Closed thk70 closed 3 years ago
Should probably mention that we are using Esri cookbooks version 3.6.1, Chef Client 14.14.29, and ArcGIS Enterprise 10.7
Hi @thk70,
When the cookbook checks to see if the SSL certificate exists, it looks for "entryType":"PrivateKeyEntry" in the response from ArcGIS Server:
However, it appears that ArcGIS Server 10.7 and 10.7.1 do not include an "entryType":"PrivateKeyEntry" in the response, but 10.8 and 10.8.1 do.
10.7/10.7.1 response is missing "entryType":"PrivateKeyEntry":
DEBUG: Request: POST https://machine.domain.com:6443/arcgis/admin/machines/machine.domain.com/sslcertificates/machine.domain.com
DEBUG: Response: 200 {"aliasName":"machine.domain.com","issuer":"CN=domain Issuing CA, DC=domain, DC=com","subject":"CN=*.domain.com","subjectAlternativeNames":["DNSName: *.domain.com"],"validFrom":"Thu Mar 04 11:33:25 PST 2021","validUntil":"Sat Mar 04 11:33:25 PST 2023","keyAlgorithm":"RSA","keySize":2048,"serialNumber":"4f000038dd5677db65798833470000000038dd","version":3,"signatureAlgorithm":"SHA256withRSA","keyUsage":["Digital_Signature","Key_Encipherment"],"md5Fingerprint":"444ed35efc8ba2796f375f9fa6f9b216","sha1Fingerprint":"bf9286a4c54630e20469ac4ddbda4c510ca938c3","sha256Fingerprint":"12210799e6e735b5a4d25df7114cc5b651b5ea4afe716992c5ac9f69fc5c04a4"}
DEBUG: Request: POST https://machine.domain.com:6443/arcgis/admin/machines/machine.domain.com/sslcertificates/importExistingServerCertificate
DEBUG: Response: 200 {"status":"error","messages":["Importing CA certificate failed. "],"code":500}
ERROR: Failed to configure SSL certificates in ArcGIS Server. Importing CA certificate failed.
10.8/10.8.1 response that includes "entryType":"PrivateKeyEntry", in this case importing certificate is skipped:
DEBUG: Request: POST https://machine.domain.com:6443/arcgis/admin/machines/machine.domain.com/sslcertificates/machine.domain.com
DEBUG: Response: 200 {"aliasName":"machine.domain.com","entryType":"PrivateKeyEntry","issuer":"CN=domain Issuing CA, DC=domain, DC=com","subject":"CN=*.domain.com","subjectAlternativeNames":["DNSName: *.domain.com"],"validFrom":"Thu Mar 04 11:33:25 PST 2021","validUntil":"Sat Mar 04 11:33:25 PST 2023","keyAlgorithm":"RSA","keySize":2048,"serialNumber":"4f000038dd5677db65798833470000000038dd","version":3,"signatureAlgorithm":"SHA256withRSA","keyUsage":["Digital_Signature","Key_Encipherment"],"md5Fingerprint":"444ed35efc8ba2796f375f9fa6f9b216","sha1Fingerprint":"bf9286a4c54630e20469ac4ddbda4c510ca938c3","sha256Fingerprint":"12210799e6e735b5a4d25df7114cc5b651b5ea4afe716992c5ac9f69fc5c04a4"}
We will fix this in the next release of the cookbooks; however, in the meantime, feel free to use the following workaround:
Replace line 281 in cookbooks/arcgis-enterprise/libraries/server_admin_client.rb: https://github.com/Esri/arcgis-cookbook/blob/ae704a00cef52d34057569e36214f8669d539266/cookbooks/arcgis-enterprise/libraries/server_admin_client.rb#L281
with:
JSON.parse(response.body)['entryType'].nil? || JSON.parse(response.body)['entryType'] == entry_type
Thanks, Cameron K.
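The version-tolerant check from the workaround above, written out as an added example (not the cookbook's own code) and run against constructed, trimmed copies of the two responses in the debug log. The helper name `certificate_present?`, the alias comparison, and the error-body and non-matching entry type samples are assumptions made for illustration.

```ruby
require 'json'

# Hypothetical helper, not part of arcgis-cookbook: decides whether the
# import step can be skipped, given the body returned by the
# sslcertificates/<alias> lookup.
def certificate_present?(body, cert_alias, entry_type = 'PrivateKeyEntry')
  cert = JSON.parse(body) # parse once instead of twice
  return false unless cert.is_a?(Hash)
  # Assumption: a failed lookup uses the same {"status":"error"} shape
  # as the failed import call in the log.
  return false if cert['status'] == 'error'
  # Assumption: aliases are compared case-insensitively.
  return false unless cert['aliasName'].to_s.casecmp?(cert_alias)

  found = cert['entryType']
  # 10.7/10.7.1 omit entryType entirely; 10.8/10.8.1 include it.
  found.nil? || found == entry_type
rescue JSON::ParserError
  false # a non-JSON body is never treated as "certificate exists"
end

# Constructed sample bodies, trimmed from the responses in the thread.
RESP_107 = '{"aliasName":"machine.domain.com","subject":"CN=*.domain.com",' \
           '"keyAlgorithm":"RSA","keySize":2048}'
RESP_108 = '{"aliasName":"machine.domain.com","entryType":"PrivateKeyEntry",' \
           '"subject":"CN=*.domain.com","keyAlgorithm":"RSA","keySize":2048}'
# Constructed: an error body and an entry type that is not the expected one.
RESP_ERROR = '{"status":"error","messages":["constructed message"],"code":404}'
RESP_OTHER = '{"aliasName":"machine.domain.com","entryType":"OtherEntryType"}'

if __FILE__ == $PROGRAM_NAME
  { '10.7' => RESP_107, '10.8' => RESP_108,
    'error' => RESP_ERROR, 'other type' => RESP_OTHER }.each do |label, body|
    present = certificate_present?(body, 'machine.domain.com')
    puts format('%-10s -> %s', label, present ? 'skip import' : 'import')
  end
end
```
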
@thk70
We have implemented a fix for this in the latest release, v370!
https://github.com/Esri/arcgis-cookbook/releases/tag/v3.7.0
Thanks, Cameron K.
The error in subject is bound to happen if the certificate is already installed. But if you are unregistering and reregistering a server in a site (e.g. for maintenance purposes) this should just skip it or have the option to force overwrite it. In addition to this, running the server_node recipe to reregister or rejoin the site, it will try to import the certificate 11 times before fatal failing the whole procedure.
I can manually remove the certificate before running the server_node, but please provide an option to skip this step if it's already installed or an option to force overwrite the existing certificate (alias).
Thanks,