Posted March 6, 2019
I have (2) StoreFront 3.01 servers that have Citrix XML integrated with IIS. I also have (2) Delivery Controller servers. The SSL cert for the StoreFront servers recently expired. I obtained a new cert and bound it properly in IIS, and it reflects the new expiration date.

New error appeared: "There are no apps or desktops available to you at this time."

In the StoreFront configuration, if I edit the Delivery Controller and change the transport from HTTPS to HTTP, the applications appear. So it's obviously something SSL cert related.

I noted these errors on the StoreFront server. Somehow the 2nd Delivery Controller server is referencing the expired cert. I verified through the Certificates MMC that the new cert is installed.

An error occurred while attempting to connect to the server SERVER.DOMAIN on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://STOREFRONT-SERVER1:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

An SSL connection could not be established: The server sent an expired security certificate. The certificate *.DOMAIN.com, *.DOMAIN.com, DOMAIN.com is valid from 3/3/2016 1:31:38 PM until 3/3/2019 9:17:38 AM.. This message was reported from the Citrix XML Service at address https://DELIVERY CONTROLER SERVER#2:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

Thank you in advance for any help.
March 7, 2019
Hi, do you have the IIS role installed on the Controller? If yes, have you replaced the certificate in IIS? Please check the document below.
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/tls.html
Thanks
Manoj
March 7, 2019 (Author)
Yes, the certificates have been replaced in IIS. When I browse to the StoreFront URL, the new SSL cert is seen. However, the StoreFront server has the XML service integrated with IIS. I gather the XML service is still referencing the old SSL cert.
March 7, 2019
Hi cbogart947, I was talking about the DDC, not the StoreFront. Are your DDC and StoreFront the same server?
Thanks
Manoj
March 7, 2019 (Author)
2 StoreFront servers, 2 DDC servers. The 1st DDC server has IIS installed with the newest cert. The 2nd DDC does not have IIS installed. It appears it never had it installed, as no errors were appearing prior to the SSL cert expiring a few days ago.
March 7, 2019
If the Controller does not have IIS installed, one method of configuring the certificate is:
https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/tls.html?_ga=2.253053065.1426384786.1551686933-1623129619.1548660549
Can you try this?
March 7, 2019 (Author)
I just took a look at the logs again on the StoreFront server and I no longer see the message "An SSL connection could not be established: The server sent an expired security certificate". I did a lot of changes yesterday in an attempt to get this working. Maybe one of those resolved the expired cert issue. Now I just see the error:

An error occurred while attempting to connect to the server DDC#2.DOMAIN.com on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running

I'll take a look at the link you provided. Much appreciated.
March 7, 2019 (Author)
So I ran show sslcert on the 2nd DDC server and it shows the same certificate as the 1st DDC server. Is it somehow possible that the cert is not bound to the XML port?

SSL Certificate bindings:
-------------------------
IP:port : 10.10.10.10:443
Certificate Hash : 1200000000000000000000000000fa
Application ID : {532cc722-0000-1234-082c-5678567856e}
Certificate Store Name : (null)
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
March 7, 2019 (Author)
The certificate hashes match. For the purpose of forum posting, I put in dummy information.
March 7, 2019
Can you check this article?
https://www.jgspiers.com/securing-ddc-xml-broker-communication-over-https/
Thanks
Manoj
March 7, 2019 (Author)
I already did. The certificate hash and application ID (Citrix Broker Service) on DDC server #1 and DDC server #2 are identical. Some progress is being made, as the expired cert error no longer appears. Why do I still keep getting the XML errors on both DDC1 and DDC2?

An error occurred while attempting to connect to the server DDC01.DOMAIN.com on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://DDC01.DOMAIN.com:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

An error occurred while attempting to connect to the server DDC02.DOMAIN.com on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://DDC02.DOMAIN.com:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.
March 7, 2019
Try restarting the Broker Service: go to C:\Program Files\Citrix\Broker\Service, then right-click BrokerService.exe and select 'Run As Administrator' (this will restart the service).
March 7, 2019
Also check this post:
https://discussions.citrix.com/topic/361060-storefront-secure-xml-communication-transport-type-https-no-applications/
March 7, 2019 (Author)
8 minutes ago, Manoj Rana said: "Try restarting the Broker Service: go to C:\Program Files\Citrix\Broker\Service, then right-click BrokerService.exe and select 'Run As Administrator' (this will restart the service)."

No change (I had already rebooted the servers several times) and no luck with the URL.
March 7, 2019
I am now completely out of ideas. Just one last thing: can you remove your DDCs from StoreFront (one at a time, in case production goes down) under Manage Delivery Controllers and re-add them?
March 7, 2019 (Author)
So I dug a little deeper. On the 2 DDC servers, I ran "wmic product list" and obtained the GUID of the Broker Service. I cross-referenced this GUID with the Application ID listed in the SSL certificate bindings (http show sslcert). They were different, so I suspected that is where the issue lies. I deleted the cert (http delete sslcert ipport=10.10.10.10:443) and re-added it, and it's now working. Thanks.
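The check the thread arrives at by hand (does the HTTP.sys binding on 443 point at the current certificate, and does its Application ID match the Broker Service product GUID?) can be scripted so it is run before a certificate renewal rather than after the apps disappear. The script below is an added example written for this thread, not code from Citrix or from the poster. It assumes the binding address 10.10.10.10:443 from the thread, that the Broker Service's MSI product code shows up under the Uninstall registry keys with a DisplayName containing "Citrix Broker Service" (the thread used "wmic product list", which reads the same installer data), and that the machine store is LocalMachine\My. It only reads; the delete/add commands the poster used are left as comments to run manually once the values are confirmed.

```powershell
# Added example (not from the thread or from Citrix): verify the HTTP.sys SSL binding
# that the Citrix XML/Broker service uses on a DDC without IIS.
# Assumptions: binding address 10.10.10.10:443 (from the thread); Broker Service
# DisplayName contains "Citrix Broker Service" in the Uninstall registry keys.
param(
    [string]$IpPort = '10.10.10.10:443',
    [string]$BrokerDisplayName = 'Citrix Broker Service'
)

# 1. Read the binding from HTTP.sys, the same data the poster inspected with
#    "netsh http show sslcert", and parse the "Name : Value" lines into a hashtable.
$binding = @{}
foreach ($line in (netsh http show sslcert ipport=$IpPort)) {
    $parts = $line -split '\s+:\s+', 2
    if ($parts.Count -eq 2) { $binding[$parts[0].Trim()] = $parts[1].Trim() }
}
if (-not $binding['Certificate Hash']) {
    Write-Warning "No SSL binding found for $IpPort; the XML service cannot serve HTTPS here."
    return
}
$boundHash  = $binding['Certificate Hash']
$boundAppId = $binding['Application ID'].Trim('{}')

# 2. Resolve the bound thumbprint to a certificate in the machine store and check expiry.
#    An expired cert here produces exactly the "server sent an expired security
#    certificate" message StoreFront logged in the thread.
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -ieq $boundHash }
if (-not $cert) {
    Write-Warning "Bound thumbprint $boundHash is not present in LocalMachine\My."
} elseif ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning "Bound certificate '$($cert.Subject)' expired on $($cert.NotAfter)."
} else {
    Write-Output "Bound certificate '$($cert.Subject)' is valid until $($cert.NotAfter)."
}

# 3. Find the Broker Service product code. MSI products are listed under the Uninstall
#    keys with the product GUID as the key name (PSChildName); this mirrors what
#    "wmic product list" returns but without the slow Win32_Product query.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$broker = Get-ChildItem -Path $uninstallKeys -ErrorAction SilentlyContinue |
          Get-ItemProperty |
          Where-Object { $_.DisplayName -like "*$BrokerDisplayName*" } |
          Select-Object -First 1
if (-not $broker) {
    Write-Warning "No installed product matching '$BrokerDisplayName' was found."
    return
}
$brokerGuid = $broker.PSChildName.Trim('{}')

# 4. Compare: the binding's Application ID must be the Broker Service product GUID,
#    otherwise HTTP.sys will not hand the listener on 443 to the Broker Service and
#    StoreFront sees "could not be contacted" even though the certificate is fine.
if ($boundAppId -ieq $brokerGuid) {
    Write-Output "Binding Application ID {$boundAppId} matches the Broker Service product GUID."
} else {
    Write-Warning ("Binding Application ID {{{0}}} does not match Broker Service GUID {{{1}}}." -f $boundAppId, $brokerGuid)
    Write-Output  "Remediation used in the thread (run manually after confirming the values above):"
    Write-Output  "  netsh http delete sslcert ipport=$IpPort"
    Write-Output  "  netsh http add sslcert ipport=$IpPort certhash=<new thumbprint> appid=`"{$brokerGuid}`""
}
```

Run it in an elevated PowerShell on each DDC; "netsh http show sslcert" needs administrator rights to enumerate bindings. The check is worth keeping as part of the renewal runbook: renewing the certificate in the store does not update the HTTP.sys binding, so the hash and the Application ID both have to be re-verified after every renewal, and a mismatched Application ID fails in a way that looks like a certificate problem while the certificate itself is valid.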