5 Replies Latest reply on Mar 15, 2017 6:08 AM by Gezmonder

    Access Point Thumbprint Issue

    Gezmonder Novice

      Hello,

      I've done a couple of Access Point 2.8 deployments now but am banging my head on a fundamental issue here.

      I am deploying via the 2.8 Web GUI, which is something I've used successfully in the past. I cannot get the Access Point in the DMZ to communicate with a Connection Server on the back-end.

      Ports are open and, to help troubleshooting, I have deployed a Windows VM in the DMZ alongside it with the same access rules. So I can browse to the Connection servers from the DMZ Windows VM, but if I go via the Access Point it doesn't proxy the connection; it just hangs and doesn't do anything at all.

      Checking through the esmanager.log I can see lots of entries like this:

      03/13 13:03:38,044[nioEventLoopGroup-7-1]ERROR view.ViewEdgeService [onFailure: 158][][] : unable to query Horizon Broker: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      03/13 13:03:38,044[nioEventLoopGroup-7-1]ERROR utils.SyslogManager [onFailure: 159][][] : HORIZON_SERVICE:CONNECTION_BROKEN:unable to query Horizon Broker: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
      3/13 13:03:41,923[nioEventLoopGroup-7-1]ERROR utils.SyslogManager [checkServerTrusted: 197][][] : SSL:THUMB_PRINT_MISMATCH:Could not find a trusted cert thumbprint that matches  any of the server certificates : CN=mydesktop.corp.local
      03/13 13:03:41,923[nioEventLoopGroup-7-1]ERROR ssl.HttpsProxySslEngineFactory [checkServerTrusted: 194][][] : Could not find a trusted cert thumbprint that matches  any of the server certificates : CN=CA-SUB01, DC=corp, DC=local
      03/13 13:03:41,924[nioEventLoopGroup-7-1]ERROR view.ViewEdgeService [onFailure: 487][][] : javax.net.ssl.SSLHandshakeException: General SSLEngine problem

      Now I'm absolutely 100% sure that I have copied and pasted the thumbprint from the connection servers' vdm SAN certificate into the GUI using the sha1=00 f6 0h fd blah blah blah format. I have double and triple checked it about fifty times now.

      Is there a scenario where it also needs the root and intermediate adding in too? (I have tried this as well using comma separation.)

        • 1. Re: Access Point Thumbprint Issue
          Gezmonder Novice

          Also, can we please have a separate forum section for Access Point?

          • 2. Re: Access Point Thumbprint Issue
            markbenson Master
            VMware Employees

            Your analysis looks good, and you seem to be doing the right thing, but this error is suggesting that the thumbprint you are entering in the Access Point Admin UI is not exactly the same as the thumbprint of the certificate from Connection Server referenced in the error message.

            I've seen this before where sometimes an additional (possibly invisible) character is accidentally pasted into the GUI, or there are other reasons why there is a mismatch. Perhaps some screenshots would help.

            I've attached some screenshots of my environment which works. This shows the certificate viewer looking at the Horizon Connection Server certificate thumbprint and shows the corresponding entry in the Access Point Admin UI. Note that you can't actually see all the characters in the admin UI because the field width is limited, but they are all there. Check that you are doing the same thing. Also try pasting the syntax you use for this field in the Admin UI into Notepad and then moving the cursor one character at a time through the whole string to see if it is exactly as you expect. Sometimes the cursor won't move to the right when going past the first character after the = character (if that makes sense).
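The check Mark describes above (walk the pasted thumbprint character by character for anything invisible, then compare it with the certificate's real SHA-1 fingerprint) as an added Python example; this is not code from the thread or from the Access Point product, and the DER bytes and function names are constructed for illustration.

```python
import hashlib
import re
import unicodedata

# Access Point expects the Connection Server's SHA-1 thumbprint as
# "sha1=<40 hex digits>", with optional spaces or colons between bytes.
_HEX40 = re.compile(r"^[0-9a-f]{40}$")
_FIELD = re.compile(r"^\s*sha1\s*=\s*(.*?)\s*$", re.IGNORECASE)


def find_hidden_chars(value):
    """Return (index, Unicode name) for every non-printable or non-ASCII
    character, e.g. a zero-width space or no-break space picked up when
    copying the thumbprint out of a certificate viewer."""
    return [(i, unicodedata.name(ch, "U+%04X" % ord(ch)))
            for i, ch in enumerate(value) if not 0x20 <= ord(ch) <= 0x7E]


def check_thumbprint(value):
    """Validate the admin-UI field text.
    Returns (canonical "sha1=<hex>", None) on success or (None, reason)."""
    hidden = find_hidden_chars(value)
    if hidden:
        return None, "hidden characters at %s" % hidden
    m = _FIELD.match(value)
    if not m:
        return None, "expected 'sha1=<hex>' syntax"
    digits = re.sub(r"[ :]", "", m.group(1)).lower()
    if not _HEX40.match(digits):
        return None, "need 40 hex digits, found %d" % len(digits)
    return "sha1=" + digits, None


def thumbprint_of(der_bytes):
    """SHA-1 over the DER-encoded certificate, in the spaced form used in
    the thread (sha1=00 f6 ...), the way a certificate viewer shows it."""
    digest = hashlib.sha1(der_bytes).hexdigest()
    return "sha1=" + " ".join(digest[i:i + 2] for i in range(0, 40, 2))


def thumbprint_matches(field_value, der_bytes):
    """True only if the pasted field text names exactly this certificate."""
    canonical, _ = check_thumbprint(field_value)
    return canonical is not None and canonical == check_thumbprint(thumbprint_of(der_bytes))[0]


# Constructed stand-in for a DER-encoded certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"
SAMPLE_FIELD = thumbprint_of(SAMPLE_DER)
PASTED_FIELD = SAMPLE_FIELD[:9] + "\u200b" + SAMPLE_FIELD[9:]  # one invisible char slipped in
```

Feed the real certificate's DER bytes to `thumbprint_of` and the text copied from the admin field to `check_thumbprint`; a stray character is reported with its position and Unicode name rather than showing up only as THUMB_PRINT_MISMATCH in esmanager.log.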

            • 3. Re: Access Point Thumbprint Issue
              Gezmonder Novice

              Thanks Mark, your method of looking closely at the cursor whilst arrowing through to locate the blank characters worked. The appliance itself is still not working, however. The errors relating to the certificate thumbprints have now gone from the log, but I still have SSL handshake errors. Scanning through the log, I think this is the culprit, which is a new error:

              Certificate does not conform to algorithm constraints

              The certificate is using a sha256 algorithm with a public key length of RSA 2048, but I notice a mismatch in the signature algorithm between the SAN cert, intermediate and root from the internal CA. Could this be the problem? RSASSA-PSS looks like an old algorithm, possibly something not supported by the Access Point? It's been working fine for nearly six months for internal use on the Connection servers.

              (Attachment: CertChain.png)

              • 4. Re: Access Point Thumbprint Issue
                markbenson Master
                VMware Employees

                Thanks for your detailed and accurate information. Yes, so your first problem is solved in that there was one or more invalid characters in the thumbprint value you pasted into the admin GUI. I know the PowerShell method of deployment resolves that automatically, so we should really get the admin UI to do the same. See Using PowerShell to Deploy VMware Unified Access Gateway. Anyway, it looks like that first issue is answered.

                The second issue (Certificate does not conform to algorithm constraints) is caused by the use of an incompatible signature algorithm for TLS. It is likely that TLS/Java doesn't support RSASSA-PSS as a signature algorithm.

                RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2 states:

                  Note that there are certificates that use algorithms and/or algorithm
                  combinations that cannot be currently used with TLS. For example, a
                  certificate with RSASSA-PSS signature key (id-RSASSA-PSS OID in
                  SubjectPublicKeyInfo) cannot be used because TLS defines no
                  corresponding signature algorithm.

                Is the certificate you show from the Connection Server or is it the certificate you have installed on Access Point (or both)?

                Is it possible for you to use an SSL server certificate with sha256RSA instead?

                • 5. Re: Access Point Thumbprint Issue
                  Gezmonder Novice

                  In order to quickly get round this I thought I'd just try using the existing template I used last time to see how it was returned. When it was issued it came back with a SHA256RSA algorithm, so I really don't know where the original RSASSA-PSS came from!

                  Using this new certificate has resolved the issue. Many thanks for helping me to work through this.