ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Package Server is not publishing HTTPS codebases.

book

Article ID: 172128

calendar_today

Updated On:

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

The customer noticed that after he installed the package service on his Site Server only provides UNC or HTTP codebases, even when he has selected "Publish HTTPS codebase" (under Settings>All Settings>Notification Server>Site Server Settings>Package Service>Package Service Settings).

From the agent logs we can see that virtual directories are being created, this means all required IIS features are installed.

Cause

IIS for some reason didn't bind to port 443 the assigned certificate even though IIS showed a certificate bound to it.
The HTTPS codebases depend also on bindings in the IIS. If those are not OK, the HTTPS is not configured and not show up in the UI.
The bindings do exist not only in IIS, they are also configured on Windows level (visible by “netsh http show sslcert” cmd command), and if some app is changing the windows binding, the IIS do not know anything about it and could show old values in the own UI. They have a complicated relationships. Also, if “Force” flag is not set in PS policy, it could happen that Agent (on the PS) will not (re)create/update the binding, if it decides that binding is not our own.

One thing to consider is that Package Service on the SMP is not really recommended since the SMP by nature is a package server already providing codebases to any client or package server that needs those packages

Environment

Windows Server 2012 R2
SMP 8.1 and later

Resolution

Check first the following KBs just in case you are not missing important IIS feature settings:

164960 Package Server only publishes UNC codebases even when IIS is installed, if Required IIS Features are missing

160917 Required IIS features for the package server

In this particular case, we had to do the following:

  1. Open the bindings section on the Default Web Site (under IIS Manager>Server name>Sites>Default Web Site>on the right pane click on Bindings)
  2. Select the HTTPS type on port 443
  3. Click the EDIT button. Change the SSL CERTIFICATE in the drop-down from the currently in use certificate to NOT SELECTED.
  4. Then without clicking the OK button, change it back to use the previously selected SSL certificate.
  5. Click the OK button to return to the Site Bindings window. Then click the CLOSE button.
    NOTE: you can also delete and create back the binding for port 443 instead of doing steps 3-5 above)


Once that was done, go to the Agent UI>Package Server tab>Refresh All Packages and now HTTPS codebases are generated.

Note:

If the suggestion above works but after rebooting the package server the error "Package Server could not access own Web Site using HTTPS" comes back, please try the following:

On the SMP Console, under Settings>Notification Server>Site Server Settings, find the affected Package Server under "Site Servers" and click on "Override the global settings by custom settings" for the "Certificates Rollout" section (depending on the SMP version, it may be called "Web Configuration" section).


Make sure to:

  1. Select "Install intranet certificate"
  2. Use Port 443
  3. Select "Force overwrite HTTPS binding"
  4. Select "Use master certificate"
  5. Unselect "Install CEM certificate" (since these were no CEM site servers)
  6. Enable policy.

After the package server gets the new configuration, restart the Altiris agent service. Check if the error is still present.

Note:
In another version, it may look like this:

  1. Select "Configure HTTPs binding" under Configure HTTPs on site servers
  2. Use Port 443
  3. Select "Force overwrite HTTPS binding"
  4. Select "Install certificate"
  5. Select "Use master certificate"
  6. Unselect "Install CEM certificate" (since these were no CEM site servers)
  7. Enable policy.

Attachments