I have been trying to get a public certificate to work on an App server which belongs to a local Windows domain. I tested the DNS and it routes me to the correct server.
At first the server name under Server manager was the local Windows server name to which I linked the public certificate. e.g. Windows server name is: computername.domain-name.local and public cert is: epicor.public-domain.com. With this configuration I cannot connect to the app server in the Admin Console. I get the following error: Could not establish trust relationship for the SSL/TLS secure channel with authority…
I then changed the server name in the Admin Console to be the same as the public certificate subject name; however, I receive the same error.
Next I updated the URL for the app server to the public domain but when I apply this in Properties of the app server it prompts me for a domain login:
This window does not accept credentials for the on-premise server though.
What do I need to do to get the public certificate to work with my on-premise app server?
Not sure you can get a public cert to work. (.local) domains were deprecated in 2011 and phased out of certificates in 2015. If possible I would do a domain rebuild using the now accepted format of “internal.yourdomain.com” vs your current “yourdomain.local.com”. Here are some articles that may give you a way forward.
Hello, it's everyone's favorite Server Admin (am I right @josecgomez and @jgiese.wci, or am I right?)
Anywho… The part about .local being deprecated is effectively correct, but rebuilding your domain is insane.
The fix is fairly straightforward. On the Epicor server you should have been prompted to set up a self-signed cert for computername.domain-name.local during setup or when adding the server to Admin Console. I can't remember exactly where it happens. Anyway. Pop open IIS Admin and go to the default site. Open the Bindings configuration. We are going to add a second HTTPS binding (first image) as you see below. On one of them you will add the epicor.public-domain.com certificate (second image) and on the other one you will add the self-signed .local certificate and select the Require SNI check box (third image).
Once this is configured, Admin Console should connect just fine using the computername.domain-name.local certificate and endpoints will work properly using the public epicor.public-domain.com certificate… Make sure you add your endpoint and cert to the deployment.
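The two-binding setup described above, scripted with the IIS WebAdministration module, as an added example that is not from the thread or from Epicor. The site name, host names and certificate lookups are assumptions; it assumes both certificates are already installed in the machine's personal store and that the self-signed .local cert is trusted by the machine running Admin Console.

```powershell
# Added example: create the two HTTPS bindings from the reply above.
# Assumed values: site name, host names; certificates found by subject.
Import-Module WebAdministration

$site       = "Default Web Site"
$publicHost = "epicor.public-domain.com"          # public cert subject (endpoints)
$localHost  = "computername.domain-name.local"    # machine-name cert subject (Admin Console)

# Locate both certificates in LocalMachine\My (assumed to be installed already)
$publicCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$publicHost*" } | Select-Object -First 1
$localCert  = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$localHost*" } | Select-Object -First 1
if (-not $publicCert -or -not $localCert) { throw "certificate not found in LocalMachine\My" }

# Binding 1: public name without Require SNI (SslFlags 0).
# This becomes the default cert for clients that send no SNI name.
New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $publicHost -SslFlags 0
(Get-WebBinding -Name $site -Protocol https -HostHeader $publicHost).AddSslCertificate($publicCert.Thumbprint, "My")

# Binding 2: .local name with Require SNI (SslFlags 1).
# Only clients that send the .local host name in SNI get the self-signed cert.
New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $localHost -SslFlags 1
(Get-WebBinding -Name $site -Protocol https -HostHeader $localHost).AddSslCertificate($localCert.Thumbprint, "My")

# What http.sys now holds: one IP:port binding and one hostname:port (SNI) binding
Get-ChildItem IIS:\SslBindings | Format-Table IPAddress, Port, Host, Thumbprint -AutoSize

# Check which certificate the server presents for each SNI name.
# The callback accepts any cert because this only inspects what is served;
# it is not how the Admin Console or clients validate the chain.
function Get-ServedCertSubject([string]$serverName, [string]$target = "localhost") {
    $client = New-Object System.Net.Sockets.TcpClient($target, 443)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($serverName)   # $serverName is sent as the SNI host name
        return $ssl.RemoteCertificate.Subject
    } finally { $ssl.Dispose(); $client.Dispose() }
}
Get-ServedCertSubject $publicHost   # subject of the cert served for the public name
Get-ServedCertSubject $localHost    # subject of the cert served for the .local name
```

If the second check does not return the .local subject, the SNI binding is missing or the cert was bound to the wrong binding, which is the same trust error the Admin Console reports.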
It depends overall on how your DNS is set up. If you are full split DNS internally (meaning you host both .local and .com on your internal DNS) then you would just use an A record for the .com to the server IP.
I should note that this is all stuff I did to get Kinetic 2022.1.7 working. I imagine it will apply directly out to any version where the admin console is requiring a machine name cert and the endpoints will need a different one (basically where admin console cannot use net.tcp)
Yes, you still need a DNS entry for both the .local AND the .com resolution. I can get all networky and explain a few scenarios where you would not need to, but that's probably beyond the scope of this discussion.
Awesome. So rarely do I get to contribute around here, because everyone is asking direct Epicor stuff that is beyond me, not net and server admin stuff. So YAY!!!