f375f9fa6f9b216","sha1Fingerprint":"bf9286a4c54630e20469ac4ddbda4c510ca938c3","sha256Fingerprint":"12210799e6e735b5a4d25df7114cc5b651b5ea4afe716992c5ac9f69fc5c04a4"}

DEBUG: Request: POST https://machine.domain.com:6443/arcgis/admin/machines/machine.domain.com/sslcertificates/importExistingServerCertificate
DEBUG: Response: 200 {"status":"error","messages":["Importing CA certificate failed. "],"code":500}
ERROR: Failed to configure SSL certificates in ArcGIS Server. Importing CA certificate failed.

10.8/10.8.1 response that includes "entryType":"PrivateKeyEntry", in this case importing certificate is skipped:

DEBUG: Request: POST https://machine.domain.com:6443/arcgis/admin/machines/machine.domain.com/sslcertificates/machine.domain.com

DEBUG: Response: 200 {"aliasName":"machine.domain.com","entryType":"PrivateKeyEntry","issuer":"CN=domain Issuing CA, DC=domain, DC=com","subject":"CN=*.domain.com","subjectAlternativeNames":["DNSName: *.domain.com"],"validFrom":"Thu Mar 04 11:33:25 PST 2021","validUntil":"Sat Mar 04 11:33:25 PST 2023","keyAlgorithm":"RSA","keySize":2048,"serialNumber":"4f000038dd5677db65798833470000000038dd","version":3,"signatureAlgorithm":"SHA256withRSA","keyUsage":["Digital_Signature","Key_Encipherment"],"md5Fingerprint":"444ed35efc8ba2796f375f9fa6f9b216","sha1Fingerprint":"bf9286a4c54630e20469ac4ddbda4c510ca938c3","sha256Fingerprint":"12210799e6e735b5a4d25df7114cc5b651b5ea4afe716992c5ac9f69fc5c04a4"}

We will fix this in the next release of the cookbooks; however, in the meantime feel free to use the following workaround:

Replace line 281 in cookbooks/arcgis-enterprise/libraries/server_admin_client.rb:

```ruby
JSON.parse(response.body)['entryType'] == entry_type
```

with:

```ruby
JSON.parse(response.body)['entryType'].nil? || JSON.parse(response.body)['entryType'] == entry_type
```

Thanks,
Cameron K.
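The two checks from the comment above, run against both response shapes. This is an added example, not part of the comment and not the cookbook's own code: the method names, the `trustedCertEntry` value, the error body for an absent alias and the guards for error or non-JSON bodies are assumptions made here, and the sample bodies are constructed by trimming the DEBUG responses quoted above.

```ruby
require 'json'

# Constructed sample bodies, trimmed from the DEBUG responses quoted above.
RESPONSE_10_7 = '{"aliasName":"machine.domain.com","keyAlgorithm":"RSA","keySize":2048}'
RESPONSE_10_8 = '{"aliasName":"machine.domain.com","entryType":"PrivateKeyEntry","keyAlgorithm":"RSA"}'
# Assumed shapes: an entry of another type, and an error body for an absent alias.
RESPONSE_OTHER_TYPE = '{"aliasName":"machine.domain.com","entryType":"trustedCertEntry"}'
RESPONSE_ERROR = '{"status":"error","messages":["constructed error"],"code":500}'

# Original check: true only when entryType is present and equal.
def strict_match?(body, entry_type = 'PrivateKeyEntry')
  JSON.parse(body)['entryType'] == entry_type
end

# Workaround check, parsing the body once. A missing entryType (10.7/10.7.1)
# counts as a match. The guards are added here (assumption): an error body,
# a body without aliasName, or non-JSON output counts as "not installed".
def tolerant_match?(body, entry_type = 'PrivateKeyEntry')
  parsed = JSON.parse(body)
  return false unless parsed.is_a?(Hash)
  return false if parsed['status'] == 'error'
  return false unless parsed.key?('aliasName')

  parsed['entryType'].nil? || parsed['entryType'] == entry_type
rescue JSON::ParserError
  false
end

# What a converge would do for the alias, based on the tolerant check.
def import_action(body)
  tolerant_match?(body) ? :skip_import : :import
end

if $PROGRAM_NAME == __FILE__
  { '10.7' => RESPONSE_10_7, '10.8' => RESPONSE_10_8,
    'other type' => RESPONSE_OTHER_TYPE, 'error' => RESPONSE_ERROR }.each do |label, body|
    puts "#{label}: strict=#{strict_match?(body)} action=#{import_action(body)}"
  end
end
```

With the tolerant check, a 10.7/10.7.1 response cannot be told apart by entry type, so any entry stored under the alias is treated as the expected key entry and the import is skipped.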

@cameronkroeker
Contributor

@thk70

We have implemented a fix for this in the latest release, v370!

https://github.com/Esri/arcgis-cookbook/releases/tag/v3.7.0

Thanks,
Cameron K.
