Closed pfoppe closed 1 year ago
For reference... If a .cer file is specified, the PSDSC configure will generate a new self-signed certificate with the specified alias and assign that to the IIS 443 bindings:
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Setting up SSL Binding with self signed certificate
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Creating Binding on Port 443 for https
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Finished Creating Binding on Port 443 for https
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Installing Self-Signed Certificate for DnsName www.example.com
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Creating New-SelfSignedCertificate for DNS:- www.example.com
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Creating using New-SelfSignedCertificate
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Finished Creating using New-SelfSignedCertificate
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Removing existing certificate at IIS:\SslBindings\0.0.0.0!443
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Installing Certificate with thumbprint and subject CN=www.example.com into IIS Binding for Port 443
[IIS_MACHINE]: [[ArcGIS_IIS_TLS]WebAdaptorCertificateInstallIIS_MACHINE] Finished Installing Certificate
All PSDSC messaging and logs indicate that the Install, License, and Configure for a base deployment is successful - IIS + (2) Web-adaptors, Portal, Server, Datastore.
We then go in and manually upload the .cer and re-assign the binding to the trusted certificate file so that clients do not receive an SSL cert error.
Thanks.
Perhaps also/even support configurations to refer to certificates directly from cloud keyvaults? The option exists in ArcGIS CB but seems not to work. Saving the artifacts gives error
and deployment fails to error
Deployment Error:- Could not find a part of the path 'C:\Users\xxxxxxx\AppData\Local\Temp\ea2fa619752a4b1394856006d064691b\AGBaseproperties.json'
as the folder doesn't exist. If I change the template to read the SSL from file - no problem. So the issue must be how keyvaults are handled. Deployment user is the owner of the keyvault.
Hello @pfoppe,
With v4.0.1, there is a new attribute, ConfigData.WebAdaptor.OverrideHTTPSBinding. Set this to false, so that the existing ssl certificate in the IIS 443 binding will not be replaced. When SslCertificates.Target is set to WebAdaptor, this will allow you to specify a .cer file for SslCertificates.Path.
Thanks, Cameron K.
Our agency Certificate Authority currently provides .cer SSL certificates without a password. Unfortunately it seems that the arcgis powershell module has multiple checks for an SSL certificate password and if the password is not set then the module generates a self-signed certificate. We then have to fix the IIS SSL Certificate after the InstallLicenceConfigure.
Thanks for the consideration.
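A post-deployment check for the situation described in this thread, added here as an example (it is not code from the ArcGIS PowerShell module or from any commenter): it reports which certificate each IIS https binding on port 443 actually carries and flags one that is self-signed or does not chain to a trusted root. The function name `Test-HttpsBindingCertificate` is hypothetical; the script assumes it runs elevated on the IIS machine and that the bound certificate lives in a LocalMachine store.

```powershell
# Added example: report the certificate behind each IIS https binding on a port.
Import-Module WebAdministration

function Test-HttpsBindingCertificate {
    param([int]$Port = 443)

    # bindingInformation has the form "ip:port:host", e.g. "*:443:".
    $bindings = Get-WebBinding -Protocol https |
        Where-Object { $_.bindingInformation -like "*:$($Port):*" }

    foreach ($b in $bindings) {
        $store = $b.certificateStoreName
        $hash  = $b.certificateHash
        $cert  = $null
        if ($store -and $hash) {
            $cert = Get-Item -LiteralPath "Cert:\LocalMachine\$store\$hash" -ErrorAction SilentlyContinue
        }
        if (-not $cert) {
            [pscustomobject]@{ Binding = $b.bindingInformation; Problem = 'No certificate found for binding' }
            continue
        }

        # Build the chain against the machine trust stores.
        # Assumption: revocation checking is skipped so the check also runs on hosts without outbound access.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $chainValid  = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Binding     = $b.bindingInformation
            Thumbprint  = $cert.Thumbprint
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)   # same name on both sides
            ChainValid  = $chainValid
            ChainStatus = $chainStatus
        }
    }
}

# Bindings that still carry a self-signed or untrusted certificate after the DSC run.
Test-HttpsBindingCertificate -Port 443 |
    Where-Object { $_.Problem -or $_.SelfSigned -or -not $_.ChainValid } |
    Format-List
```

No output from the final pipeline means every binding on the port has a certificate that chains to a root trusted by the machine.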