VMware Horizon Community
gmtx
Hot Shot

Teradici 4.0 firmware and SAN certs

Been using a SAN cert on my connection servers that has about a dozen SAN entries with no problems on zero clients with 3.51 firmware, but after upgrading one of the clients to 4.0 firmware I now get a warning that the cert is not trusted, and I see the following in the zero client logs:

05/20/2012, 09:12:19> LVL:3 RC:   0        MGMT_SYS :(ui_cback): event: 43
05/20/2012, 09:12:19> LVL:1 RC:-505       X509_UTIL :x509_util_subject_alternative_name_cback: SAN buffer is full
05/20/2012, 09:12:19> LVL:1 RC:-505       X509_UTIL :x509_util_subject_alternative_name_cback: SAN buffer is full
05/20/2012, 09:12:19> LVL:1 RC:-505       X509_UTIL :x509_util_subject_alternative_name_cback: SAN buffer is full
05/20/2012, 09:12:19> LVL:1 RC:-505       X509_UTIL :x509_util_subject_alternative_name_cback: SAN buffer is full
05/20/2012, 09:12:19> LVL:1 RC:-505       X509_UTIL :x509_util_subject_alternative_name_cback: SAN buffer is full
05/20/2012, 09:12:19> LVL:1 RC:-505       X509_UTIL :x509_util_subject_alternative_name_cback: SAN buffer is full
05/20/2012, 09:12:19> LVL:1 RC:xFFFFE8E6   MGMT_SSL :ocsp_http_query: remapping error to ERR_OCSP_RESPONDER_CONNECT_FAILED
05/20/2012,  09:12:19> LVL:1 RC:xFFFFC552   MGMT_SSL  :mgmt_ssl_certificate_revocation_test:  mgmt_ssl_ocsp_validate_certificate() failed: Unknown Err
05/20/2012,  09:12:19> LVL:2 RC:-500     MGMT_VDMCSI :Warn on View Default mode:  VCS certificate meets WoVD no trusted root exception

I have a ticket open with Teradici (for nine days) and still no response from them, other than a ticket status of "Work in Progress". Anyone else seeing any issues with 4.0 firmware and certs with multiple SAN entries?

Thanks,


Geoff

37 Replies
crmk
Contributor

We're unable to import the GoDaddy root certificate on the Zero Clients.  We are getting the following errors in the event log:

06/15/2012, 15:58:11> LVL:2 RC:   0    MGMT_FW_PROV :Download start
06/15/2012, 15:58:11> LVL:2 RC:   0         MGMT_UI :Web interface started new upload (handle = 6)
06/15/2012, 15:58:11> LVL:1 RC:-510       X509_UTIL :get_subject() failed!
06/15/2012, 15:58:11> LVL:1 RC:-510       MGMT_CERT :ERROR: tera_x509_util_get_tree failed for certificate 1
06/15/2012, 15:58:11> LVL:1 RC:-510       MGMT_CERT :ERROR: Invalid certificate uploaded
06/15/2012, 15:58:11> LVL:2 RC:   0         MGMT_UI :Web interface finished upload (handle = 6)
06/15/2012, 15:58:11> LVL:2 RC:   0    MGMT_FW_PROV :Download incomplete

It looks like it might be related to the fact that the GoDaddy Root Certificate does not have a CN in the Subject Name field. It just has:

OU = Go Daddy Class 2 Certification Authority
O = The Go Daddy Group, Inc.
C = US

Any help would be appreciated, for right now we have to have our devices in Unsecured state.

Thanks,

Chris

lmhealthcare
Contributor

Open a case with Teradici. They have an RC for the next firmware with a fix for the GoDaddy issue. My setup is working fine with the new firmware.

-Ron Davis

crmk
Contributor

Good to hear! I had already opened a ticket and then started searching the forums looking for a fix.  I guess once they get to my ticket I'll be all set.

Thanks!

Stu_Robinson
Enthusiast

Hi Crmk,

We have found an issue with some GoDaddy certificates where they are missing expected information in the cert.  We have worked around this in a firmware patch that we can provide to customers.  However, we want to verify that the patch will resolve the problem before providing it. Crmk - can you provide the last 4 digits of your ticket number and I'll check on the progress.

For others having issues where the certificate upload to the zero client fails, please open a ticket on the Teradici support site (techsupport.teradici.com).

There are many other issues that we are seeing, including intermediate certificates being uploaded to the zero clients instead of the root - these will upload without error, but you will get warnings/error messages when trying to connect to the View Connection Server. We have added new KBs to cover different issues with the VCS certificate, or finding the right certificate to upload to the zero client - see KB 1092 on the Teradici support site.

Ron - thanks for jumping in!

Stu

Director of Systems Engineering,

Teradici

blindoff
Contributor

Hi, is there any new firmware update yet to resolve the GoDaddy root cert issue?

Stu_Robinson
Enthusiast

Hi Blindoff,

If you are having an issue uploading a certificate to a PCoIP zero client, please open a ticket with Teradici at techsupport.teradici.com. There is a firmware patch build we can provide once we verify the issue. The workaround for the GoDaddy certificate missing information will be in an upcoming firmware release.

Thanks,
Stu

Director of Systems Engineering

ITguy201110141
Contributor

This does not work on setups that have 2 or more Connection Servers using DNS round robin for load balancing.
I have ConnectionServer1 & ConnectionServer2.

I also have an FQDN: connection.domain.com that is pointing to the 2 servers.

We use the FQDN to connect to our VM.
When trying to connect I get an error that the device cannot see the name "connection.domain.com" inside the certificate information.

Of course it's not there, because the certificates contain the information "Certificate Issued to: ConnectionServer1 & ConnectionServer2".

We do not have this problem on other Zero clients.

Stu_Robinson
Enthusiast

Hi ITGUY2011...,

Can you please open a ticket at techsupport.teradici.com so that we can look at the details and help you resolve the issue?

One point to note is that if you have ConnectionServer1.domain.com and ConnectionServer2.domain.com then you need to include both in the certificate, one as the Common Name and the other as a Subject Alternative Name (SAN). Also, while recent security guidelines do not recommend multiple Common Names, if for some reason you require multiple Common Names in a certificate, include those domains as Subject Alternative Names as well (zero clients parse one Common Name, per recent security recommendations). By having both as CNs and SANs the zero client will detect both domain names being used.

If you open a ticket, I'll have my team dig into this with you.

Regards,
Stu

Director of Systems Engineering

Teradici

ITguy201110141
Contributor

Hi Stu!

The certificates of the 2 connection servers are already uploaded to the device.

The problem is, the P20 wants me to connect to either ConnectionServer1.domain.com or ConnectionServer2.domain.com. When I use one of these names as my Connection server it accepts the certificate.

However, this is not how we connect to our Connection servers. We use another FQDN/DNS name which is for example ConnectionServer.domain.com.

This points to either one of the Connection servers via DNS round robin. When we connect in this way, the device generates an error that it cannot match the FQDN, aka the Connection Server name, to the details inside the certificate, because the certificates uploaded only contain the names ConnectionServer1.domain.com or ConnectionServer2.domain.com. There's no ConnectionServer.domain.com.

Thanks!

lmhealthcare
Contributor

Jericho, you need to use a certificate with SAN, subject alternative names. One cert will have connectionserver, connectionserver1, and connectionserver2 in it.

I would also recommend using a load balancer instead of DNS round robin. It will detect outages and not route traffic to a bad node. Citrix NetScaler has a low-bandwidth (5 megs) virtual appliance you could use for free. For View you can set it up to only use the load balancer for connection setup, with the actual connection going direct.

-Ron Davis

iforbes
Hot Shot

We are having exactly the same issue as you. We're using DigiCert certs (SAN certificate). All other end-point clients work fine, other than the Wyse P25s (firmware version 4.1.x, View 5.2). We have uploaded both the DigiCert intermediate root CA and the SAN cert (both in PEM format). The error we're still receiving is: "Failed to connect. The server provided a certificate that is invalid. See below for details: The supplied certificate is not rooted in the device's local certificate store."

The certs (both) are 100% in the device local certificate store (via the PCoIP Management Console). I've attached a screen shot of the certificate store and log file. Any help is appreciated.

Stu_Robinson
Enthusiast

Hi iForbes,

My guess is that you need the trusted SSL root certificate used in the VCS (not just the intermediate root) installed in the zero client. Typically the next step is to use a tool to inspect the cert chain presented by the VCS and see what trusted root cert is being used. There are on-line tools for cert chain inspection - we have links on the Teradici support site here: http://techsupport.teradici.com/ics/support/default.asp?deptID=15164&task=knowledge&questionID=1087

Alternatively you could open a ticket with the Teradici support team at techsupport.teradici.com and we can help work through this.

Cheers,

Stu

Stuart Robinson

Director of Systems Engineering

Teradici

iforbes
Hot Shot

Hi Stuart. Thanks for the reply. You'll notice in the pic I supplied that 2 certs have been uploaded to the device's certificate store. We received 2 certs from DigiCert. The SAN cert and the DigiCert root cert. We might have to open a ticket with Teradici.

Thanks

gmtx
Hot Shot

Here's what my store looks like. Check to be sure you have the intermediate and root certs loaded.

[attachment: certs.jpg]

Geoff

iforbes
Hot Shot

Hmmm. I just used the certificate checker you listed in the link. It states that the 2 certificates I listed in my pic are the Server cert and the Chain cert (Intermediate?). I don't have the root cert (DigiCert Global Root CA). How do I get access to the DigiCert root certificate? I suppose that certificate also needs to be uploaded?

Thanks

iforbes
Hot Shot

Hi Geoff. Looks like I'm missing the root certificate. When we received the cert request back from DigiCert, we only received 2 certs (server cert, chain cert). How do I get the root cert?

gmtx
Hot Shot

If you download the full cert package as shown below from DigiCert, you'll get a zip file with your cert plus the intermediate and root certs:

[attachment: pastedImage_0.png]
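The four properties this thread turns on (a CA subject with no CN, a long SAN list, the name users actually connect to missing from CN and SAN, and an intermediate uploaded where the self-signed root belongs) can all be checked before a certificate is pushed to the zero clients. The Go program below is an added example, not Teradici's or VMware's code: it builds constructed test certificates in memory, the names ConnectionServer1/2.domain.com and the CA subjects are assumptions, and its Anchored check only approximates the "not rooted in the device's local certificate store" error by requiring the chain's last link to be a self-signed root present in the store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a constructed test certificate; with parent == nil it is self-signed, i.e. a root.
func makeCert(subj pkix.Name, sans []string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj, DNSNames: sans,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Inspect returns the properties the thread shows zero clients tripping over: whether the subject has a
// CN (the GoDaddy root had none and was rejected on upload), how many DNS SANs the cert lists (4.0 firmware
// logged "SAN buffer is full" at about a dozen), and whether it is self-signed (only a root anchors trust).
func Inspect(c *x509.Certificate) (hasCN bool, sanCount int, selfSigned bool) {
	return c.Subject.CommonName != "", len(c.DNSNames), c.CheckSignatureFrom(c) == nil
}

// HostCovered reports whether host is in the SAN list or the CN; the round-robin name in the thread was in neither.
func HostCovered(c *x509.Certificate, host string) bool {
	return c.VerifyHostname(host) == nil || c.Subject.CommonName == host
}

// Anchored walks a presented chain (leaf first): each link must sign the one before it, and the last
// link must be a self-signed root that is byte-identical to a certificate in the device's local store.
func Anchored(chain, store []*x509.Certificate) bool {
	for i := 1; i < len(chain); i++ {
		if chain[i-1].CheckSignatureFrom(chain[i]) != nil {
			return false // broken link, e.g. the leaf presented without its intermediate
		}
	}
	for _, s := range store {
		if len(chain) > 0 && s.Equal(chain[len(chain)-1]) && s.CheckSignatureFrom(s) == nil {
			return true
		}
	}
	return false
}
```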

iforbes
Hot Shot

Thanks!
