VMware Horizon Community
nzorn
Expert

Connection Server's certificate is not trusted

This morning around 4:13am all of our View Connection servers lost communication with Composer, and possibly vCenter. When logging into the View Admin page I noticed the Connection Servers and View Composer Server had a Red status instead of Green.

I clicked on the View Composer Server Details and it displayed the following:

Untrusted Certificate (Verify)
For self-signed certificate, click Verify. If the View Composer Server certificate can be validated, make sure that the trusted store on the View Composer Server system has the correct Certificate Authorities.
SSL Certificate: Invalid

Once I clicked Verify the status changed to Green.

I clicked on the Connection Server Details and it displayed the following:
Status: Server's certificate is not trusted
SSL Certificate: Invalid

Status is still Red on the Connection Server, but it does not appear to be affecting any functionality. I opened ticket #13335675306 with VMware, and they suggested we replace the certificates and/or try disabling certificate revocation checking. They also informed me that another customer had the same issue over this last weekend, and that ticket is still open.

To disable certificate revocation checking create a string (REG_SZ) value CertificateRevocationCheckType, under HKLM\Software\VMware, Inc.\VMware VDM\Security, and set this value to 1. More information can be found here: http://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.installation.doc%2FGUID-D1190AE8-1...

Has anyone else seen this issue where certificates randomly stop being trusted? I am going to try rebooting my Connection servers tonight and see what happens.

9 Replies
nzorn
Expert

A reboot did not fix the issue, but disabling the certificate revocation checking turned the status to green.

[HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Security]

"CertificateRevocationCheckType"="1"

I did not have to reboot or restart any services after applying this registry entry.

Linjo
Leadership

Can the Connection-broker reach the CRL-url?

Best regards, Linjo Please follow me on twitter: @viewgeek If you find this information useful, please award points for "correct" or "helpful".
nzorn
Expert

Not sure exactly what you mean...how would I go about testing that?

Linjo
Leadership

The easiest would be to put the CRL in a browser from the View connection server and try to see if it can reach it.

// Linjo

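
One way to run the check described in the reply above from the Connection Server without a browser, as an added example that is not part of the original thread or VMware's own tooling: it builds the certificate chain with online revocation checking and then tries each HTTP CRL distribution point. The certificate is picked by friendly name from LocalMachine\My; the default value 'vdm' and the parameter names are assumptions to adjust.

```powershell
# Added example: diagnose revocation checking for a server certificate on Windows.
# Assumption: the certificate is selected by friendly name from LocalMachine\My;
# 'vdm' is only a default here, adjust it to your environment.
param([string]$FriendlyName = 'vdm', [int]$TimeoutSec = 15)

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $FriendlyName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name '$FriendlyName' found." }

# Build the chain with online revocation checking for every element.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds($TimeoutSec)
$trusted = $chain.Build($cert)
"Chain valid with revocation checking: $trusted"

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "`n$($c.Subject)"
    # RevocationStatusUnknown / OfflineRevocation mean the CRL could not be
    # fetched or is stale; Revoked means the CA actually revoked the cert.
    foreach ($s in $element.ChainElementStatus) {
        "  status: $($s.Status) - $($s.StatusInformation.Trim())"
    }
    # 2.5.29.31 is the CRL Distribution Points extension.
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { "  no CRL distribution point in this certificate"; continue }
    # Only HTTP(S) distribution points are probed; LDAP URLs are skipped.
    $urls = [regex]::Matches($cdp.Format($true), 'https?://[^\s)]+') |
        ForEach-Object { $_.Value } | Select-Object -Unique
    foreach ($url in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
            "  CDP $url -> HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
        } catch {
            "  CDP $url -> FAILED: $($_.Exception.Message)"
        }
    }
}
```

Run it on the Connection Server itself. The service account can have different proxy settings than an interactive session, so a successful fetch here does not by itself prove the service can reach the CRL.
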
DaveatWin
Contributor

Yep, got the same error this morning, out of the blue it seems.

I did a fresh install of all the Horizon View pieces last month and all were set up with CA signed certs and I used the certificate automation tool to make sure everything was minted and trusted. Everything was green until this morning. It appears I have the exact same symptoms that you do. I verified the Composer and vCenter server and they went green. Working now to turn the View server green again. Thanks for the post.

nzorn
Expert

I have not been able to confirm what caused my problem though. I ended up powering on my ROOT CA, and then I removed the registry key I listed above and they are still green.

Does your ROOT CA happen to be offline? If so, try bringing it online.

DaveatWin
Contributor

Our root CA stays online. I created that string on the View server and it is good to go. Thanks!

I don't really like disabling CRL checking and would like to figure out the cause too, but I don't have the time to mess with it. I just need this stuff to work so I can support my users and not have to fettle with the infrastructure at random and inconvenient times! Post was a lifesaver for me and saved me a call to VMware, thanks again!

nzorn
Expert

Very interesting, please post if you find anything else out.

Thanks!

rooster147
Contributor

Has anybody gotten to the bottom of this yet? I had the same thing happen this weekend in my env. All the certs became untrusted, once I verified them in the Admin console they started working again but the connection brokers are still red with an "invalid cert" error. Nothing had changed before this outage and these certs have been working for over 8 months. Just strange out of the blue this happened.
