VMware Horizon Community
btkrausen
Enthusiast

Connection Server Certificate Invalid

I've replaced the default certificate with one issued from my internal CA, however, View Admin still reports that the certificate is invalid.

Error message states: Server's certificate is not trusted.

SSL Certificate: Invalid

When connecting to View Admin on either server the browser shows that the cert is valid but View does not. The cert has multiple SANs including the server name and the FQDN. The certificate's friendly name is vdm and I've restarted the Connection services (before you ask :) )


vExpert 2014 & 2015, VCAP-DCA, VCP5-DCV, VCP5-DT, VCP4, VCP3, CCNA, MCSA, MCTS, MCDST, A+, Net+, Sec+
10 Replies
I3vmware
Enthusiast

Can you check to be sure you have the full certificate and chain in the Personal store of the computer account? When you got your cert it probably came with several intermediates etc.; those need to be in that store also. Also make sure the MMC you used is pointed to the "Computer Account" and not "My user Account".


gmtx
Hot Shot

One other thing, and I have no idea why this happens, is the difference between importing a cert using the MMC import functionality and launching the import by double-clicking on the cert file. The behavior looks the same, and I spent an hour on the phone with VMware support not too long ago trying to figure out why my cert wasn't working, and it turned out to be just that: I was double-clicking on the cert file and doing the import into the cert store instead of doing an "All Tasks/Import" from the MMC. Once we did it the "right" way (importing using All Tasks) it worked. I have no idea what's different, but something.

Geoff

btkrausen
Enthusiast

Thanks for the reply. All the servers are connected to the same domain and the cert is issued from the internal CA. By default it'll get all the intermediates. To be sure I double checked and they were all there. :)

Like I said above, the odd thing is that a web browser accepts the certificate when hitting View Admin, the View client accepts it if I go straight to the connection server (bypassing the load balancer) but View Administrator doesn't like it.

I3vmware
Enthusiast

I think the double-click import wizard does it only for the user account, that is why I like to do MMC -> add Certificates snap-in and do it manually. I just know it's "done right" for sure that way. When you import into the local user store the full chain doesn't apply to the whole machine account, which is necessary for services etc. to see the full cert chain.

gmtx
Hot Shot

You're probably right about the chain getting messed up, but what's odd is you can check the cert once it's imported and everything looks good. The chain verifies, the private key is there, it all looks good. It just doesn't work with View. :(

btkrausen
Enthusiast

The cert was definitely under the Computer Account. For the fun of it, I deleted it out and imported using the Import under MMC. Restarted Connection service but nothing seems to have changed.

I3vmware
Enthusiast

I missed the parts about it being only the View Administrator, and that there is a load balancer in there. The SANs for the certs might be a place to check also, since the name is getting bounced around some. Is it possible to request/use a wildcard cert instead of a SAN cert?

Edit: also, can you check to be sure you are using the FQDN of the server in the View Connection Server settings?

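The checks suggested in this thread (cert with friendly name vdm in the computer's Personal store, full chain present, private key attached, SANs covering the NetBIOS name, FQDN and load-balancer name, and no stray copy in the user store from a double-click import) can be run in one pass from an elevated PowerShell on the Connection Server. This is an added diagnostic, not code from the thread or from VMware; the host names in $ExpectedNames are assumed placeholders to replace with your own.

```powershell
# Added diagnostic (not from the thread). Verifies the points raised above for the View cert.
$FriendlyName  = 'vdm'
$ExpectedNames = @('view01', 'view01.corp.example', 'view.corp.example')  # NetBIOS, FQDN, LB VIP name (assumed)

# View reads the cert from the *computer* Personal store, not the user's
$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -eq 0) { Write-Warning "No certificate with friendly name '$FriendlyName' in LocalMachine\My"; return }
if ($certs.Count -gt 1)  { Write-Warning "More than one '$FriendlyName' cert in LocalMachine\My; only one should carry that friendly name" }

foreach ($cert in $certs) {
    "Subject    : $($cert.Subject)"
    "Thumbprint : $($cert.Thumbprint)"
    "PrivateKey : $($cert.HasPrivateKey)"
    if (-not $cert.HasPrivateKey) { Write-Warning "No private key attached; re-import the PFX, not the .cer" }

    # A copy in CurrentUser\My is the signature of a double-click import done as a user
    $userCopy = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if ($userCopy) { Write-Warning "Same cert also present in CurrentUser\My (imported via double-click?)" }

    # Subject Alternative Names (OID 2.5.29.17) as the View client will match them
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = ($sanExt.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=')[-1].Trim() }
    }
    "SANs       : $($sans -join ', ')"
    foreach ($name in $ExpectedNames) {
        if ($sans -notcontains $name) { Write-Warning "SAN missing: $name" }
    }

    # Build the chain from the machine context, the way the View service sees it
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ok = $chain.Build($cert)
    "ChainValid : $ok"
    $chain.ChainElements | ForEach-Object { "  -> $($_.Certificate.Subject)" }
    if (-not $ok) {
        $chain.ChainStatus | ForEach-Object { Write-Warning "Chain status: $($_.Status) - $($_.StatusInformation.Trim())" }
    }
}
```

Run it on each Connection Server; a chain that builds here but is still rejected by View Administrator points at the name being presented (load balancer VIP vs. server FQDN) rather than at the store contents.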
btkrausen
Enthusiast

I do have the SAN of the server netbios name, FQDN, and even the DNS name which points to the VIP of the load balancer. For what it's worth, we're running connection servers on port 80 and offloading the Verisign SSL on the front end. There are no security servers involved with this as it's not exposed to the internet.

VMware support gave me a KB article with a reg hack which tells View not to check the validity of the cert but I can't accept that as the answer.

I3vmware
Enthusiast

Hey, can you share that KB article #? That can come in useful for labs and testing.

It would be nice if they had a tool to show you where that chain breaks like MS does. In the connection servers the log will give some better detail though. It's in Program Files\VMware\VDM\logs on the connection server.

btkrausen
Enthusiast

This is the article that VMware support gave me: 2000063

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2000063&sl...
