Christopher Bogart1709158415 Posted March 6, 2019

I have (2) StoreFront 3.01 servers that have Citrix XML integrated with IIS. I also have (2) Delivery Controller servers.

The SSL cert for the StoreFront servers recently expired. I obtained a new cert and bound it properly in IIS, and it reflects the new expiration date. A new error appeared: "There are no apps or desktops available to you at this time."

In the StoreFront configuration, if I edit the Delivery Controller and change the transport from HTTPS to HTTP, the applications appear. So it's obviously something SSL cert related.

I noted these errors on the StoreFront server. Somehow the 2nd Delivery Controller server is referencing the expired cert. I verified through the Certificates MMC that the new cert is installed.

  An error occurred while attempting to connect to the server SERVER.DOMAIN on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://STOREFRONT-SERVER1:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

  An SSL connection could not be established: The server sent an expired security certificate. The certificate *.DOMAIN.com, *.DOMAIN.com, DOMAIN.com is valid from 3/3/2016 1:31:38 PM until 3/3/2019 9:17:38 AM. This message was reported from the Citrix XML Service at address https://DELIVERY CONTROLLER SERVER#2:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

Thank you in advance for any help.
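The first thing to pin down with an error like "the server sent an expired security certificate" is which certificate the Controller is actually handing out on port 443, independent of what the Certificates MMC shows in the store. The PowerShell below is an added example, not code from this thread or from Citrix: it completes a TLS handshake against a host, deliberately accepting any chain so the certificate is visible even when it is expired, and then reports the thumbprint, validity dates and whether the certificate validates against the trust store of the machine running the probe. The host names are placeholders taken from the thread.

```powershell
# Added example, not from the thread. Shows the certificate a TLS endpoint really presents.
# Run it from a StoreFront server: that is the client whose trust decision is failing here.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($ComputerName, $Port)
        # Accept any chain on purpose: the goal is to SEE the cert, expired or not.
        # The real validation result is reported separately below via Verify().
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Endpoint   = ('{0}:{1}' -f $ComputerName, $Port)
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
            Protocol   = $ssl.SslProtocol
            ChainValid = $cert.Verify()   # chain + expiry check against this machine's trust store
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Usage: probe every Delivery Controller StoreFront talks to (placeholder host names).
'DDC01.DOMAIN.com', 'DDC02.DOMAIN.com' |
    ForEach-Object { Get-PresentedCertificate -ComputerName $_ } |
    Format-Table -AutoSize
```

If the thumbprint reported here differs from the renewed certificate's thumbprint in the Controller's LocalMachine\My store, the problem is the http.sys binding on the Controller, not the certificate install; if the thumbprint matches but ChainValid is false on the StoreFront server, the issuing chain is not trusted there.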
Manoj Rana Posted March 7, 2019

Hi, do you have the IIS role installed on the Controller? If yes, have you replaced the certificate in IIS? Please check the document below.

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/tls.html

Thanks
Manoj
Christopher Bogart1709158415 (Author) Posted March 7, 2019

Yes, the certificates have been replaced in IIS. When I browse to the StoreFront URL, the new SSL cert is seen. However, the StoreFront server has the XML service integrated with IIS. I gather the XML service is still referencing the old SSL cert.
Manoj Rana Posted March 7, 2019

Hi cbogart947, I was talking about the DDC, not the StoreFront. Are your DDC and StoreFront the same server?

Thanks
Manoj
Christopher Bogart1709158415 (Author) Posted March 7, 2019

2 StoreFront servers
2 DDC servers

The 1st DDC server has IIS installed with the newest cert. The 2nd DDC does not have IIS installed. It appears it never had it installed, as no errors were appearing prior to the SSL cert expiring a few days ago.
Manoj Rana Posted March 7, 2019

If the Controller does not have IIS installed, one method of configuring the certificate is described here:

https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/tls.html?_ga=2.253053065.1426384786.1551686933-1623129619.1548660549

Can you try this?
Christopher Bogart1709158415 (Author) Posted March 7, 2019

I just took a look at the logs again on the StoreFront server and I no longer see the message "An SSL connection could not be established: The server sent an expired security certificate". I did a lot of changes yesterday in an attempt to get this working. Maybe one of those resolved the expired cert issue.

Now I just see the error:

  An error occurred while attempting to connect to the server DDC#2.DOMAIN.com on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running.

I'll take a look at the link you provided. Much appreciated.
Christopher Bogart1709158415 (Author) Posted March 7, 2019

So I ran show sslcert on the 2nd DDC server and it shows the same certificate as the 1st DDC server. Is it somehow possible that the cert is not bound to the XML port?

SSL Certificate bindings:
-------------------------

    IP:port                                               : 10.10.10.10:443
    Certificate Hash                                      : 1200000000000000000000000000fa
    Application ID                                        : {532cc722-0000-1234-082c-5678567856e}
    Certificate Store Name                                : (null)
    Verify Client Certificate Revocation                  : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                                           : Enabled
    Revocation Freshness Time                             : 0
    URL Retrieval Timeout                                 : 0
    Ctl Identifier                                        : (null)
    Ctl Store Name                                        : (null)
    DS Mapper Usage                                       : Disabled
    Negotiate Client Certificate                          : Disabled
Manoj Rana Posted March 7, 2019

Is this your old certificate: Certificate Hash : 1200000000000000000000000000fa ?
Christopher Bogart1709158415 (Author) Posted March 7, 2019

The certificate hashes match. For the purpose of forum posting, I put in dummy information.
Manoj Rana Posted March 7, 2019

Can you check this article?

https://www.jgspiers.com/securing-ddc-xml-broker-communication-over-https/

Thanks
Manoj
Christopher Bogart1709158415 (Author) Posted March 7, 2019

I already did. The Certificate Hash and Application ID (Citrix Broker Service) on DDC server #1 and DDC server #2 are identical. Some progress is being made, as the expired cert error no longer appears. Why do I still keep getting the XML errors on both DDC1 and DDC2?

  An error occurred while attempting to connect to the server DDC01.DOMAIN.com on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://DDC01.DOMAIN.com:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

  An error occurred while attempting to connect to the server DDC02.DOMAIN.com on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://DDC02.DOMAIN.com:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.
Manoj Rana Posted March 7, 2019

Try restarting the Broker Service: go to C:\Program Files\Citrix\Broker\Service, right-click BrokerService.exe and select 'Run As Administrator' (this will restart the service).
Manoj Rana Posted March 7, 2019

Also check this post:

https://discussions.citrix.com/topic/361060-storefront-secure-xml-communication-transport-type-https-no-applications/
Christopher Bogart1709158415 (Author) Posted March 7, 2019

> 8 minutes ago, Manoj Rana said:
> Try restarting the Broker Service: go to C:\Program Files\Citrix\Broker\Service, right-click BrokerService.exe and select 'Run As Administrator' (this will restart the service).

No change (I had already rebooted the servers several times), and no luck with the URL.
Manoj Rana Posted March 7, 2019

I am now completely out of ideas. Just one last thing: can you remove your DDCs from StoreFront (one at a time, in case production goes down) under Manage Delivery Controllers and re-add them?
Christopher Bogart1709158415 (Author) Posted March 7, 2019

So I dug a little deeper. On the 2 DDC servers, I ran "wmic product list" and obtained the GUID of the Broker Service. I cross-referenced this GUID with the Application ID listed in the SSL certificate bindings (http show sslcert). They were different, so I suspected that is where the issue lies. I deleted the cert (http delete sslcert ipport=10.10.10.10:443) and re-added it, and it's now working. Thanks.
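The check that resolved the thread (Application ID of the http.sys binding versus the Broker Service product GUID) and the re-binding procedure from the Citrix TLS document linked earlier are both scriptable. The PowerShell below is an added example, not code from this thread or from Citrix. It assumes the Broker Service's Windows Installer entry has a DisplayName starting with "Citrix Broker Service" (the same product code that "wmic product list" prints, read from the Uninstall registry keys instead, because "wmic product" makes Windows Installer re-verify every installed MSI package), that the XML service listens on the ipport you pass, and that the renewed certificate is already in Cert:\LocalMachine\My with the thumbprint you pass. It only applies to a Controller that does not share port 443 with IIS; where IIS owns the port (DDC1 in this thread), the certificate is bound through IIS and this script must not be used to rebind.

```powershell
# Added example, not from the thread. Run elevated on a Controller WITHOUT IIS on the XML port.
# Assumptions: Uninstall DisplayName 'Citrix Broker Service*', renewed cert in LocalMachine\My.

function Get-BrokerServiceProductId {
    # Product code of the Broker Service MSI, as shown by "wmic product list", but read
    # from the registry so Windows Installer does not re-verify every installed package.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    Get-ChildItem $keys -ErrorAction SilentlyContinue |
        Get-ItemProperty |
        Where-Object { $_.DisplayName -like 'Citrix Broker Service*' } |   # assumed display name
        Select-Object -First 1 -ExpandProperty PSChildName                  # key name is the {GUID}
}

function Get-SslCertBinding {
    param([Parameter(Mandatory)][string]$IpPort)
    # netsh prints "Key : value" lines; fold the ones for this ipport into a hashtable.
    $props = @{}
    foreach ($line in (netsh http show sslcert "ipport=$IpPort")) {
        if ($line -match '^\s*(.+?)\s+:\s+(.+?)\s*$') { $props[$matches[1]] = $matches[2] }
    }
    if (-not $props.ContainsKey('Certificate Hash')) { return $null }   # no binding on that ipport
    [pscustomobject]@{
        IpPort   = $IpPort
        CertHash = $props['Certificate Hash']
        AppId    = $props['Application ID']
    }
}

function Repair-XmlServiceBinding {
    param(
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [string]$IpPort = '0.0.0.0:443',
        [switch]$Fix
    )
    $thumb = $ExpectedThumbprint -replace '[^0-9a-fA-F]', ''   # tolerate a pasted thumbprint with spaces
    if (-not (Test-Path "Cert:\LocalMachine\My\$thumb")) {
        throw "No certificate with thumbprint $thumb in LocalMachine\My"
    }
    $appId = Get-BrokerServiceProductId
    if (-not $appId) { throw 'Citrix Broker Service product code not found in the Uninstall keys' }
    $binding = Get-SslCertBinding -IpPort $IpPort

    # String -eq is case-insensitive in PowerShell, so hash and GUID casing do not matter.
    $hashOk = [bool]($binding -and ($binding.CertHash -eq $thumb))
    $appOk  = [bool]($binding -and ($binding.AppId -eq $appId))
    $boundHash = if ($binding) { $binding.CertHash } else { '(none)' }
    $boundApp  = if ($binding) { $binding.AppId }    else { '(none)' }
    Write-Host ("{0}: bound hash {1} (match: {2}); bound appid {3}, broker appid {4} (match: {5})" -f
        $IpPort, $boundHash, $hashOk, $boundApp, $appId, $appOk)

    if ($hashOk -and $appOk) { return }
    if (-not $Fix) { Write-Warning 'Binding is wrong; re-run with -Fix to delete and re-add it.'; return }

    # Same steps the thread ended with: drop the stale binding, re-add with the Broker Service appid.
    if ($binding) { netsh http delete sslcert "ipport=$IpPort" | Out-Null }
    netsh http add sslcert "ipport=$IpPort" "certhash=$thumb" "appid=$appId" certstorename=MY | Out-Null
    Get-SslCertBinding -IpPort $IpPort   # show what http.sys now has
}

# Usage (thumbprint and ipport are placeholders): report first, then fix.
# Repair-XmlServiceBinding -ExpectedThumbprint 'A1B2C3...' -IpPort '10.10.10.10:443'
# Repair-XmlServiceBinding -ExpectedThumbprint 'A1B2C3...' -IpPort '10.10.10.10:443' -Fix
```

The hash-only comparison in the thread is the trap: two Controllers can show the same Certificate Hash while one of them carries an Application ID that does not belong to the Broker Service, and http.sys will then not serve that certificate to the Broker's listener. If StoreFront still reports the XML service as unreachable after a correct rebind, restart the Citrix Broker Service as suggested earlier in the thread and re-check with netsh.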
Manoj Rana Posted March 8, 2019

Hi, that's good stuff. At least it is working now.

Thanks
Manoj