PROBLEM

After upgrading to 10.8, connections to highly available ArcGIS Enterprise portals through port 7443 show the certificate is untrusted

Last Published: April 25, 2020

Description

Certificates used in highly available portals may be reset to the default, self-signed certificates during upgrade.

Cause

Only one custom certificate alias is stored with the portal. The alias of that certificate must match the alias set for the certificate on the primary machine. If the aliases of the custom certificates are different on the standby and primary portal machines, and you imported the standby machine’s certificate after importing the primary machine’s certificate, the portal stores the alias set for the standby machine. When you upgrade, the certificate alias stored in the portal does not match the alias of the certificate on the primary machine, which causes the upgrade to reset the certificates to the default, self-signed certificates that have an alias of portal.

For example, if you configure your primary portal machine with a certificate from a certifying authority (CA) and set the alias to p1, and then you configure your standby portal machine with a CA certificate and set the alias to p2, the p2 alias is stored in the portal. When you upgrade to Portal for ArcGIS 10.8, the upgrade procedure compares the stored alias (p2) with the certificate found on the primary machine (p1). Because they do not match, the upgrade procedure resets both portal machines to use the default, self-signed portal certificate. When you access either machine through port 7443—in other words, you open https://p1.domain.com:7443/arcgis/ or https://p2.domain.com:7443/arcgis—you will see messages indicating that the certificate is untrusted.

Solution or Workaround

After the Portal for ArcGIS upgrade completes, update the certificate on each portal machine to use the custom certificates you previously imported. The custom certificates remain imported, so updating the certificate only requires replacing the alias of the default certificate (portal) with the alias you used when you initially imported the custom certificates. Follow these steps to update the certificate alias:

  1. Sign in to the ArcGIS Portal Administrator Directory for the standby machine as a member of the default administrator role. The URL is in the format
    https://loadbalancerhost.domain.com/loadbalancername/portaladmin
  2. Click Machines > [machine name] > Security > SSLCertificates > update, and update the alias name.
  3. Sign in to the ArcGIS Portal Directory for the primary machine as a member of the default administrator role.
  4. Click Machines > [machine name] > Security > SSLCertificates > update, and update the alias name.
  5. Restart the Portal for ArcGIS service.
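
A check to run once the service is back up, added here as an example and not part of the Esri article: it connects to each portal machine directly on port 7443 and flags any machine that still presents a certificate whose subject equals its issuer, as the default self-signed certificate does. It assumes the `openssl` command-line tool is installed; the function names are hypothetical, and p1.domain.com and p2.domain.com are the example hosts used above.

```shell
#!/bin/sh
# Added example (not Esri code): detect a portal machine that still serves
# the default self-signed certificate on port 7443 after the upgrade.

# Return 0 if the PEM certificate in file $1 is self-issued
# (subject name hash equals issuer name hash), 1 if not, 2 on read error.
is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    issr=$(openssl x509 -in "$1" -noout -issuer_hash) || return 2
    [ "$subj" = "$issr" ]
}

# Save the leaf certificate that host $1 presents on port $2 to file $3.
# No trust validation is done here; the goal is only to read the certificate.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Check every machine named on the command line, bypassing the load balancer.
# Returns non-zero if any machine fails the check.
check_portal_machines() {
    rc=0
    tmp=$(mktemp)
    for host in "$@"; do
        if ! fetch_cert "$host" 7443 "$tmp"; then
            echo "$host: could not retrieve a certificate"
            rc=1
        elif is_self_issued "$tmp"; then
            echo "$host: self-issued certificate, alias likely reset to 'portal'"
            rc=1
        else
            echo "$host: $(openssl x509 -in "$tmp" -noout -issuer)"
        fi
    done
    rm -f "$tmp"
    return $rc
}

# Example: sh check_portal.sh p1.domain.com p2.domain.com
if [ "$#" -gt 0 ]; then
    check_portal_machines "$@"
fi
```

A certificate issued by a CA passes this check even if the client does not trust that CA, so a clean result means only that the default certificate is no longer being served.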

This issue affects upgrades from a highly available Portal for ArcGIS (releases 10.4.x, 10.5.x, 10.6.x and 10.7) to Portal for ArcGIS 10.8 or later, on the following platforms: Windows, Linux, on-premises deployments, and cloud deployments.

If you are still encountering this problem after following these steps, please contact Esri Technical Support to resolve this issue.

Article ID: 000022836

Software:
  • Portal for ArcGIS
