Error "Package server could not access own Web Site using HTTPS" on Package Servers with Windows Server 2012

Article ID: 163901

Products

IT Management Suite

Issue/Introduction

Symantec Management Agent (SMA) logs several messages referring to "Package server could not access own Web Site using HTTPS".

NOTE: Functionally, the packages remain accessible, both on the package server itself and when requested by client machines. For example, the following URL returned the expected resources, showing that the packages are available over HTTPS:

https:///Altiris/PS/Share/pkggroup_%7B562664ad-792e-4b54-bce4-50a35096d58c%7D/%7B6D417916-467C-46A7-A870-6D86D9345B61%7D/cache


"Package server could not access own Web Site using HTTPS"

Environment

Windows 2012 site servers

Cause

IIS tries to validate the root certificates of the chain and cannot find them in the certificate store it searches.

In short, starting with Windows Server 2012, when IIS validates the certificate chain of a non-self-signed certificate, it now searches the "Client Authentication Issuers" store.

Resolution

This issue has been reported to the Symantec Development team. Changes have been included in ITMS 8.0 HF5 and later to handle this situation in accordance with the changes Microsoft made in Windows Server 2012 and Windows 8.

The official suggestion from Microsoft is to remove all non-self-signed certificates from the Trusted Root store, as described here:

https://support.microsoft.com/en-us/kb/2802568

The changes in SSL are described here:

https://technet.microsoft.com/en-us/library/hh831771.aspx

Actions to fix the problem:

Copy all the issuer certificates from your certificate chain into the "Client Authentication Issuers" store of the Local Computer.

  • Use the "mmc.exe" console (Certificates snap-in) for this.

When IIS bindings already exist, the system SSL binding records need to be modified to point to the correct store. Since the command-line tool does not support editing an existing binding, the system binding has to be recreated:

  1. Get information about existing binding:

    netsh http show sslcert

    This command dumps the existing binding information. Find the port that represents the desired binding.

    NOTE: Save the port, application ID, and certificate thumbprint somewhere; they are required at step 3.

  2. Remove the existing binding configuration, e.g.:

    netsh http delete sslcert ipport=0.0.0.0:443

  3. Recreate the binding, e.g.:

    netsh http add sslcert ipport=0.0.0.0:443 certhash=0b2261ebcbda378c69251942651c46e7cc73674a appid={4dc3e181-e14b-4a21-b022-59fc669b0914} sslctlstorename=ClientAuthIssuer

    Important note! The "ipport", "appid" and "certhash" values must be the ones obtained at step 1. If you are re-using the same certificate, the certhash is unchanged. If you are replacing the certificate, import the new certificate first, then copy its thumbprint and use that as the certhash when you rebind at the command line. The appid stays the same one you gathered earlier.

    No restarts are needed.
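As an added example (not part of the Symantec article or the ITMS product), the following PowerShell script performs the certificate copy and the three netsh steps above for one binding. It assumes the binding is on 0.0.0.0:443, that the server certificate is in the Local Computer Personal store, and that Cert:\LocalMachine\ClientAuthIssuer is the "Client Authentication Issuers" store; run it in an elevated session on the package server.

```powershell
param(
    [string]$IpPort = '0.0.0.0:443'   # assumption: the HTTPS binding to rebuild
)

# Step 1: read the existing binding (equivalent to "netsh http show sslcert").
$dump     = netsh http show sslcert ipport=$IpPort
$certHash = ($dump | Select-String 'Certificate Hash\s*:\s*(\S+)').Matches[0].Groups[1].Value
$appId    = ($dump | Select-String 'Application ID\s*:\s*(\S+)').Matches[0].Groups[1].Value
if (-not $certHash -or -not $appId) { throw "No SSL binding found for $IpPort" }

# Copy every issuer of the chain into the Client Authentication Issuers store.
# Assumption: the leaf certificate lives in LocalMachine\My (thumbprint compare is case-insensitive).
$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $certHash }
if (-not $leaf) { throw "Certificate $certHash not found in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the chain members are needed here
[void]$chain.Build($leaf)

$issuerStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('ClientAuthIssuer', 'LocalMachine')
$issuerStore.Open('ReadWrite')
foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    if ($cert.Thumbprint -ne $leaf.Thumbprint) {   # issuers only, not the leaf itself
        $issuerStore.Add($cert)                    # Add() is a no-op if it is already present
    }
}
$issuerStore.Close()

# Steps 2 and 3: recreate the binding with the same hash and appid,
# now pointing at the ClientAuthIssuer store.
netsh http delete sslcert ipport=$IpPort | Out-Null
netsh http add sslcert ipport=$IpPort certhash=$certHash "appid=$appId" sslctlstorename=ClientAuthIssuer

# Verify: "Ctl Store Name" should now read ClientAuthIssuer.
netsh http show sslcert ipport=$IpPort
```

After the script runs, the "Package server could not access own Web Site using HTTPS" messages should stop appearing in the agent log; if they persist, confirm the issuer certificates are visible under Client Authentication Issuers in mmc.exe.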