We have two different servers. One of them is https://www.domain.gov and everything is working fine. Another server has the subdomain “gis”, so https://gis.domain.gov and is also working. They are both proxied. I downloaded an origin certificate and installed it on the subdomain machine, and then went through the IIS steps to get it to work. I’m wondering if there may be additional steps that I don’t know about.
The problem we have is when we try to log in to ESRI ArcGIS Portal 11. When we try to log in to https://gis.domain.gov/portal, the login just spins until the page eventually times out. Then, if we truncate the parameters of the url and load the page, it works and the user is logged in. Testing with localhost, it appears to work properly, and ESRI has advised us to check with Cloudflare. Our network support company advised us to try turning off the proxy, but then we cannot load the page, and we get a "Your connection is not private", NET::ERR_CERT_AUTHORITY_INVALID. I think this may be because I downloaded an origin certificate and it’s not the right kind of certificate to be able to use if the DNS is not proxied for that subdomain A record. And that’s just to be able to determine if the proxy is actually the problem with the ArcGIS Portal login.
Can anybody provide any guidance to me about whether I need to get a different SSL, configure something different in IIS, and adjust a configuration in the Cloudflare interface? We’re caught at a point between ESRI and Cloudflare and ESRI is asking to check before they do any more troubleshooting.
Then when I truncate the url to https://gis.domain.gov/portal/home/ and hit enter, the page loads and the user is logged in. I should have been more clear. When we use the dns name (proxied and using origin certificate), this is what happens. If we use localhost, it works without the unresponsiveness and needing to truncate the url. I’m not aware of what the problem actually is, whether it’s potentially the proxy, SSL, or something else. The next step of our troubleshooting is to be able to turn off the proxy for that subdomain.
For the second question, I downloaded an origin certificate and used IIS to install it. We are on the Pro Plan. I did not try uploading a Custom certificate for our Origin. If I read that “Custom certificates” link correctly, it sounds like we can just buy and install our own SSL. Does Cloudflare offer an SSL that we can buy?
We are having the exact same issue!!! In short, the web adaptor has an imported origin cert into IIS. Everything is routing to dpnls.com correctly. However, when trying to navigate to the full ArcGIS portal (dpnls.com/portal/home/index.html) we have the same problems. Disabling proxy of the A record does allow the site to work without encryption but this is not wanted, of course.
I am not sure what I need to configure as well. After reading some documentation from ESRI it seems that the web adapter and ArcGIS server communicate over SSL, port 7443/6443, to relay data from the data store to the web server.
In short, I believe that the mix up is that the origin cert is working as intended but we need an EDGE cert to be working all the servers
1) Create self signed cert
2) Request CA to sign cert
3) Configure ArcGIS server to use cert
4) Configure each machine in deployment
5) Configure HTTPS on ArcGIS Web Adaptor
6) Test
I’m assuming you’re deploying a multi machine system. So I apologize if this doesn’t help. It just seems that we are experiencing the exact issue. Have you found any answers and does my analysis seem correct?
Do not use the proxy or origin cert. Instead generate a different cert. In our case we used win-acme to generate a cert with Let’s Encrypt. We have lost the best features of Cloudflare and security but now the ESRI server works. I would like to see if Cloudflare has any input on this.
Thanks for the guidance. I was hopeful that we’d still be able to use the proxy by switching to an Edge certificate like you mentioned in your earlier reply, but probably the most simple approach is just to get an SSL on our own and install it, and turn off the proxy. This is the only aspect of the ESRI ArcGIS Server 11 install that was not working, and I wonder if ESRI may update it so things work in a future release. If Cloudflare has any ideas we can try to still be able to use the proxy for the subdomain I would like to know what they are as well. Our environment has an internal server for ArcGIS Server and an external server for the Web Adaptor.
Your response is very helpful. I think we’ll try our own SSL, remove the origin SSL and turn off the proxy. We will also be missing out on the security of Cloudflare, but maybe between ESRI and Cloudflare, one of the companies will make an update that will allow the proxy to be turned on in the future.