The NFA side is all set up for full HTTPS.
You can go to the NetOps Portal and go to the Administration, Data Sources page. Edit the NFA data source and make sure the checkbox is set so both the data source and website use 1 set of parameters. Make sure NFA is being contacted via the name you used for ApplyHTTPS or another resolvable name found within the certificate's Subject Alternative Names. The scheme should be https and the port 443. Make sure the test works. If it does, hit save and you're done.
Original Message:
Sent: May 02, 2025 10:12 AM
From: Miller Echagarreta
Subject: keytool error: java.lang.Exception: Failed to establish chain from reply
Hi Justin, yes, I see that the PFX option requested the FQDN.

Now, what do you recommend?
Original Message:
Sent: May 01, 2025 09:22 AM
From: Justin Signa
Subject: keytool error: java.lang.Exception: Failed to establish chain from reply
Nice job.
At this point you are likely done. One thing is that I don't know if NFA was set up to use RIB/OData/SOAP HTTPS?
If not, this may be something to consider.
To determine if you are already using RIB/OData/SOAP HTTPS, just let me know if ApplyHTTPS prompted you for the FQDN or not during the PFX option. If not, you are likely just running with IIS/SSO in HTTPS. We can touch more on this once you get back to me on whether the tool prompted you for the FQDN or not. Feel free to upload the log output here as well.
Thanks,
Justin Signa
Original Message:
Sent: Apr 30, 2025 06:58 PM
From: Miller Echagarreta
Subject: keytool error: java.lang.Exception: Failed to establish chain from reply
Thanks Justin...
I only applied option 1 with the PFX file. Question: is it necessary to run option 2 for IIS?
I see that NFA is working with the new certificate.

Original Message:
Sent: Apr 30, 2025 06:13 PM
From: Justin Signa
Subject: keytool error: java.lang.Exception: Failed to establish chain from reply
Miller,
You can either use option 1 as a PFX option, where you just point it to the file, or you can import the PFX into the IIS/Windows cert store and then use the IIS option 2 to select right from the IIS/Windows certificate store.
If you have any issues, tomorrow we can do a call.
Thanks,
Justin Signa
Original Message:
Sent: Apr 30, 2025 05:22 PM
From: Miller Echagarreta
Subject: keytool error: java.lang.Exception: Failed to establish chain from reply
Yes, it was necessary to import the root and intermediate certificates with option 3. So the certificate of the portal was installed with option 6.

Now, I think that I need to configure IIS to use the certificate, right? I am using option 1 (setup HTTPS) and option 2 (Use an IIS installed certificate), but the new certificate does not appear.

Do I need to take any action before configuring the certificate in IIS? Or is it not necessary? Do I just restart the NFA services and the certificate will be applied?
Original Message:
Sent: Apr 30, 2025 03:15 PM
From: Justin Signa
Subject: keytool error: java.lang.Exception: Failed to establish chain from reply
Miller,
The Root and Intermediate certificates often change and if not, during upgrades, CACERTS truststore gets deleted.
You can use option 3 to import the root and intermediate certs into CACERTS and then run option 6 again to complete the keystore file you are trying to build.
Thanks,
Justin Signa
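
The failure and fix discussed in this message, reproduced as an added example that is not part of the original thread or of the NFA tool. It uses `openssl verify` as a stand-in for keytool's chain building, on a constructed root, intermediate and leaf; all names, file names and the PEM trust bundles are assumptions.

```shell
#!/bin/sh
# Constructed test PKI: root -> intermediate -> leaf. Nothing here is real.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

cat > "$work/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

new_csr() {  # new_csr <name> <CN>: writes <name>.key and <name>.csr
  openssl req -new -config "$work/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$work/$1.key" -out "$work/$1.csr" -subj "/CN=$2" 2>/dev/null
}

make_pki() {
  # Self-signed root CA.
  openssl req -x509 -config "$work/ca.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -keyout "$work/root.key" -out "$work/root.pem" \
    -subj "/CN=Constructed Root CA" -days 2 2>/dev/null
  # Intermediate CA, issued by the root.
  new_csr int "Constructed Intermediate CA"
  openssl x509 -req -in "$work/int.csr" -CA "$work/root.pem" \
    -CAkey "$work/root.key" -CAcreateserial -extfile "$work/ca.cnf" \
    -extensions ca_ext -days 2 -out "$work/int.pem" 2>/dev/null
  # Server certificate (the "reply"), issued by the intermediate.
  new_csr leaf "nfa.example.test"
  openssl x509 -req -in "$work/leaf.csr" -CA "$work/int.pem" \
    -CAkey "$work/int.key" -CAcreateserial -days 2 \
    -out "$work/leaf.pem" 2>/dev/null
}

chain_ok() {  # chain_ok <leaf.pem> <truststore.pem>: 0 if a full chain is built
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_pki
# Trust store holding only the root, then one holding root + intermediate.
cat "$work/root.pem" "$work/int.pem" > "$work/full.pem"
for store in root.pem full.pem; do
  if chain_ok "$work/leaf.pem" "$work/$store"; then
    echo "$store: chain established"
  else
    echo "$store: failed to establish chain"
  fi
done
```

With only the root trusted, the leaf's issuer cannot be found and verification fails; once the intermediate is in the trust bundle as well, the same leaf verifies.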
Original Message:
Sent: Apr 30, 2025 01:31 PM
From: Miller Echagarreta
Subject: keytool error: java.lang.Exception: Failed to establish chain from reply
Hi Everyone.
To renew the certificate of the NFA portal, I generated the CSR with the "nfa-applyhttps-tool". Now I am installing the certificate, but this procedure fails...

What am I doing wrong?