Certificates and the integration with Curator Gateway and Services
What Services need a certificate?
Curator Server needs its own certificate; this is the certificate whose thumbprint we reference in its config.
The Curator Gateway/IIS host of all websites (except XChange Manager, for now) also needs one.
If the above are configured on the same server, you will only need one SSL certificate.
If on separate servers, you'll need either:
Two separate SSL certificates, one covering each FQDN (the host name plus domain name that DNS resolves to for that server),
or
A wildcard SSL certificate that covers *.domain, or a certificate with SANs for each host.
With wildcard certificates, be aware that a certificate for *.domain will work for the host hostname.domain but WON'T work for the host hostname.subdomain.domain; in that case you would need the wildcard to be *.subdomain.domain.
In the same light, you can have SANs on your certificate; as long as those match the names you need, you should be OK.
Errors you may come across:
ERROR Curator Server - Curator Server - [CCuratorServerService, Start] - A specified logon session does not exist. It may already have been terminated
This is probably caused by the certificate you have set up for the Curator Server service.
Open the MMC snap-in and load the certificate store.
Find the cert you installed.
Does it have a key in the top left corner of its icon? If not, the cert was not installed correctly: it is missing its private key and won't work.
Typically we would expect this error if the cert was installed directly onto a server with no IIS.
If the cert is a wildcard, or contains all the SANs you need for all your servers, the fix is straightforward. On the IIS server where you installed the cert by completing an IIS certificate request, open the MMC cert store on that server; the key icon should be present there. If so, EXPORT the cert with its private key and use that export to install it on the other server that the SAN or wildcard covers.
Alternatively, ask the cert provider for a PFX version (certificate plus private key) to install, rather than just the .crt.
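As an added example (not part of this article), the following PowerShell script performs the two checks discussed above from the command line: whether the certificate referenced by thumbprint has its private key, and whether its CN/SANs, including a wildcard under the one-label rule described earlier, cover the Curator Gateway FQDN. The thumbprint and FQDN values are placeholders to be replaced with your own.

```powershell
# Added example, not from the original article. Assumes the Curator Server
# certificate is in the LocalMachine\My store and is identified by the
# thumbprint from its config; $GatewayFqdn is the name Curator Gateway is
# reached by. Both values below are placeholders.
param(
    [string]$Thumbprint  = 'REPLACE_WITH_THUMBPRINT_FROM_CURATOR_SERVER_CONFIG',
    [string]$GatewayFqdn = 'hostname.subdomain.example.com'
)

# Wildcard rule from the article: *.domain covers hostname.domain but NOT
# hostname.subdomain.domain, because the wildcard matches exactly one label.
function Test-DnsNameCoversHost {
    param([string]$DnsName, [string]$HostName)
    if ($DnsName.StartsWith('*.')) {
        $hostLabels = $HostName.Split('.')
        $wildLabels = $DnsName.Split('.')
        if ($hostLabels.Count -ne $wildLabels.Count) { return $false }
        # Everything after the first label must match, case-insensitively.
        $hostSuffix = $hostLabels[1..($hostLabels.Count - 1)] -join '.'
        $wildSuffix = $wildLabels[1..($wildLabels.Count - 1)] -join '.'
        return $hostSuffix -ieq $wildSuffix
    }
    return $DnsName -ieq $HostName
}

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ieq $Thumbprint }
if (-not $cert) {
    Write-Error "No certificate with thumbprint $Thumbprint in LocalMachine\My"
    exit 1
}

# Check 1: private key present (the key icon in the MMC snap-in). A missing
# key is what produces "A specified logon session does not exist" at start-up.
if ($cert.HasPrivateKey) { 'OK   private key present' }
else { 'FAIL private key missing - import the PFX (cert + key), not just the .crt' }

# Check 2: does the Subject CN or any SAN DNS name cover the gateway FQDN?
$names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
if (-not $names) { $names = @($cert.GetNameInfo('DnsName', $false)) }
$covered = $names | Where-Object { Test-DnsNameCoversHost -DnsName $_ -HostName $GatewayFqdn }
if ($covered) { "OK   $GatewayFqdn is covered by: $($covered -join ', ')" }
else          { "FAIL none of [$($names -join ', ')] covers $GatewayFqdn" }
```

Run it in an elevated PowerShell session on the server that hosts the Curator Server service, since LocalMachine\My requires administrative access.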
Fatal Error - Error getting filter view columns - The caller was not authenticated by the service
This is a common issue when the Curator Server service config is missing the right settings.
Typically it's because the section:
<bearerTokenbehaviour> has an incorrect authority link.
If your gateway address here is not the correct FQDN, the auth check won't work; i.e. HOSTNAME/CuratorGateway won't be enough, it must be HOSTNAME.domain/CuratorGateway.
This would be the same HOSTNAME.domain as on the certificate for the IIS host that hosts Curator Gateway.
The caller was not authenticated by the service
In the Process Engine service config, look for the section:
<IdentityHttpClientConfiguration>
And check the authority value; again, this should be the FQDN of the Curator Gateway server, not just its host name.
The <bearerTokenBehaviour> section will also need the same value.
Be sure to restart the service once the config changes have been confirmed.