
Symptoms


SSL Certificate error when navigating to designer site after upgrade

Diagnoses


Somewhere during the install, either our STS URL value was updated, or we have an issue with the site binding not using the proper certificate for its hostname.

Resolution

After some investigation into the current configuration, we took a look at the bindings and the following suggestions were made.


We currently have bindings set up on ports 80 and 443 for the K2 site in IIS. The SSL binding has no hostname configured, and as such the site is accessible through https://machineName.

K2 by default installs a self-signed certificate for https://machineName, issued by the certificate authority built into IIS. This certificate, while valid for https://machineName, is only as good as the set of machines that trust it, namely the K2 server itself. That set does not include client web browsers or the SharePoint server, since they have neither that certificate nor the root certificate of the issuing CA among their trusted root certificates.

Our options are basically as follows:

1. Install that self-signed certificate as a trusted root CA on every machine that could ever access the K2 site, directly or through SharePoint.

2. Replace the self-signed certificate with one issued by a CA that all machines already trust as part of the certificates installed with the operating system itself (Thawte, VeriSign, GoDaddy, etc.).

K2 typically recommends the second approach, as it is generally the most practical. When purchasing a certificate, we recommend a wildcard certificate such as *.domain.com, which lets you reuse the certificate for any site ending in the domain.com domain. For example, K2Dev.domain.com, k2Staging.domain.com, k2prod.domain.com and sharepoint.domain.com would all be valid uses of that same certificate.

There are some special concerns with app domains in SharePoint 2013: you may not be able to use the same certificate for your app domain because of the prefixing that mechanism performs. More detail on that is here:
https://technet.microsoft.com/en-us/library/fp161236.aspx
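An added diagnostic for the binding and trust problem described above (not from the original post and not K2's own tooling): it lists the K2 site's HTTPS bindings in IIS and reports, per binding, whether a host header is set, whether the bound certificate is self-signed, whether its subject or SAN names cover the intended hostname (including *.domain.com wildcards), and whether it chains to a root trusted on this machine. The site name 'K2' and hostname 'k2prod.domain.com' are placeholder assumptions.

```powershell
# Added diagnostic, not K2's own tooling. Assumes the IIS WebAdministration module is
# available and the script runs elevated on the K2 server; 'K2' and 'k2prod.domain.com' are placeholders.
Import-Module WebAdministration

function Test-HostnameCoveredByCert {
    param([string]$Hostname, [string[]]$CertNames)
    $h = $Hostname.ToLowerInvariant()
    foreach ($n in $CertNames) {
        $n = $n.ToLowerInvariant()
        if ($n -eq $h) { return $true }
        # A wildcard such as *.domain.com covers exactly one label to its left.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)                   # '.domain.com'
            if ($h.Length -gt $suffix.Length -and $h.EndsWith($suffix)) {
                $leftmost = $h.Substring(0, $h.Length - $suffix.Length)
                if ($leftmost -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Test-SiteSslBinding {
    param([string]$SiteName = 'K2', [string]$ExpectedHost = 'k2prod.domain.com')
    $bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
    if ($bindings.Count -eq 0) { Write-Warning "Site '$SiteName' has no https binding"; return }
    foreach ($b in $bindings) {
        # bindingInformation is 'ip:port:hostheader'; an empty host header is the
        # situation in the post (the site answered only as https://machineName).
        $hostHeader = ($b.bindingInformation -split ':')[2]
        $store = if ($b.certificateStoreName) { $b.certificateStoreName } else { 'My' }
        $cert  = Get-Item "Cert:\LocalMachine\$store\$($b.certificateHash)"
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Binding          = $b.bindingInformation
            HostHeaderSet    = [bool]$hostHeader
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            SelfSigned       = ($cert.Subject -eq $cert.Issuer)
            CoversHost       = Test-HostnameCoveredByCert $ExpectedHost $names
            # Verify() builds the chain against this machine's own trust store; a
            # pass here says nothing about what client browsers or SharePoint trust.
            ChainTrustedHere = $cert.Verify()
            Expires          = $cert.NotAfter
        }
    }
}

Test-SiteSslBinding -SiteName 'K2' -ExpectedHost 'k2prod.domain.com' | Format-List
```

A binding with HostHeaderSet false, SelfSigned true and CoversHost false is the configuration the post describes; re-run the check after replacing the certificate to confirm that all three have flipped.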
