Using a Certificate for the HTTPS Protocol
This section explains how to enable the HTTPS protocol for the communication between Orchestrator and the Robots.
It is preferable to use a SAN SSL certificate issued by a Certificate Authority rather than a self-signed one, because in the former case no certificate has to be installed on the Robot computers: a SAN SSL certificate issued by the domain's Certificate Authority is already trusted by all the computers in the domain.
Requesting a SAN SSL Certificate From the Certificate Authority
If the primary Orchestrator machine is joined to an Active Directory domain that has a local Certificate Authority and an auto-enrollment policy, the user may file a certificate request, as described in the following procedure.
Creating a Self-Signed SAN SSL Certificate
If you need to quickly create an SSL certificate for testing purposes only, you may create a self-signed SAN SSL certificate.
Creating a Self-Signed SSL Certificate on the Primary Orchestrator Machine
Open a PowerShell console as administrator, and issue the following commands. Don't forget to customize the values according to your environment.
# Create a self-signed certificate whose SAN lists every name the Robots and the nodes will use
$ssc = New-SelfSignedCertificate -FriendlyName "TestingCertificate" -DnsName "loadbalancer.domain.local","node1.domain.local","node2.domain.local"
# Add it to the machine's Trusted Root store so that this machine trusts it
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("MaxAllowed")
$store.Add($ssc)
$store.Close()
# Export the certificate together with its private key to a password-protected PFX file
$pass = ConvertTo-SecureString -String "myPass" -Force -AsPlainText
Export-PfxCertificate -Cert $ssc -FilePath "C:\temp\testingCertificate.pfx" -Password $pass
Keep the C:\temp\testingCertificate.pfx file for later use.
Once the certificate has been created, make sure that:
- If ApplicationPoolIdentity is used, in the certificate console, navigate to Personal > Certificates. Then, right-click your personal Orchestrator certificate, select All Tasks > Manage Private Keys, and give full permissions to both IIS AppPool\Identity and IIS_IUSRS.
- If a custom account is used, in the certificate console, navigate to Personal > Certificates. Then, right-click your personal Orchestrator certificate, select All Tasks > Manage Private Keys, and give full permissions to the custom user that is set on the Orchestrator Application Pool.
IIS AppPool\Identity and IIS_IUSRS are local groups and should be searched for under the local machine, not under the domain.
Importing the SAN Self-Signed Certificate to Other Machines
To make the self-signed certificate available on other machines (secondary Orchestrator nodes and Robot machines), open a PowerShell console as administrator on each of them, and issue the following commands.
# Import the PFX (certificate plus private key) into the machine's Personal store
$pass = ConvertTo-SecureString -String "myPass" -Force -AsPlainText
$imported = Import-PfxCertificate -FilePath "C:\temp\testingCertificate.pfx" -CertStoreLocation Cert:\LocalMachine\My\ -Exportable -Password $pass
# Add the same certificate to the Trusted Root store so that the machine trusts it
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("MaxAllowed")
$store.Add($imported)
$store.Close()
Firefox – Allowing Exceptions
Firefox handles the process a bit differently, as it does not read the certificate information from the Windows store. Rather than installing certificates, it allows you to define exceptions for SSL certificates on particular sites.
When you visit a site that has a certificate error, the warning message in the screenshot below is displayed. The URL you are trying to access is displayed in the blue area. To create an exception to bypass this warning on that specific URL:
Troubleshooting Certificates
If certificate errors occur when running UiPathOrchestrator.msi (during installation or upgrade), here is where you can start your troubleshooting:
From Control Panel:
- Open Manage Computer Certificates -> Personal -> Certificates. Identify your certificate and double-click it. The General tab shows information about its validity.
- From a command line, run the following command to diagnose the certificate; its summary is at the end of the output:
certutil -v -verifystore My <certificateThumbprint>
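The checks above cover validity; the failures that actually break Orchestrator-to-Robot HTTPS are usually a host name missing from the SAN, a self-signed certificate that is not in the Trusted Root store, or a certificate with no private key. The following script is an added example, not code from the UiPath documentation: it inspects the certificate bound to the Orchestrator site in IIS and reports those conditions in one object. It assumes the site name and host names used elsewhere on this page; the function name is hypothetical, and Test-Certificate comes from the Windows PKI module.

```powershell
# Added example (not from the UiPath docs): report the properties of the
# certificate bound to the Orchestrator site that most often break HTTPS.
Import-Module WebAdministration

function Test-OrchestratorCertificate {
    param(
        [string]   $SiteName  = 'UiPath Orchestrator',          # assumption: IIS site name
        [string[]] $HostNames = @('loadbalancer.domain.local',  # assumption: names the Robots use
                                  'node1.domain.local', 'node2.domain.local')
    )
    $binding = Get-ChildItem IIS:\SslBindings | Where-Object Sites -eq $SiteName | Select-Object -First 1
    if (-not $binding) { throw "No SSL binding found for site '$SiteName'" }
    $cert = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"

    # Subject Alternative Name extension (OID 2.5.29.17); Format($true) yields one "DNS Name=..." per line
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = ($sanExt.Format($true) -split "`r?`n") |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() } |
            Where-Object { $_ }
    }
    $missing = $HostNames | Where-Object { $sanNames -notcontains $_ }

    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        IsTimeValid   = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)
        HasPrivateKey = $cert.HasPrivateKey
        SanNames      = $sanNames
        MissingSan    = @($missing)
        # Test-Certificate builds the chain the way SChannel does; a self-signed
        # certificate passes only once it is present in LocalMachine\Root
        ChainTrusted  = [bool](Test-Certificate -Cert $cert -Policy SSL -DNSName $HostNames[0] -ErrorAction SilentlyContinue)
        InRootStore   = [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint)
    }
}

Test-OrchestratorCertificate | Format-List
```

A non-empty MissingSan means the Robots connecting with that host name will get a name mismatch even though the certificate itself is valid; ChainTrusted false together with InRootStore false is the typical state of a self-signed certificate that was exported but never added to the Trusted Root store on the machine you are checking.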
Internal Server Error
An internal server error may occur if the certificate does not have the appropriate permissions set. Run the following as Admin to grant the necessary permissions:
Import-Module WebAdministration
$siteName = 'UiPath Orchestrator'
# First SSL binding of the Orchestrator site and the certificate it uses
$binding = (Get-ChildItem -Path IIS:\SSLBindings | Where Sites -eq $siteName)[0]
$certLoc = "cert:\LocalMachine\MY\$($binding.Thumbprint)"
$cert = Get-Item $certLoc
# Key container file of a legacy CSP key. For a CNG key $cert.PrivateKey is $null
# and the key file lives under $env:ProgramData\Microsoft\Crypto\Keys instead.
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys\"
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFullPath = $keyPath + $keyName
# Grant IIS_IUSRS full control on the key file ("Full" is not a valid FileSystemRights value)
$acl = (Get-Item $keyFullPath).GetAccessControl('Access')
$permission = "IIS_IUSRS", "FullControl", "Allow"
$accessRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $permission
$acl.AddAccessRule($accessRule)
Set-Acl -Path $keyFullPath -AclObject $acl
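The script above relies on $cert.PrivateKey, which is populated only for legacy CSP keys; certificates created with New-SelfSignedCertificate on current Windows versions use a CNG key, for which it is $null and the script fails before reaching Set-Acl. The following is an added example, not code from the UiPath documentation: it resolves the key file for both key types and grants the IIS identity Read access, which is all that TLS needs to use the key. It assumes Windows PowerShell 5.1 on .NET Framework 4.6 or later (for RSACertificateExtensions), the site name used on this page, and a hypothetical function name.

```powershell
# Added example (not from the UiPath docs): grant an IIS identity read access to
# the private key of the certificate bound to the Orchestrator site, for both
# legacy CSP keys and CNG keys.
Import-Module WebAdministration

function Grant-PrivateKeyReadAccess {
    param(
        [string] $SiteName = 'UiPath Orchestrator',  # assumption: IIS site name
        [string] $Identity = 'IIS_IUSRS'             # or 'IIS AppPool\<pool name>' for ApplicationPoolIdentity
    )
    $binding = Get-ChildItem IIS:\SslBindings | Where-Object Sites -eq $SiteName | Select-Object -First 1
    if (-not $binding) { throw "No SSL binding found for site '$SiteName'" }
    $cert = Get-Item "Cert:\LocalMachine\My\$($binding.Thumbprint)"
    if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key in this store" }

    # Locate the key container file: CSP keys live under RSA\MachineKeys,
    # CNG keys (Microsoft Software Key Storage Provider) under Crypto\Keys.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
        $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    } else {
        throw "Unsupported private key type: $($rsa.GetType().FullName)"
    }
    if (-not (Test-Path $keyFile)) {
        throw "Key file not found: $keyFile (the key may be user-scoped or on a hardware provider)"
    }

    # Read is sufficient for SChannel/IIS to use the key; no write or full control is needed
    $acl  = Get-Acl -Path $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Identity, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the resulting entries for the identity so the change can be reviewed
    (Get-Acl -Path $keyFile).Access |
        Where-Object IdentityReference -like "*$Identity*" |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

Grant-PrivateKeyReadAccess
```

Run it once per identity that needs the key (IIS_IUSRS, and the application pool identity or custom account named in the steps below); the returned ACL entries are what you would otherwise verify by hand through All Tasks > Manage Private Keys.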
After running the script, make sure that:
- If ApplicationPoolIdentity is used, in the certificate console, navigate to Personal > Certificates. Then, right-click your personal Orchestrator certificate, select All Tasks > Manage Private Keys, and give full permissions to both IIS AppPool\Identity and IIS_IUSRS.
- If a custom account is used, in the certificate console, navigate to Personal > Certificates. Then, right-click your personal Orchestrator certificate, select All Tasks > Manage Private Keys, and give full permissions to the custom user that is set on the Orchestrator Application Pool.
IIS AppPool\Identity and IIS_IUSRS are local groups and should be searched for under the local machine, not under the domain.
Insights Certificate Error
If you are encountering errors when trying to change your Insights certificate, make sure to follow the instructions provided in Updating the Insights Certificate.
Chromium-based browsers certificate error
If a certificate error occurs when using Chromium-based browsers, create a self-signed certificate with a digital signature as follows:
Creating a Self-Signed SAN SSL Certificate on a Windows Server 2012 R2 Orchestrator Machine
-FriendlyName parameter. If your Orchestrator machine is running this operating system, you need to take the following steps to create a self-signed SAN SSL certificate: