Submit a ticketCall us

Training ClassSign up for Network Performance Monitor (NPM) and Scalability instructor-led classes

Attend our instructor-led classes, provided by SolarWinds® Academy, to discuss the more advanced monitoring mechanisms available in NPM as well as how to tune your equipment to optimize its polling capabilities. NPM classes offered:
NPM Custom Monitoring and Polling
Orion Platform Scalability

Reserve your seat.

Home > Success Center > Orion Platform > Orion - Knowledgebase Articles > Troubleshoot issues with the Orion Web Console's SSL certificate

Troubleshoot issues with the Orion Web Console's SSL certificate

Updated October 22, 2018

Overview

You may experience issues like the following with the Orion Web Console when it is configured to use SSL. 

  • The web browser cannot establish an HTTPS connection.
  • The web browser returns something similar to the following error: "Your connection is not secure."
  • The top menu disappears.

 

If you run the SolarWinds Active Diagnostics tool, the "Check site certificates" test fails with one of the following descriptions:

  • The certificate assigned to https://webconsole.host:port binding is not found in the certificates store.
  • The certificate assigned to https://webconsole.host:port binding is invalid.
  • The certificate assigned to https://webconsole.host:port binding is not a server certificate.
  • The certificate assigned to https://webconsole.host:port binding is revoked or parent certificates in the chain are revoked.
  • The certificate assigned to https://webconsole.host:port binding can not be used for client authentication.
  • The certificate assigned to https://webconsole.host:port binding does not match.
  • The certificate assigned to https://webconsole.host:port binding does not have read permissions for the application pool user [User] to access the private key.

https://webconsole.host:port is your full Orion Web Console website binding information, including hostname and TCP port number.

Environment

Any products running on Orion Platform version 2017.1 and later, such as:

  • NPM 12.1
  • SAM 6.4

Cause

The SSL certificate assigned to the Orion Web Console is invalid for different reasons. Any one of the reasons can cause the same symptoms.

 

The certificate assigned to https://webconsole.host:port binding is not found in the certificates store.
The SSL certificate may be deleted from the certificates store.

The certificate assigned to https://webconsole.host:port binding is invalid.
The SSL certificate is invalid, for reasons such as:

  • It is expired
  • It is self-sighed and is not placed into the Trusted Root Certification Authorities store,
  • The parent certificate in the chain is not found

The certificate assigned to https://webconsole.host:port binding is not a server certificate.
The SSL certificate does not have "Server Authentication" selected or it is disabled.

The certificate assigned to https://webconsole.host:port binding is revoked or parent certificates in the chain are revoked.
The SSL certificate is revoked or the parent certificates in the chain are revoked.

The certificate assigned to https://webconsole.host:port binding can not be used for client authentication.
The IIS Client Certificates Mapping Authentication module is installed and the Client certificates setting in the SSL Settings for the Orion Web Console site is set to Require. In that case, the SSL certificates must have "Client Authentication" selected and be enabled.

The certificate assigned to https://webconsole.host:port binding does not match.
The SSL certificate Issued To (CN) field does not match server's FQDN nor partially matches FQDN using wildcards.

The certificate assigned to https://webconsole.host:port binding does not have read permissions for the application pool user [User] to access the private key.

The SSL certificate does not have read permissions for the application user to access the private key. 

 

Resolution

If the Orion Web Console has only one binding, which is the recommended configuration, you can fix the issue by running the SolarWinds Configuration Wizard and reconfiguring the website. Clear the Skip website binding check box and select a valid certificate marked green. Please refer to Configure the Orion Web Console to use SSL for details.

The error The certificate assigned to https://webconsole.host:port binding can not be used for client authentication requires additional steps (see below).

 

If the Orion Web Console has multiple bindings, run Active Diagnostics and follow the resolution steps for the returned error message.

  1. Log on to the Orion server as an administrator.
  2. Open Active Diagnostics, located by default in C:\Program Files (x86)\SolarWinds\Orion\ActiveDiagnostics.
  3. Run individual tests.
  4. Select Check site certificates.

 

The certificate assigned to https://webconsole.host:port binding is not found in the certificates store


Install and assign an SSL certificate to the binding that failed. Refer to Add and assign certificate for web console for specific steps.

The certificate assigned to https://webconsole.host:port binding is invalid

 

  1. Log on to your main Orion server with local administrator privileges.
  2. Run IIS Manager.
  3. Expand Sites in the left pane.
  4. Select the SolarWinds NetPerfMon site.
  5. Click Bindings... in the right pane.
  6. Select the binding and click Edit.
  7. Select the SSL certificate and click View.
  8. Read the issue description under Certificate information on the General tab.
    • Try fix the issue yourself or select another valid certificate. You may need to acquire and install a new certificate if the current certificate is expired.
    • Navigate to the Certification Path tab and ensure there no certificates with red marks there. Consult your web administrator on how to fix such issues.

The certificate assigned to https://webconsole.host:port binding is not a server certificate

  1. Log on to your main Orion server with local administrator privileges.
  2. Run IIS Manager.
  3. Expand Sites in the left pane.
  4. Select the SolarWinds NetPerfMon site.
  5. Click Bindings... in the right pane.
  6. Select the binding and click Edit.
  7. Select the SSL certificate and click View.
  8. Navigate to the Details tab.
  9. Scroll down and copy the Thumbprint value.
  10. Run certlm.msc.
  11. Right-click Certificates - Local Computer and select Find Certificates.
  12. Paste theThumbprint value into the Contains: field.
  13. Select SHA1 Hash in the Look in Field field.
  14. Click Find Now.
  15. Right click the certificate in the search result pane and choose Properties.
  16. Ensure that Server Authentication is listed in Certificate purposes, and is enabled as shown.

The certificate assigned to https://webconsole.host:port binding is revoked or parent certificates in the chain are revoked.

  1. Log on to your main Orion server with local administrator privileges.
  2. Run IIS Manager.
  3. Expand Sites in the left pane.
  4. Select the SolarWinds NetPerfMon site.
  5. Click Bindings... in the right pane.
  6. Select the binding and click Edit.
  7. Select the SSL certificate and click View.
  8. Navigate to the Certification Path tab
  9. Check and fix issues with certificates that are marked red. Consult your web administrator on how to fix such issues.

The certificate assigned to https://webconsole.host:port binding can not be used for client authentication.

  1. Log on to your main Orion server with local administrator privileges.
  2. Run IIS Manager.
  3. Expand Sites in the left pane.
  4. Select the SolarWinds NetPerfMon site.
  5. Click Bindings... in the right pane.
  6. Select the binding and click Edit.
  7. Select the SSL certificate and click View.
  8. Navigate to the Details tab.
  9. Scroll down and copy the Thumbprint value.
  10. Run certlm.msc.
  11. Right-click Certificates - Local Computer and select Find Certificates.
  12. Paste theThumbprint value into the Contains: field.
  13. Select SHA1 Hash in the Look in Field field.
  14. Click Find Now.
  15. Right click the certificate in the search result pane and choose Properties.
  16. Ensure that both Server Authentication and Client Authentication are listed and enabled in the Certificate purposes. You may need acquire and install a new certificate if the current one does not have Client Authentication.

The certificate assigned to https://webconsole.host:port binding does not match

Install and assign an SSL certificate to the binding that failed. The certificate (CN) field should match server's FQDN or partially match FQDN using wildcards. Refer to Add and assign certificate for web console for specific steps.

The certificate assigned to https://webconsole.host:port binding does not have read permissions for the application user [User] to access the private key.

  1. Launch Orion Permission Checker (SolarWinds\Orion\OrionPermissionChecker.exe).
  2. Click Repair.

You can also find the certificate key file and grant permissions manually.

 

 

Last modified

Tags

Classifications

Public