9 Replies Latest reply on Jan 13, 2014 9:15 AM by rooster147

Connection Server's certificate is not trusted

nzorn Jun 12, 2013 11:03 AM

This morning around 4:13am all of our View Connection servers lost communication with Composer, and possibly vCenter. When logging into the View Admin page I noticed the Connection Servers and View Composer Server had a Red status instead of Green.

I clicked on the View Composer Server Details and it displayed the following:

Untrusted Certificate (Verify)
For self-signed certificate, click Verify. If the View Composer Server certificate can be validated, make sure that the trusted store on the View Composer Server system has the correct Certificate Authorities.
SSL Certificate: Invalid

Once I clicked Verify the status changed to Green.

I clicked on the Connection Server Details and it displayed the following:
Status: Server's certificate is not trusted
SSL Certificate: Invalid

Status is still Red on the Connection Server, but it does not appear to be affecting any functionality. I opened ticket #13335675306 with VMware, and they suggested we replace the certificates and/or try disabling certificate revocation checking. They also informed me that another customer had the same issue over this last weekend, and that ticket is still open.

To disable certificate revocation checking create a string (REG_SZ) value CertificateRevocationCheckType, under HKLM\Software\VMware, Inc.\VMware VDM\Security, and set this value to 1. More information can be found here: http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-D1190AE8-1677-4637-9345-BEE0F39507DF.html

Has anyone else seen this issue where certificates randomly stop being trusted? I am going to try rebooting my Connection servers tonight and see what happens.

1. Re: Connection Server's certificate is not trusted

nzorn Jun 12, 2013 3:30 PM (in response to nzorn)

A reboot did not fix the issue, but disabling the certificate revocation checking turned the status to green.

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Security]
"CertificateRevocationCheckType"="1"

I did not have to reboot or restart any services after applying this registry entry.
Like Show 2 Likes(2)

Actions
2. Re: Connection Server's certificate is not trusted

Linjo Jun 13, 2013 1:45 AM (in response to nzorn)

Can the Connection-broker reach the CRL-url?
Like Show 0 Likes(0)

Actions
3. Re: Connection Server's certificate is not trusted

nzorn Jun 13, 2013 5:59 AM (in response to Linjo)

Not sure exactly what you mean...how would I go about testing that?
Like Show 0 Likes(0)

Actions
4. Re: Connection Server's certificate is not trusted

Linjo Jun 13, 2013 9:56 AM (in response to nzorn)

The easiest would be to put the CRL in a browser from the View connection server and try to see if it can reach it.

// Linjo
Like Show 0 Likes(0)

Actions
5. Re: Connection Server's certificate is not trusted

DaveatWin Aug 1, 2013 8:49 AM (in response to nzorn)

Yep, got the same error this morning, out of the blue it seems.

I did a fresh install of all the Horizon View pieces last month and all were set up with CA signed certs and I used the certificate automation tool to make sure everything was minted and trusted. Everything was green until this morning. It appears I have the exact same symptoms that you do. I verified the Composer and Vcenter server and they went green. Working now to turn the View server green again. Thanks for the post.
Like Show 0 Likes(0)

Actions
6. Re: Connection Server's certificate is not trusted

nzorn Aug 1, 2013 8:52 AM (in response to DaveatWin)

I have not be able to confirm what caused my problem though. I ended up powering on my ROOT CA, and then I removed the registry key I listed above and they are still green.

Does your ROOTCA happen to be offline? If so try bringing it online.
Like Show 0 Likes(0)

Actions
7. Re: Connection Server's certificate is not trusted

DaveatWin Aug 1, 2013 9:09 AM (in response to nzorn)

Our root CA stays online. I created that string on the View server and it is good to go. Thanks!

I don't really like disabling CRL checking and would like to figure out the cause too but I don't have the time to mess with it. I just need this stuff to work so I can support my users and not have to fettle with the Infrastructure at random and inconvenient times! Post was a lifesaver for me and saved me a call to Vmware, thanks again!
Like Show 0 Likes(0)

Actions
8. Re: Connection Server's certificate is not trusted

nzorn Aug 1, 2013 9:11 AM (in response to DaveatWin)

Very interesting, please post if you find anything else out.

Thanks!
Like Show 0 Likes(0)

Actions
9. Re: Connection Server's certificate is not trusted

rooster147 Jan 13, 2014 9:15 AM (in response to nzorn)

Has anybody gotten to the bottom of this yet? I had the same thing happen this weekend in my env. All the certs became untrusted, once I verified them in the Admin console they started working again but the connection brokers are still red with an "invalid cert" error. Nothing had changed before this outage and these certs have been working for over 8 months. Just strange out of the blue this happened.
Like Show 0 Likes(0)

Actions