Package Server is not publishing HTTPS codebases.


Article ID: 172128


Updated On: 11-11-2024

Products

IT Management Suite

Issue/Introduction

After installing the Package Service on your Site Server, you notice that it only provides UNC or HTTP codebases, even when "Publish HTTPS codebase" is selected (under Settings>All Settings>Notification Server>Site Server Settings>Package Service>Package Service Settings).

The agent logs show that virtual directories are being created, which means all required IIS features are installed.

Environment

SMP 8.x

Cause

For some reason, IIS did not bind the assigned certificate to port 443, even though IIS shows a certificate bound to it.
The HTTPS codebases also depend on the bindings in IIS. If those are not OK, HTTPS is not configured and does not show up in the UI.
The bindings do exist, but not only in IIS: they are also configured at the Windows level (visible with the “netsh http show sslcert” cmd command). If some application changes the Windows binding, IIS does not know anything about it and could show old values in its own UI. The two have a complicated relationship. Also, if the “Force” flag is not set in the Package Server (PS) policy, the Agent (on the PS) may not (re)create or update the binding if it decides that the binding is not our own.
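
The Windows-level binding described above can be inspected without changing anything. The following PowerShell is an added example, not part of the original article or of the product's own tooling; it assumes English netsh output and an elevated session on the Package Server, and Get-HttpSysSslBinding is a hypothetical helper name.

```powershell
# Added example: read-only check of the Windows-level (HTTP.sys) SSL binding for port 443.
# Assumptions: English netsh output, elevated session, run on the Package Server.
# Get-HttpSysSslBinding is a hypothetical helper name, not a built-in cmdlet.
function Get-HttpSysSslBinding {
    param([string[]]$NetshOutput = (netsh http show sslcert))
    $current = $null
    foreach ($line in $NetshOutput) {
        # Each binding is a block of "Name : Value" lines opened by IP:port or Hostname:port.
        if ($line -match '^\s*(?:IP|Hostname):port\s*:\s*(\S+)') {
            if ($current) { [pscustomobject]$current }
            $current = [ordered]@{
                Endpoint = $Matches[1]; CertificateHash = $null
                ApplicationId = $null;  StoreName = 'MY'
            }
        }
        elseif ($current -and $line -match '^\s*Certificate Hash\s*:\s*(\S+)') {
            $current.CertificateHash = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Application ID\s*:\s*(\S+)') {
            $current.ApplicationId = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*Certificate Store Name\s*:\s*(\S+)') {
            # netsh prints "(null)" when the default store (MY) is used.
            if ($Matches[1] -ne '(null)') { $current.StoreName = $Matches[1] }
        }
    }
    if ($current) { [pscustomobject]$current }
}

$bindings = @(Get-HttpSysSslBinding | Where-Object { $_.Endpoint -match ':443$' })
if (-not $bindings) { Write-Warning 'No Windows-level SSL binding found for port 443.' }

foreach ($b in $bindings) {
    # Look the bound thumbprint up in the machine store the binding points at.
    $cert = Get-ChildItem "Cert:\LocalMachine\$($b.StoreName)" |
        Where-Object { $_.Thumbprint -eq $b.CertificateHash } | Select-Object -First 1
    [pscustomobject]@{
        Endpoint      = $b.Endpoint
        Thumbprint    = $b.CertificateHash
        ApplicationId = $b.ApplicationId
        InStore       = [bool]$cert
        HasPrivateKey = [bool]($cert -and $cert.HasPrivateKey)
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
        Expired       = [bool]($cert -and $cert.NotAfter -lt (Get-Date))
    }
}
```

A thumbprint here that differs from the certificate selected in the IIS Manager bindings dialog, or a row with InStore set to False, is consistent with the out-of-sync binding described in this section.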

One thing to consider is that the Package Service on the SMP is not recommended since the SMP by nature is a package server and is already providing codebases to any client or package server that needs those packages.

Resolution

Check the following KB Articles first, just in case the server is missing important IIS feature settings:

"Package Server only publishes UNC codebases even when IIS is installed", if Required IIS Features are missing (KB 164960)

In this particular case, we had to do the following:

  1. Open the bindings section on the Default Web Site (under IIS Manager>Server name>Sites>Default Web Site, then click Bindings in the right pane)
  2. Select the HTTPS type on port 443
  3. Click the EDIT button. Change the SSL CERTIFICATE in the drop-down from the currently in use certificate to NOT SELECTED.
  4. Then without clicking the OK button, change it back to use the previously selected SSL certificate.
  5. Click the OK button to return to the Site Bindings window. Then click the CLOSE button.
    NOTE: You can also delete and re-create the binding for port 443 instead of doing steps 3-5 above.

Once that is done, go to the Agent UI>Package Server tab>Refresh All Packages; HTTPS codebases are now generated.

Note:

If the suggestion above works, but after rebooting the package server the error "Package Server could not access own Web Site using HTTPS" comes back, try the following:

On the SMP Console, under Settings>Notification Server>Site Server Settings, find the affected Package Server under "Site Servers" and click on "Override the global settings by custom settings" for the "Certificates Rollout" section (depending on the SMP version, it may be called "Web Configuration" section).

Make sure to:

  1. Select "Install intranet certificate"
  2. Use Port 443
  3. Select "Force overwrite HTTPS binding"
  4. Select "Use master certificate"
  5. Unselect "Install CEM certificate" (since these were not CEM site servers)
  6. Enable policy.

After the package server gets the new configuration, restart the Altiris agent service. Check if the error is still present.

Note: In another version, it may look like this:

  1. Select "Configure HTTPs binding" under Configure HTTPs on site servers
  2. Use Port 443
  3. Select "Force overwrite HTTPS binding"
  4. Select "Install certificate"
  5. Select "Use master certificate"
  6. Unselect "Install CEM certificate" (since these were not CEM site servers)
  7. Enable policy.