Closed pfoppe closed 2 years ago
Hi @pfoppe,
This is a limitation with the current module. Importing just intermediate/root certificates without importing a webserver certificate is not yet supported. In order to properly trigger the upload of the SslRootOrIntermediate certificates you will need to specify a path to a pfx file, that will be imported into ArcGIS Server. If there isn't a domain/ca signed certificate, you can use a self-signed.
Here is an example json:
```json
"SslCertificates": [
  {
    "Path": "\\\\<fileserver>.<DOMAIN>\\share$\\Certificates\\<SERVERMACHINE>.<DOMAIN>.pfx",
    "CNameFQDN": "servermachine.domain.com",
    "Password": "<REDACTED>",
    "Target": [
      "Server"
    ],
    "SslRootOrIntermediate": [
      {
        "Alias": "<ALIAS>",
        "Path": "\\\\<fileserver>.<DOMAIN>\\share$\\Certificates\\<filename>.cer"
      }
    ]
  }
]
```
I definitely agree though that importing SslRootOrIntermediate certificates without having to import a full webserver certificate is a valid and common use case, and will mark this as an Enhancement request that we can look to add in a future release.
Thanks, Cameron K.
Thanks for the pointer. We generally do not touch the ArcGIS Server certificate and leave the self-signed in place. It's been on our list (low priority) to fix that everywhere... this may be the spark for that.
At any rate, we were able to get it uploaded with the following -
```json
{
  "NodeName": "servermachine",
  "Role": [
    "Server",
    "SQLServerClient"
  ],
  "SslCertificates": [
    {
      "Path": "\\\\fileserver\\share$\\Certificates\\cert_file.pfx",
      "Password": "REDACTED",
      "CNameFQDN": "cert_alias",
      "Target": ["Server"],
      "SslRootOrIntermediate": [
        {
          "Alias": "ROOT_ALIAS",
          "Path": "\\\\fileserver\\share$\\Certificates\\ca_root_cert_file.cer"
        }
      ]
    }
  ]
}
```
Hi @cameronkroeker,
As a follow-up, we added the JSON block above to add a "machine" certificate to the server (to listen on over port 6443), AND we added the SSL Root or Intermediate block. In this scenario this was an existing server and we were doing an upgrade from 1081 to 1091. Unfortunately this block of JSON was ignored... it did NOT add either certificate to the server.
We believe we have success when adding a new server the first time (doing an install) but it seems that this block of code is ignored on an upgrade.
So at this point, I think there are 2 enhancements to consider -
Thanks for the consideration!
Hi @pfoppe,
We have addressed the first item in v4.0.0. SslRootOrIntermediate certificates can now be imported without specifying a machine certificate. For item #2 please submit that as a separate enhancement request.
https://github.com/Esri/arcgis-powershell-dsc/releases/tag/v4.0.0
Example:
```json
{
  "NodeName": "portalmachine",
  "Role": [
    "Portal"
  ],
  "SslCertificates": [
    {
      "Target": [
        "Portal"
      ],
      "SslRootOrIntermediate": [
        {
          "Alias": "ROOT_ALIAS",
          "Path": "\\\\fileserver\\share$\\Certificates\\ca_root_cert_file.cer"
        }
      ]
    }
  ]
}
```
Thanks, Cameron K.
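The two rules this thread settles on (before v4.0.0 a SslRootOrIntermediate entry only takes effect when a machine .pfx certificate is also supplied; from v4.0.0 the CA entry can stand alone) are easy to get wrong in a hand-edited node config, and a silently ignored chain certificate is exactly the kind of failure that only surfaces when clients start rejecting the server's TLS chain. The following is an added example, not code from the arcgis-powershell-dsc project: a stdlib-only Python validator that checks a node's SslCertificates block against those rules and builds the per-machine admin endpoint the certificate should land in, using the URL shape from the issue's Expected Behavior section. The version-comparison helper, the `.pfx`/`.cer` extension checks, the Target-versus-Role cross-check and the sample configs are assumptions made here for illustration.

```python
"""Validate the SslCertificates block of an arcgis-powershell-dsc node config.

Added example, not project code. Rules encoded are those stated in the thread:
  * a machine certificate needs Path (.pfx), Password and CNameFQDN;
  * each SslRootOrIntermediate entry needs Alias and a .cer Path;
  * before v4.0.0 a chain entry without a machine certificate is ignored.
The admin URL shape follows the issue's Expected Behavior section; the domain
argument and the version helper are assumptions for this example.
"""
import re

_SEMVER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Turn 'v4.0.0' or '4.0.0' into a comparable (major, minor, patch) tuple."""
    m = _SEMVER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def expected_admin_url(node_name, domain, port=6443):
    """Per-machine sslcertificates endpoint; the machine name must be in the path."""
    fqdn = f"{node_name}.{domain}"
    return f"https://{fqdn}:{port}/arcgis/admin/machines/{fqdn}/sslcertificates"


def validate_node(node, module_version):
    """Return a list of (severity, message) findings for one node entry."""
    findings = []
    version = parse_version(module_version)
    if not node.get("NodeName"):
        findings.append(("error", "NodeName is required"))
    roles = node.get("Role") or []
    for i, cert in enumerate(node.get("SslCertificates", [])):
        where = f"SslCertificates[{i}]"
        machine_path = cert.get("Path") or ""
        has_machine_cert = bool(machine_path)
        if has_machine_cert:
            if not machine_path.lower().endswith(".pfx"):
                findings.append(("error", f"{where}.Path must point to a .pfx file"))
            for key in ("Password", "CNameFQDN"):
                if not cert.get(key):
                    findings.append(("error", f"{where}.{key} is required with a machine certificate"))
        targets = cert.get("Target") or []
        if not targets:
            findings.append(("error", f"{where}.Target must list at least one component"))
        for t in targets:
            if t not in roles:
                findings.append(("warning", f"{where}.Target '{t}' is not among the node roles {roles}"))
        chain = cert.get("SslRootOrIntermediate") or []
        for j, ca in enumerate(chain):
            cw = f"{where}.SslRootOrIntermediate[{j}]"
            if not ca.get("Alias"):
                findings.append(("error", f"{cw}.Alias is required"))
            if not (ca.get("Path") or "").lower().endswith(".cer"):
                findings.append(("error", f"{cw}.Path must point to a .cer file"))
        if chain and not has_machine_cert and version < (4, 0, 0):
            findings.append(("error", f"{where}: SslRootOrIntermediate without a machine "
                                      f"certificate is ignored before v4.0.0 (module is {module_version})"))
    return findings


# Constructed sample configs mirroring the shapes posted in the thread.
CA_ONLY_PORTAL_NODE = {
    "NodeName": "portalmachine",
    "Role": ["Portal"],
    "SslCertificates": [{
        "Target": ["Portal"],
        "SslRootOrIntermediate": [{
            "Alias": "ROOT_ALIAS",
            "Path": "\\\\fileserver\\share$\\Certificates\\ca_root_cert_file.cer",
        }],
    }],
}

FULL_SERVER_NODE = {
    "NodeName": "servermachine",
    "Role": ["Server", "SQLServerClient"],
    "SslCertificates": [{
        "Path": "\\\\fileserver\\share$\\Certificates\\cert_file.pfx",
        "Password": "REDACTED",
        "CNameFQDN": "cert_alias",
        "Target": ["Server"],
        "SslRootOrIntermediate": [{
            "Alias": "ROOT_ALIAS",
            "Path": "\\\\fileserver\\share$\\Certificates\\ca_root_cert_file.cer",
        }],
    }],
}

if __name__ == "__main__":
    for label, node, ver in (("ca-only/v4.0.0", CA_ONLY_PORTAL_NODE, "v4.0.0"),
                             ("ca-only/v3.9.9", CA_ONLY_PORTAL_NODE, "v3.9.9"),
                             ("full/v3.9.9", FULL_SERVER_NODE, "v3.9.9")):
        print(label, validate_node(node, ver) or "OK")
    print(expected_admin_url("servermachine", "domain.example"))
```

Run it against each node of a real configuration before invoking the DSC run; an empty findings list means the block is at least structurally capable of being applied, and the printed URL is where to look in the ArcGIS Server admin API afterwards to confirm the certificate actually arrived.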
Thank you @cameronkroeker and Esri PSDSC team!
I have added a new issue for the second problem - https://github.com/Esri/arcgis-powershell-dsc/issues/409
Expected Behavior
The .cer should have been added to the https://SERVERMACHINE:6443/arcgis/admin/machines/SERVERMACHINE.DOMAIN/sslcertificates location
Actual Behavior
Certificate was not added
Steps to Reproduce
Nothing further to add
Important Factoids
We have attempted many iterations of this without success. With the above JSON file, we observed the following in the ArcGISServer--Verbose.txt file:
With the key thing being that the request to add the cert is missing the machine name in the API call.
Furthermore, we've attempted moving this around to the "global" configData section and it just gets ignored. We also normally have the server node with a SQL Server client and when that happens, it seems the SslRootOrIntermediate is ignored -
At this point, no matter what we have tried, we cannot get the SslRootOrIntermediate to take...
Ideally we could set the role of the node to both "Server" and "SQLServerClient" and get the SslRootOrIntermediate to take. Either in the global ConfigData or within the node configuration itself.
Thanks.