Earlier this year, I wrote a post about running the SharePoint 2013 App Store behind a web proxy. It covered how to configure the SharePoint application to recognize App Store traffic and direct it through your web proxy so that the App Store works properly.
Now that we’ve moved from a test environment to production, the same fix applies, but in production we are required to run SharePoint 2013 over HTTPS. This threw an additional error when configuring the App Store for production. It seemed that the SSL traffic was breaking down with the error “Unable to connect to SharePoint Appstore please retry again later.”
We double and triple checked our configuration, and the only difference between proof-of-concept and production was that SSL/HTTPS was enabled on the SharePoint farm. After working a case with Microsoft, it turned out our issue was an untrusted root certificate. Well now, if that sounds familiar, I ran into this same type of problem with VMware Update Manager last year when new certificates were issued. Although it was a different root certificate, it was the same basic problem.
Under Microsoft’s direction, we had to import the root certificate in the following screenshot.
Importing the certificate resolved the issue. Windows Server 2008 includes the ability to automatically update its trusted root certificate authorities, but this obviously doesn’t work correctly behind a proxy configuration. Microsoft recommends that you update and push the trusted root CAs using Active Directory Group Policy in a domain environment.
There is an installer to update the root certificate authorities in disconnected environments; however, Microsoft says it is only for Windows XP, so please read on before using this on a server. Microsoft added a revision to KB931125 in January 2013 with a new warning:
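One way to confirm and fix the untrusted-root condition on a single server, as an added example that is not from the original post or from Microsoft: it builds the chain for a certificate exported from the failing endpoint, reports why trust fails, and adds a root to the machine store only when its thumbprint matches one verified out of band. The file paths and the thumbprint are placeholders; in a domain, Group Policy remains the way to distribute the root.

```powershell
# Added example. Paths and thumbprint are placeholders, not values from the post.
# Run elevated; uses only .NET classes, so it works on PowerShell 2.0 and later.
param(
    [string]$LeafPath = 'C:\Temp\endpoint-leaf.cer',  # hypothetical: cert exported from the failing HTTPS endpoint
    [string]$RootPath = 'C:\Temp\missing-root.cer',   # hypothetical: root CA file from a trusted source
    [string]$ExpectedThumbprint = '<ROOT-THUMBPRINT-VERIFIED-OUT-OF-BAND>',
    [switch]$Import
)
$ns = 'System.Security.Cryptography.X509Certificates'

function Test-CertChain($Cert) {
    $chain = New-Object "$ns.X509Chain"
    # Skip revocation: CRL/OCSP fetches can also fail behind the proxy and mask the trust error.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    foreach ($el in $chain.ChainElements) {
        Write-Host ('  {0}  {1}' -f $el.Certificate.Thumbprint, $el.Certificate.Subject)
    }
    # UntrustedRoot or PartialChain here means the root is absent from LocalMachine\Root.
    foreach ($st in $chain.ChainStatus) { Write-Host ('  status: {0}' -f $st.Status) }
    return $trusted
}

$leaf = New-Object "$ns.X509Certificate2" -ArgumentList $LeafPath
Write-Host 'Chain before import:'
if (Test-CertChain $leaf) { Write-Host 'Chain already trusted; nothing to import.'; return }

if ($Import) {
    $root = New-Object "$ns.X509Certificate2" -ArgumentList $RootPath
    # Refuse anything that is not the exact root that was verified separately.
    if ($root.Thumbprint -ne ($ExpectedThumbprint -replace '\s', '').ToUpper()) {
        throw "Thumbprint mismatch for '$($root.Subject)'; not adding it to the trust store."
    }
    # A root CA certificate is self-issued: subject and issuer are the same name.
    if ($root.Subject -ne $root.Issuer) { throw 'Subject and issuer differ; this is not a root CA.' }
    $store = New-Object "$ns.X509Store" -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadWrite')
    try { $store.Add($root) } finally { $store.Close() }
    Write-Host 'Chain after import:'
    if (-not (Test-CertChain $leaf)) { Write-Warning 'Chain still not trusted; check intermediates.' }
}
```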
The KB 931125 package that was posted to Windows Update and WSUS on December 11, 2012, was intended only for client SKUs. However, the package was also offered for server SKUs. Because some customers reported issues after they installed the package on servers, the KB 931125 updates for server SKUs were expired from Windows Update and WSUS. We recommend that you sync your WSUS server and approve the expiry.
However, it was provided to us by Microsoft support. So, mileage will vary and there is a link in KB931125 that helps to fix a problem if the update causes issues on a server.