  • 1

Cannot connect to vcenter server due to a certificate error


Simon Guiot

Question

Hi guys,

I'm trying to link my current hypervisor, VMware vSphere (6.0), with my Citrix Studio (XenDesktop 7.7) during site creation. After loading for a few seconds, this error appears: "Cannot connect to vcenter server due to a certificate error"

I have already tried a lot of the solutions proposed on the Citrix website, such as taking the CA certificate of my vCenter and importing it into "...Trusted certificates..." using mmc.exe. I have also tried to download the certificate (view certificate => copy to file => import it to the XenDesktop machine) by connecting to the SSO web interface with IE. I put the CA certificate in Certificates (Local Computer) > "Trusted Root Certification Authorities" > Certificates. Neither worked.

Help would be very appreciated.

 

Thanks,

 

Simon 

17 answers to this question

  • 5

Yesterday I spent the whole day troubleshooting this issue for one of our customers who updated his vCenter Server, including the certificate.

We followed all steps described here: https://support.citrix.com/article/CTX224551

After 8 hours of troubleshooting I got connected to an escalation engineer who told me that the certificate thumbprint has to be written in capital letters.

 

Wrong Example:

Set-Item -LiteralPath "XDHyp:\Connections\EsxLab" -username $cred.username -securepassword $cred.password -sslthumbprint "02faf3e291435468607857694df5e45b68851868" -hypervisorAddress https://vcenter.example.com

 

Correct Example:

Set-Item -LiteralPath "XDHyp:\Connections\EsxLab" -username $cred.username -securepassword $cred.password -sslthumbprint "02FAF3E291435468607857694DF5E45B68851868" -hypervisorAddress https://vcenter.example.com

 

After using the above command the certificate error was gone!!! Thanks Citrix for having 8 hours of troubleshooting fun ;)

By the way, if you are logged in as XenDesktop Studio Administrator you can run the PowerShell command without username and password, like this:

Set-Item -LiteralPath "XDHyp:\Connections\EsxLab" -sslthumbprint "02FAF3E291435468607857694DF5E45B68851868" -hypervisorAddress https://vcenter.example.com

 

Background information:

To me it looks like this is only relevant for long-standing hypervisor connections, for example ones you have been using since XD 7.6 and have updated to 7.xx. New hypervisor connections do not have/use a thumbprint, maybe because there have been those issues in the past.

If you want to create a new hypervisor connection and move the existing machines to that new hypervisor connection you can take a look here: https://discussions.citrix.com/topic/393647-change-existing-hypervisorconnection-move-machines-to-new-hypervisorconnection/

 

Hope this helps!

 

Regards

 

Dennis

 

  • Like 5
  • 2

One other possible reason for "Cannot connect to the vCenter server due to a certificate error" (apart from the SSLTHUMBPRINT case sensitivity):

https://discussions.citrix.com/topic/395579-missing-registration-events-in-studio-console_with-fault-state-failed-to-start-power-state-off/page/2/

It's worth checking the certificate thumbprint of the certificate imported on the Delivery Controller against the one written to the database (Site database, table name: HypervisorConnectionSSLThumbprint). In my case it was weird that, out of 4 VMware hypervisor hosting connections, I was able to see only 2 entries in the table for the hypervisor connections (ESXi 5.5), but the entries for the 2 other hypervisor hosting connections (VMware ESXi 6.0/6.5) were missing.

This was identified when we did a Test Connection against the hosting connection in the Studio console. The test came out successful, but the DC was not able to connect to VC due to a cert error:

~~~~

Cannot connect to the vCenter server due to a certificate error. Make sure that the appropriate certificates are installed on the VCenter server, and install appropriate certificates on every controller in the site

~~~~

 

But I have the right certificates on all the DCs, in the right stores, and they are trusted. I got this info from Carl's blog post (https://www.carlstalhood.com/delivery-controller-cr-and-licensing/#vcenter - Hosting Resources section, point no. 9) and checked the cert thumbprint in the DB. Surprisingly, I was missing the hosting connection entry. If I create a new host connection, it is written back to the database tables (Test Host Connection also didn't throw back any cert errors), but for the existing host connection the entry was missing.

If I reboot the Delivery Controller the issue is resolved temporarily, but after a week or so the issue comes back, throwing the cert error.

I guess the only option is to create a new hosting connection for the missing hypervisor entries and move the VDAs to the newly created hosting connection.

  • Like 2
  • 2

To add to the above steps, we can also check the thumbprint via

asnp citrix*

cd xdhyp:

cd connections

dir

 

If you run these commands, this will list all the host connections. Here you can check the sslthumbprints parameter. In my case the sslthumbprints parameter was blank for 2 host connections.

When I attempted to update the sslthumbprint for the cert, the command shared by @Dennis Reimer didn't work for me for some reason.

I changed the order a little bit to make it work for me. After the Set-Item command it's looking for the -hypervisorAddress parameter; any other parameter after Set-Item is failing for me, maybe in the later versions of CVAD (mine was CVAD 1906_2).

 

~~~~

Set-Item -Path "XDHyp:\Connections\test" -hypervisorAddress https://test.local/sdk -sslthumbprint "1234565aa3519b3fisdjfisdofusdf8sd9f8sd08f0"

~~~~

 

Note: I was able to confirm that a missing sslthumbprint for the VMware host connection (SSLTHUMBPRINT should be in CAPS) could also cause the VC cert to fail when doing Test Host Connection, apart from the sslthumbprint case sensitivity. I'll have to wait and watch whether it resolves my Server OS VDA daily reboot schedule power-on issue (Failed_To_Start - Hypervisor connection reported failure) :)

 

Thanks @Dennis Reimer for the detailed post.

  • Like 2
  • 0

Hi Simon,

 

I believe you have to add it to "Trusted People" as your computer account.

 

check this bit out:

Update for vCenter / vSphere 6: With vCenter 6 the file structure on the vCenter server has been changed and the approach outlined in the blog does not work any longer. Please use the steps outlined within eDocs – Prepare the virtualization environment: VMware to import and trust the default certificate. In my lab environment importing the vCenter certificate directly from within Internet Explorer worked flawlessly. Make sure to import it for the Local Machine and into the Trusted People store.

 

Source:

https://www.citrix.com/blogs/2013/12/18/using-the-default-vmware-vcenter-server-certificate-in-xendesktop-pocs/

  • Like 2
  • 0

Hi,

 

Yes. I imported it to Local Computer - Trusted People.

 

I also tried to create a new connection to VCenter with the same settings and clicked on "trust certificate" in the connection creation wizard. Then Citrix Studio trusts this "untrusted" certificate and the old connection also works. But the machine catalogs still report a certificate error and I can't manage them (e.g. update machine catalog).

 

br, Patrick

  • 0

According to CTX224551 you have to “Import the certificate into the certificate store on each of your Controllers”.

 

I am trying to do this on one of the controllers, and after running the PowerShell command to change SslThumbprints I get an error:

 

Set-Item : Cannot connect to the VCenter server due to a certificate error. Make sure that the appropriate certificates are installed on the VCenter server, and install the appropriate certificates on all machines that contain instances of the Host service.

At line:1 char:1

+ Set-Item -LiteralPath "XDHyp:\connections\IT-CRE" -SslThumbprint "‎FE ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidOperation: (:) [Set-Item], InvalidOperationException

    + FullyQualifiedErrorId : Citrix.XDPowerShell.HostStatus.VCenterConnectionSslFailure,Microsoft.PowerShell.Commands.SetItemCommand

 

Yes, I know I have a certificate error :-) that’s why I want to change the setting…

 

My question, do I have to import the new certificate on all 14 controllers first, before even trying the change thumbprint command on one of the controllers? Or is there something else going wrong?

  • 0

I was having another issue whereby thumbprints were missing for the very first host connection. I have added the required thumbprint from the SSL certificate.

Just to add a key note: I was facing this issue intermittently, and hence I executed the PowerShell command when I got a successful connection, as earlier the command execution was also throwing the same error, cannot connect to vCenter server.

 

Thanks for your post here Dennis!!

  • 0
On 3/25/2020 at 3:34 PM, Misja Geuskens said:

Hi,

 

I've used this thread a couple of times and each time there was the one thing I got stuck on, which was which certificate to use. To never forget it again, I made this blog about how to fix this issue. Hope you find it helpful: https://blog.misjageuskens.nl/2020/03/25/citrix-studio-cannot-connect-to-vcenter-server-due-to-certificate-error/

 

Cheers,

Misja

Hi Misja,

 

Thanks for creating the knowledge base; I have made the required changes today by referring to it :-)

All good!!

 

So quick takeaway would be;

 

Access vCenter URL

Download root certificate/s from download option on right side over vCenter web page

Download URL based certificate (this is the main certificate which needs to be referred for SSL Thumbprint changes)

Install root and URL based main certificates under Trusted Root Certificate and Trusted People stores

Login to delivery controllers and run the powershell command to change the SSL Thumbprint

Set-Item -LiteralPath “XDHyp:\Connections\connection name” -sslthumbprint “Value” -hypervisorAddress https://vCenter URL

(**SSL Thumbprint from URL based certificate to be used with replacing all under UPPERCASE ONLY else it will not function)

Restart the delivery controller (Just to ensure changes are in place, not mandatory though)

Verify by testing the connection for which new certificate is installed on delivery controller/s

 

Cheers,

Crackvik
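
The thumbprint step from the takeaway above, as an added PowerShell example that is not part of the original posts: it normalizes a thumbprint to the uppercase form the thread says the connection requires and can read the certificate the vCenter endpoint presents. The function names are hypothetical; the connection name, address and thumbprint are the sample values used earlier in the thread.

```powershell
# Added example, not code from the thread. Function names are hypothetical.
function ConvertTo-NormalizedThumbprint {
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Keep hex digits only: drops spaces, colons and the invisible U+200E mark
    # that comes along when the value is copied from the certificate dialog.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected a 40-character SHA-1 thumbprint, got $($clean.Length) hex characters."
    }
    return $clean
}

function Get-RemoteCertificateThumbprint {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any certificate so that an untrusted one can still be
        # read. This only inspects the certificate; it does not establish trust.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            return ConvertTo-NormalizedThumbprint $cert.Thumbprint
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }
}

# Constructed sample: the thumbprint from the thread as it might be pasted from
# the certificate dialog (leading U+200E, spaces, lowercase).
$pasted = "$([char]0x200E)02 fa f3 e2 91 43 54 68 60 78 57 69 4d f5 e4 5b 68 85 18 68"
$thumb  = ConvertTo-NormalizedThumbprint $pasted

# Print the command for review instead of running it (connection name and
# address are the sample values used earlier in the thread).
"Set-Item -LiteralPath `"XDHyp:\Connections\EsxLab`" -sslthumbprint `"$thumb`" -hypervisorAddress https://vcenter.example.com"

# On a Delivery Controller, read the live certificate instead of pasting:
# $thumb = Get-RemoteCertificateThumbprint -HostName 'vcenter.example.com'
```

Because the callback accepts whatever certificate is presented, confirm the resulting thumbprint against the certificate shown on the vCenter server itself before setting it on the connection.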

  • 0

I have a situation where just one of my controllers does not accept the vCenter cert. I have replicated the certificate installs but can't get one controller to play nice. Not sure what I am missing. When I run Set-Item on the DDC, I get an error "the supplied credentials for the connection are not valid". I am running PowerShell directly on the controller.

 

  • 0

Hello

I had the same problem: there was only one entry in the table named "HypervisorConnectionSSLThumbprint" in the Site database whereas I had 2 Host Connections created from Studio.

I used the command "Set-Item -Path "XDHyp:\Connections...." and a second entry appeared in the database table with the certificate thumbprint (in capitals).

The problem is now fixed.

 

Thank you

Olivier

  • 0
On 4/21/2020 at 8:40 AM, Jason Fortun said:

I have a situation where just one of my controllers does not accept the vCenter cert. I have replicated the certificate installs but can't get one controller to play nice. Not sure what I am missing. When I run Set-Item on the DDC, I get an error "the supplied credentials for the connection are not valid". I am running PowerShell directly on the controller.

 

 

 

Had the same issue. I did not specify a store when initially installing cert. Even though on subsequent attempt I specified correct store something got messed up... To fix:

 

I had to remove the cert from all stores in both DDCs

Restart Services

Install Certs in PROPER stores 

Restart Services

 

 

 
