VMware Horizon Community
Hdeuxo
Contributor

Issue with certificate on View Composer

Hello,

I will try to explain my issue as well as I can.

I have upgraded my View Composer server from 5.2 to 6.2, and I would like to replace the default certificate with my own, generated by my internal CA (on our DC).

I have created a request.inf found here: VMware KB: Using Microsoft Certreq to generate signed SSL certificates in VMware Horizon View

And replaced the CN, OU, O, etc. with my information. Here is the content:

;----------------- request.inf -----------------
[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=View_Server_FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name" ; replace attributes in this line using example below
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
FriendlyName = vdm
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[RequestAttributes]

; SAN="dns=FQDN_you_require&dns=other_FQDN_you_require"

;-----------------------------------------------


Afterwards I generated the CSR with the following command: certreq -new request.inf certreq.txt

Then I generated the certificate with our CA in DER64.

In the MMC on the Composer server I imported the certificate. Everything went fine.

And the last thing is to replace the default certificate with the SVI command: SviConfig ReplaceCertificate

It is done. I restarted the Composer server and went to the dashboard to see the flag, but I got a red flag on the Composer with the following message: server certificate does not match the url

I searched for this message on Google and the error appears to be in the "CN". I verified that the syntax and the name of the server (FQDN) are written correctly. I also saw that we can use a SAN (Subject Alternative Name).

But I still get the same error.

Does anyone have an idea about this?


Best regards,

0 Kudos
1 Solution

Accepted Solutions
Gaurav_Baghla
VMware Employee

Apologies, that was getting auto-saved; please ignore the previous comment. Alright, now back to square one. Composer certificates do not work as expected. Please share the outcome of the step below.

If you use the sviconfig replace utility to revert to the default certs, does the certificate error go away?

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14


0 Kudos
27 Replies
Gaurav_Baghla
VMware Employee

Can you attach the latest debug file from the Composer logs after a restart of the Composer service?

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
Hdeuxo
Contributor

Hello,

Thank you for your response.

Here is the log after a restart of the Composer.

Best regards,

0 Kudos
Hdeuxo
Contributor

For information, I see the following message in the log:

Unable to retrieve at least one of the certificates.

Have a nice day.

0 Kudos
Gaurav_Baghla
VMware Employee

Those are the installation logs. Do you have installation issues? If not, attach the latest file from C:\ProgramData\VMware\View Composer\Logs\

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
Hdeuxo
Contributor

Hello,

Sorry, I made a mistake. Here are the two latest files from the right directory (composer/logs):

Thanks for your help,

0 Kudos
Gaurav_Baghla
VMware Employee

It is not getting replaced. It is still pointing to the old certificates.

VMware View 5.2 Documentation Library

Run the command to replace certificates and try the correct thumbprint, followed by a restart of the services.

Here is the snippet:

SimConfig.Operation.ReplaceCertificateOperation - Try to replace with the same certificate. Thumbprint: B3E3E72E213F6EC7420E579057F49CF4BFF77FC4

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
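Added example, not part of the thread or of VMware's tooling: a PowerShell check, run on the Composer server, that lists every certificate in the machine's Personal store with its thumbprint and whether it covers the name used to reach Composer, which is what the CN/SAN question in the first post and the thumbprint advice above both come down to. The function names and the FQDN are hypothetical, the name matching is generic TLS hostname matching rather than View's own logic, and it assumes a PowerShell version whose certificate provider exposes DnsNameList.

```powershell
# Added example. Function names and the sample FQDN are hypothetical.
function Test-DnsNameMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.TrimEnd('.').ToLowerInvariant()
    $h = $HostName.TrimEnd('.').ToLowerInvariant()
    if ($p -eq $h) { return $true }
    # A wildcard covers exactly one left-most label.
    if ($p.StartsWith('*.')) {
        $dot = $h.IndexOf('.')
        return ($dot -gt 0) -and ($h.Substring($dot) -eq $p.Substring(1))
    }
    return $false
}

function Get-ServerCertReport {
    param([Parameter(Mandatory = $true)][string]$HostName)
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication, as in request.inf
    $now = Get-Date
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # The certificate provider fills DnsNameList from the SAN DNS entries,
        # or from the Subject when the certificate has no SAN.
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        # No EKU extension means the certificate is not restricted to specific purposes.
        $ekuOk = (-not $eku) -or
                 (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuth)
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            FriendlyName  = $cert.FriendlyName
            DnsNames      = $names -join ', '
            NameMatches   = [bool]($names | Where-Object { Test-DnsNameMatch $_ $HostName })
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuth    = $ekuOk
            InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        }
    }
}

# Pass the exact name View Administrator uses to reach Composer (placeholder FQDN).
Get-ServerCertReport -HostName 'composer01.example.test' | Format-List
```

The certificate to bind is the one where every check is True; its Thumbprint is the value to compare against the thumbprint in the ReplaceCertificateOperation log line.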
Hdeuxo
Contributor

It is done.

Here is the new log file after the replacement.

Best regards,

0 Kudos
Gaurav_Baghla
VMware Employee

Do you still have this problem? It looks good. I can check again if you still have the problem.

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
Hdeuxo
Contributor

Yes the error is the same in the dashboard. "The server certificate does not match the URL".

Best regards,

0 Kudos
Gaurav_Baghla
VMware Employee

Can you please attach a screenshot of the dashboard? You can use the Snipping Tool, and black out the first portion as well.

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
Hdeuxo
Contributor

Here is the screenshot.

0 Kudos
Hdeuxo
Contributor

And the error message.

0 Kudos
Gaurav_Baghla
VMware Employee

In Configuration, edit vCenter and Composer and re-enter the password.

Please take the log file from both the Connection Server and Composer.

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
Hdeuxo
Contributor

Hello,

I'm unable to re-enter the password because I get the certificate error, which blocks the connection:

Le certificat configuré sur View Composer Server n'est pas valide, il bloque la communication avec ce serveur. Pour reprendre la communication, remplacez le certificat par un certificat valide signé par une autorité de certification. Vous pouvez également accepter l'empreinte numérique du certificat en cliquant sur Vérifier dans le tableau de bord de View Administrator.

0 Kudos
Hdeuxo
Contributor

Here is the log for the Connection Server.

0 Kudos
Gaurav_Baghla
VMware Employee

Upgrade your Connection Server; it is still at 5.2.

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
Gaurav_Baghla
VMware Employee

Keep this handy: http://pubs.vmware.com/horizon-62-view/topic/com.vmware.ICbase/PDF/view-62-upgrades.pdf

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos
Hdeuxo
Contributor

Thank you for your feedback.

I will plan the upgrade for today.

Will the client be able to reconnect with the View Agent in 6.0 and 5.2?

Best regards,

0 Kudos
Gaurav_Baghla
VMware Employee

That should not be a problem during upgrade.

Correct me if I am wrong: Composer is already at 6.2 and View is at 5.2?

Regards Gaurav Baghla Opinions are my own and not the views of my employer. https://twitter.com/garry_14
0 Kudos