Error: Trunk "https" cannot be activated due to the following: Certificate you selected does not exist.

  • Question

  • I am in the process of setting up a UAG2010 2nd node array running on vSphere 4.1 U1, Stnd vSwitch, and MAC address changes are "allowed".

    I set up my NICs like this (pretty much, but the IPs are changed a bit).
    http://social.technet.microsoft.com/wiki/contents/articles/how-to-install-uag-for-application-publishing-on-a-single-network.aspx

    Both NICs on each UAG member are on my inside network; I just point my external FW to the UAG01 external IP (and later to the vIP of the MS NLB IP address).

    UAG01 inside =192.168.1.205
    UAG01 outside = 192.168.1.204

    UAG02 inside = 192.168.1.207
    UAG02 outside = 192.168.1.206

    I created a wildcard *.domain.com using this process on my UAG01 server
    http://www.robbagby.com/iis/self-signed-certificates-on-iis-7-the-easy-way-and-the-most-effective-way/

     

    But after making UAG01 the Array master, and joining UAG02 to the array I get this error:

    Error: Trunk "https" cannot be activated due to the following:  Certificate you selected does not exist.  Please select another certificate from the certificate list of the ... "

    When the array is formed, won't it copy over the SSL cert from UAG01 to UAG02 by sharing the configuration?  Or should I follow the self-signed SSL cert process again on the UAG02 server?

    Thanks.

    Thursday, August 25, 2011 6:47 PM

Answers

  • Hi Jonathan,

    When you activate the UAG configuration, or when the array is created, the SSL certificates are not copied from one UAG node to another. You need to manually export the certificate from UAG01, where you currently have it (assuming that the certificate is exportable) and then import it onto your second UAG server.

    Regards,


    -Ran
    Thursday, August 25, 2011 7:14 PM
  • Hi Jonathan,

    As Ran already said, the certificates are not replicated between the UAG nodes and have to be installed manually.

    Make sure you don't create a new certificate on the second node. It has to be exactly the same certificate pre-installed on both nodes, since UAG will match those certificates by using the unique certificate fingerprint. So using only the same certificate CNAME again wouldn't be enough...

    -Kai
    Thursday, August 25, 2011 7:26 PM

All replies

  • Thanks guys, IT'S WORKING NOW..

    I went into IIS / Server Certificates / exported my SSL signed wildcard cert and gave it a password and put it on the root of UAG (i.e. \\UAG02\c$)

    I then imported it by loading IIS manager on UAG02 and importing the cert from the root of its C:\ drive.  But then, to confirm it was set in the UAG GUI (which maybe was stupid), I made UAG02 the array master, and then set the *.domain.com cert in the trunk using the UAG GUI.

    Now I just have to reset my Array master..  As UAG seems confused about who is the array master now, perhaps I borked this up a bit.. Seems like it sorta thought each of them was a master...

    Seems a tiny VBS script is in order to replicate these certs around; I could see this being a pain if you had an 8 member UAG array... Is there really a need to set the cert in the GUI, or just import it?

    Thursday, August 25, 2011 8:02 PM
  • Hi Amig@. The certificate must be imported on all the nodes of the array. There is no need to import it to the IIS site; just import it to the Computer certificates store (mmc->Certificates). The certificate will be associated with the trunk (and thus with the IIS site) when the configuration is applied from the GUI, and this will apply to all nodes. No need to change the array manager and so on.
    // Raúl - I love this game
    Friday, August 26, 2011 7:12 AM
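
A pre-activation check for the point made in the answers above (every node needs the same certificate, matched by thumbprint, in the Computer certificates store). This is an added example, not code from any poster in the thread or from UAG itself. The thumbprint is a placeholder, the function name `Get-NodeCertStatus` is made up for the example, and it assumes the account running it can read the remote certificate stores.

```powershell
# Added example (not from the thread): check that every array node holds the
# same certificate, matched by thumbprint, in Local Computer\Personal.
$nodes      = 'UAG01', 'UAG02'             # node names as used in the thread
$thumbprint = '<THUMBPRINT-FROM-UAG01>'    # placeholder: paste the real value

function Get-NodeCertStatus {              # hypothetical helper name
    param([string]$Node, [string]$Thumbprint)

    # Thumbprints copied from the certificate dialog often contain spaces.
    $wanted = ($Thumbprint -replace '\s', '').ToUpper()

    # "\\<node>\My" addresses the remote Local Computer\Personal store.
    $type  = 'System.Security.Cryptography.X509Certificates.X509Store'
    $store = New-Object $type -ArgumentList "\\$Node\My", 'LocalMachine'
    try {
        $store.Open('ReadOnly')
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $wanted }
    }
    catch {
        return New-Object PSObject -Property @{
            Node = $Node; Status = "store unreadable: $($_.Exception.Message)" }
    }
    finally { $store.Close() }

    if (-not $cert) {
        # A certificate with the same name but another thumbprint does not count.
        $status = 'MISSING (export the .pfx from the first node and import it here)'
    }
    elseif (-not $cert.HasPrivateKey)      { $status = 'present, but no private key' }
    elseif ($cert.NotAfter -lt (Get-Date)) { $status = 'present, but expired' }
    else                                   { $status = 'OK' }

    New-Object PSObject -Property @{ Node = $Node; Status = $status }
}

$nodes | ForEach-Object { Get-NodeCertStatus -Node $_ -Thumbprint $thumbprint } |
    Format-Table Node, Status -AutoSize
```

A "present, but no private key" result usually means a .cer file was imported instead of the password-protected .pfx export.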