DaanTheoden
Creator III
6 months ago

Renewing OAuth Certificates

Hello fellow Aras developers,

Here's another niche topic I recently had to tackle: renewing OAuth certificates.

If you've been applying Aras patches (upgrade packages) over the years, your OAuth certificates are likely outdated. They expire every few years depending on your configuration and need renewal.

I found several instructions online for manually replacing certificates, but they consistently resulted in:

  • Authentication errors on sign-in
  • ANCM Out-Of-Process Startup Failure

After multiple attempts working with Aras Support, I took a different approach:

  1. Downloaded the out-of-the-box installer for our version (Release 36) and ran it on our production environment. Yes, even though the upgraded Release 36 was already installed.
  2. Selected 'Custom Installation' and chose ONLY the OAuth module. This generated a clean OAuth folder with a fresh set of certificates.
  3. Copied (overwrite) all the certificates (CTRL + A) into these directories (probably overkill, but redundant certs are harmless and it makes the process much faster):
    • OAuthServer\App_Data\Certificates\
    • Innovator\Server\App_Data\Certificates\
    • Innovator\Client\App_Data\Certificates\
    • SelfServiceReporting\App_Data\Certificates\
    • VaultServer\App_Data\Certificates\
  4. Updated the OAuth.config file in \OAuthServer\ with our internal production endpoint.
  5. iisreset (from command prompt as Administrator)

Note: If you run the installer on a machine that already hosts an existing Aras instance, make sure to run changeguid.exe on the innovatorsetup.msi first to avoid impacting the current installation.

Done!

Please let me know if this helped and/or how I can improve this post. Let's make it a community effort to have up-to-date information for all of us.
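Added example, not part of the original post and not Aras tooling: a PowerShell check to run after step 5 that lists the expiry date of each certificate in the five directories named above and flags any file whose copies differ between directories. The install root path, the `$WarnDays` threshold and the assumption that public certificates are stored as `.cer` files are illustrative; other files (such as password-protected `.pfx`) are only hash-compared.

```powershell
# Added example, not Aras code. $InstallRoot and $WarnDays are assumed parameters.
param(
    [string]$InstallRoot = 'C:\path\to\ArasInstall',  # placeholder: your instance root
    [int]$WarnDays = 60                               # assumed warning window in days
)

# The five certificate directories named in the post, relative to the install root.
$certDirs = @(
    'OAuthServer\App_Data\Certificates',
    'Innovator\Server\App_Data\Certificates',
    'Innovator\Client\App_Data\Certificates',
    'SelfServiceReporting\App_Data\Certificates',
    'VaultServer\App_Data\Certificates'
)

$report = foreach ($dir in $certDirs) {
    $full = Join-Path $InstallRoot $dir
    if (-not (Test-Path $full)) { Write-Warning "Missing directory: $full"; continue }
    foreach ($file in Get-ChildItem -Path $full -File) {
        $notAfter = $null
        if ($file.Extension -eq '.cer') {
            # Public certificates load without a password (assumed .cer format).
            try {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
                $notAfter = $cert.NotAfter
            } catch { Write-Warning "Cannot parse $($file.FullName): $_" }
        }
        [pscustomobject]@{
            Directory = $dir
            File      = $file.Name
            NotAfter  = $notAfter
            DaysLeft  = if ($notAfter) { [int][math]::Floor(($notAfter - (Get-Date)).TotalDays) } else { $null }
            Sha256    = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        }
    }
}

# Certificates that are already expired or expire within the warning window.
$report | Where-Object { $_.NotAfter -and $_.DaysLeft -le $WarnDays } |
    Sort-Object DaysLeft | Format-Table Directory, File, NotAfter, DaysLeft

# The same file name with different content across directories means a copy was missed.
$report | Group-Object File |
    Where-Object { ($_.Group.Sha256 | Select-Object -Unique).Count -gt 1 } |
    ForEach-Object { Write-Warning "Mismatch across directories: $($_.Name)" }
```

Run as a scheduled task, the first table doubles as an early warning before the next expiry.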

6 Replies

  • Important topic!!! Expiring certificates are a known issue. There is a hidden article in the subscriber portal by Bill Turner from Support. In addition, the "CreateOAuthCertificate" fix is literally placed next to every installation package on the Aras FTP, but people hardly notice it.

    We even have this forum solution, which helped many people back then, but today it's not as well-known anymore: How to update expire Aras certifies | Aras
    The solution shown was one of the most-liked posts in this forum's history, highlighting just how desperate people were to resolve this issue.

    I am surprised that you got "Authentication errors on sign-in"! From my experience this issue mainly affected the file vault. And I am even more surprised you needed multiple attempts with support. Has the behavior of expired certificates changed in the latest versions? 

    I like your solution with the installer. Seems much easier than doing the manual certification. I always needed a few attempts to create working certificates. Most important tip for everyone: Use plenty of calendar reminders so you don't forget to rebuild the certificates before they expire. :)

    I assume we’ll start seeing this issue more often soon, because I14 users mainly perform patch upgrades instead of the full upgrades we had when moving from I12 to I14. Fun times ahead!

    • DaanTheoden
      Creator III

      Thank you for your response Angela!

      Yes, that was one of the two guides that I have used. Whether the Innovator behaviour related to OAuth certs has changed over the years is something I can't tell. This was the first time we had to renew.

      I hope people will let us know if they face issues and how they resolved it so I can keep improving this quick guide. 

  • That is the process I have been using for several years, as I couldn't seem to get the documented steps to work correctly (user error I'm sure, as I know the steps work). Creating a dummy install is very quick and all of my environments accept the new certs from my local dummy install. The only thing I would add is, when running the installer in a location that already has Aras, to use the changeguid.exe on the innovatorsetup.msi to avoid messing up the previous install. I just install it in a dummy location on my local PC and copy to my servers.

    • DaanTheoden
      Creator III

      Thank you for your contribution Kevin. That is actually a very good point, and I think we messed this up ourselves. Will try to resolve that and update this post with your suggestion.

  • Wish I'd seen this a few months ago. Was upgrading from V22 to V30; all went well, then my security certs expired, by coincidence, the day after the upgrade. Replacing the certs according to the information that I had resulted in errors (can't recall what they were, but basically the entire system was unusable). Had to do a complete re-install of a vanilla system and then upgrade/import the changed bits in a very hasty rush to recover the situation, as I couldn't just restore the previous version because the certs were going to expire independent of the upgrade. Your solution would have saved me so much heartache.

    • DaanTheoden
      Creator III

      I hope it can be of help in the future. Thank you for letting me know, these types of comments are the exact reason why I keep posting here.