
No HA Servers available for Hosts configuration via HTTPS


Nick Selpa

Question

I'm trying to build a XenDesktop 5.6 environment from scratch and I'm running into a peculiar issue when attempting to configure HA.

If I use HTTP, whether it's to the FQDN or the IP, it enumerates a bunch of web addresses pointing to the IP. For example:

http://myxdc.contoso.com
http://10.0.0.10 <--myxdc.contoso.com's IP (redundant listing)
http://10.0.0.11
http://10.0.0.12

I followed the directions on how to replace the self-signed SSL cert from eDocs:
http://support.citrix.com/proddocs/topic/xendesktop-rho/cds-replace-xs-cert-rho.html

Following that, our domain controller served the cert and the certificates were added successfully and confirmed working (went to the newly signed HTTPS location and verified that it's a valid certificate in the address bar).

I go back to the configuration in Desktop Studio and add the HTTPS address but I get no hypervisors to select as HA members. The listing is as follows:

https://myxdc.contoso.com

As a second attempt, when the number IP web addresses are enumerated via HTTP, I thought it might have been that it didn't like my FQDN certificates, so I went back and re-signed them as IP certificates instead. Verified the change was successful, went back to Desktop Studio and I still have no HA Servers to configure.

My creativity and Google-Fu is running thin, so I'm hoping someone here can help me with my dilemma. Thanks in advance!


Wanted to add some other steps I'd taken to try and remediate this:

* Instead of signing 4 unique certificates for each XS host, I created one SAN cert for all hosts in the XS pool. Certificate was successfully applied and verified working and still HA partners did not show up.

* Step I did not take from the earlier documentation is the line edit in /etc/init.d/xapissl which wanted me to edit the PEM path to a place that did not exist on the XenServer. Looking into that eDoc's information source, the article on changing the self-signed XS cert came from a XS 3.0 document. The path that no longer exists in XS is the ssl cert path that comes with a default OpenSSL installation.

The install instruction which replaces the old PEM for xapi works fine in an earlier line without editing the PEM variable in the shell script.


Also tried the Add-HypHypervisorConnectionAddress Cmdlet. No dice. Get the following error:

Add-HypHypervisorConnectionAddress : The supplied connection address is invalid. Check that it exists and is part of the same pool as the connection.

+ CategoryInfo : InvalidOperation: (:) [Add-HypHypervisorConnectionAddress], InvalidOperationException
+ FullyQualifiedErrorId : Citrix.XDPowerShell.HostStatus.ConnectionAddressInvalid,Citrix.HostingUnitService.SDK.Commands.AddHypHypervisorConnectionAddressCommand

No one has ever run into a similar issue? :(

Edited by: nselpa149 on Apr 23, 2012 9:42 AM - Added PS error


Tailed xensource.log on the pool master. Flipped between HTTP and HTTPS authentication via XenAPI. Only notable line that occurs on the HTTPS auth that does not appear for HTTP is the following:

[20120423T15:32:10.499Z|debug|poolMasterXS|203601 inet-RPC|host.get_server_certificate R:8ec727c40222|taskhelper] the status of R:8ec727c40222 is: success; cannot set it to `success

I can provide sanitized logs to post if it would help troubleshoot this issue.


--- RESOLVED ---

So the issue was resolved with Citrix Escalation. Turned out to be something regarding the certificates that were provided from a Windows CA.

NOTE: The way I signed the certificates was via CLI using the certreq command. I did not use the certsrv signing website that can be enabled on a CA.

The certificate was opened in vi on the XS host and the certificate portion of the .pem file had carriage returns in the certificate (shown as a ^M within vi).

The symptom is your certificate is valid to all Windows systems but breaks when xapissl processes the PEM file. Running 'xe host-get-server-certificate host=<hostName>' should return a blank line. Also, it will break XD HA configurations.

Take the following steps to clean up the certificate on the XS host (this is assuming you're working with the offending certificate that's been baked into the PEM file):

* Make two copies of the PEM file, one as an 'original' copy before the edit, another for the actual editing (optional)
* Change the file permissions to 600 or 700 with chmod (i.e. chmod 700 xapi-ssl.pem.new)
* Edit the file in vi (vi xapi-ssl.pem.new)
* Run the following command within vi:
  :%s/^V^M//g
  The ^V^M is entered as Ctrl+V, Ctrl+M
* Save the file with :wq
* Remove the old PEM
* Copy the new PEM file with the cleaned up carriage returns with the original pem file name (in my case xapi-ssl.pem)
* Run the following command (assuming you're in /etc/xensource/ with the xapi-ssl.pem file)
  install -m 0400 ./xapi-ssl.pem.new ./xapi-ssl.pem
* Restart the xapissl service

Verify that the certificate is being processed properly with the xe host-get-server-certificate command mentioned above.

Edited by: nselpa149 on May 23, 2012 5:07 PM
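
The carriage-return check and cleanup described in the resolved post, as an added shell example that is not part of the original post or of Citrix documentation. The function names and the sample PEM content are constructed for illustration; the file names follow the ones used in the post.

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical/constructed.
CR=$(printf '\r')

# Write a constructed PEM-shaped file with CRLF line endings (not a real certificate).
make_sample_pem() {
    printf '%s\r\n' \
        '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' > "$1"
}

# Succeeds if the file contains at least one carriage return.
pem_has_cr() {
    grep -q "$CR" "$1"
}

# Print the number of lines that contain a carriage return (0 when clean).
pem_cr_lines() {
    grep -c "$CR" "$1" || true
}

# Write a CR-free copy of $1 to $2, readable only by its owner; $1 is left untouched.
pem_strip_cr() {
    [ "$1" != "$2" ] || { echo "refusing to overwrite the source file" >&2; return 1; }
    ( umask 077; tr -d '\r' < "$1" > "$2" )
}

# Demo on the constructed sample, in a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_pem "$demo_dir/xapi-ssl.pem.orig"
echo "lines with CR before: $(pem_cr_lines "$demo_dir/xapi-ssl.pem.orig")"
pem_strip_cr "$demo_dir/xapi-ssl.pem.orig" "$demo_dir/xapi-ssl.pem.new"
echo "lines with CR after:  $(pem_cr_lines "$demo_dir/xapi-ssl.pem.new")"
rm -rf "$demo_dir"
```

On the XenServer host, the cleaned copy would then go through the install -m 0400 step and the xapissl restart listed in the post.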
