SSL/TLS Certificate Setup Issue

I have been trying to get a public certificate to work on a App server which belongs to a local Windows domain. I tested the DNS and it routes me to the correct server.

At first the server name under Server manager was the local Windows server name to which I linked the public certificate. e.g. Windows server name is: computername.domain-name.local and public cert is: epicor.public-domain.com. With this configuration I cannot connect to the app server in the Admin Console. I get the following error: Could not establish trust relationship for the SSL/TLS secure channel with authority…

I then changed the server name in the Admin Console to be the same as the public certificate subject name however I receive the same error.

Next I updated the URL for the app server to the public domain but when I apply this in Properties of the app server it prompts me for a domain login:
image

This window does not accept credentials for the on-premise server though.

What do I need to do to get the public certificate to work with my on-premise app server?

What version?

And is it a wildcard cert?

Also, are you only getting this in the admin console or do you also get it on the client?

Can you share your IIS Configuration?
Its Anonymous Authentication is enabled and Certificate is binded in IIS.

image

1 Like

Not sure you can get a Public cert to work. (.local) domains were depreciated in 2011 and phased out of certificates in 2015. If possible I would do a domain rebuild using the now accepted format of “internal.yourdomain.com” vs your current “yourdomain.local.com”. Here are some articles that may give you away forward.

https://www.digicert.com/kb/advisories/internal-names.htm

https://www.globalsign.com/en/blog/certificates-for-internal-servers

1 Like

@utaylor it is version 11.1.200.6

@utaylor No it is not a wildcard certificate.

Seems to be only in the Admin Console. The client says the server is offline. In IIS I can see it running though.

@fakhruddin

Here are the configurations:
image

image

What is the endpoint URL for your app server, does it use that same host name address that you have in your 443 binding?

Hello its everyones favorite Server Admin (Am I right @josecgomez and @jgiese.wci or am I right)

Anywho… The part about .local being depreciated is effectively correct but rebuilding your domain is insane.

The fix is fairly straightforward. ON the Epicor server you should have been prompted to setup a self signed cert for computername.domain-name.local during setup or adding of the server to admin console. I cant remember exactly where it happens. Anyway. Pop open IIS Admin and go to the default site. Open the Bindings configuration. We are going to add a second HTTPS binding (first image) as you see below. One one of them you will add the epicor.public-domain.com certificate. (Second Image) and on the other one you will add the self signed .local certificate and select the Require SNI check box. (Third image)

RemoteDesktopManager64_2022-07-27_07-49-57

RemoteDesktopManager64_2022-07-27_07-49-33

RemoteDesktopManager64_2022-07-27_07-49-08

Once this is configured Admin console should connect just find using the computername.domain-name.local certificate and end points will work properly using the public epicor.public-domain.com certificate… Make sure you add your endpoint and cert to the deployment

Let me know if you have issues. This all worked for me.

6 Likes

You are my favorite and my least favorite at the same time since you are the only one of “those people” I speak to. shudder :rofl:

1 Like

Earl I never thought to add another binding!

I had solved it by changing the endpoint URL on the properties tab for my app pool in the admin console and then adding a CNAME entry in DNS.

BUT wouldn’t adding the second binding as you show above make it so that I don’t need to add a CNAME entry in DNS?

I am very out of touch with networking and IIS if you can’t tell.

Just make sure in web config file, MultipleSiteBindings is enabled.

image

1 Like

It depends overall on how your DNS is setup. If you are full split DNS internally (meaning you host both .local and .com on your internal DNS) then you would just use an A record for the .com to the server IP.

Thank you Fakhruddin, I didn’t know you would need that.

@EarlGrei do you have that set? The multiple bindings?

Okay, so still an entry needed.

I do not.

I should note that this is all stuff I did to get Kinetic 2022.1.7 working. I imagine it will apply directly out to any version where the admin console is requiring a machine name cert and the endpoints will need a different one (basically where admin console cannot use net.tcp)

1 Like

Yes you still need a DNS entry for both the .local AND the .com resolution. I can get all networky and explain a few scenarios where you would not need to but thats probably beyond the scope of this discussion.

Thank you! this helped.

Awesome. So rarely I get to contribute around here because everyone is asking direct Epicor stuff that is beyond me not Net and server Admin stuff. so YAY!!!

2 Likes