SSL cert renewal issue


Posted

I have (2) Storefront 3.01 servers that have Citrix XML integrated with IIS.
I also have (2) Delivery Controller servers.
The SSL cert for the Storefront servers recently expired. I obtained a new cert and bound it properly in IIS, and it reflects the new expiration date.
New error appeared: There are no apps or desktops available to you at this time.
In the Storefront configuration, if I edit the delivery controller and change the Transport from HTTPS to HTTP, the applications appear. So it's obviously something SSL cert related.

I noted these errors on the Storefront server. Somehow the 2nd Delivery controller server is referencing the expired cert. I verified through Certificates MMC that the new cert is installed.

 

An error occurred while attempting to connect to the server SERVER.DOMAIN on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://STOREFRONT-SERVER1:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

 

An SSL connection could not be established: The server sent an expired security certificate. The certificate *.DOMAIN.com, *.DOMAIN.com, DOMAIN.com is valid from 3/3/2016 1:31:38 PM until 3/3/2019 9:17:38 AM.. This message was reported from the Citrix XML Service at address https://DELIVERY CONTROLER SERVER#2:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

 

Thank you in advance for any help

Posted

I just took a look at the logs again on the storefront server and I no longer see the message "An SSL connection could not be established: The server sent an expired security certificate"

I did a lot of changes yesterday in an attempt to get this working. Maybe one of those resolved the expired cert issue.

 

Now I just see the error:  An error occurred while attempting to connect to the server DDC#2.DOMAIN.com on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running

 

I'll take a look at the link you provided.

 

Much appreciated.

Posted

So I ran show sslcert on the 2nd DDC server and it shows the same certificate as the 1st DDC server

Is it somehow possible that the cert is not bound to the XML port?

SSL Certificate bindings:
-------------------------

    IP:port                      : 10.10.10.10:443
    Certificate Hash             : 1200000000000000000000000000fa
    Application ID               : {532cc722-0000-1234-082c-5678567856e}
    Certificate Store Name       : (null)
    Verify Client Certificate Revocation : Enabled
    Verify Revocation Using Cached Client Certificate Only : Disabled
    Usage Check                  : Enabled
    Revocation Freshness Time    : 0
    URL Retrieval Timeout        : 0
    Ctl Identifier               : (null)
    Ctl Store Name               : (null)
    DS Mapper Usage              : Disabled
    Negotiate Client Certificate : Disabled


 

Posted

I already did. The Certificate hash and application ID (citrix broker service) on DDC server #1 & DDC server #2 are identical.

Some progress is being made as the expired cert error no longer appears.

Why do I still keep getting the XML errors on both DDC1 & DDC2?

 

An error occurred while attempting to connect to the server DDC01.DOMAIN.com on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://DDC01.DOMAIN.com:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

 

An error occurred while attempting to connect to the server DDC02.DOMAIN.com on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://DDC02.DOMAIN.com:443/scripts/wpnbr.dll. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services.

 

Posted

tried to restart the Broker Service C:\Program Files\Citrix\Broker\Service and then right-click the BrokerService.exe and select 'Run As Administrator' (This will restart the service).

Posted
8 minutes ago, Manoj Rana said:

tried to restart the Broker Service C:\Program Files\Citrix\Broker\Service and then right-click the BrokerService.exe and select 'Run As Administrator' (This will restart the service).

No change (I had already rebooted the servers several times) and no luck on the URL.

Posted

I am completely out of ideas now.

Just one last thing: you can remove your DDCs from Storefront (one at a time, in case production goes down) from Manage Delivery Controllers and re-add them.

Posted

So I dug a little deeper..

 

On the 2 DDC servers, I ran "wmic product list" and obtained the GUID of the Broker service.

I cross-referenced this GUID with the application ID listed in the SSL certificate bindings (http show sslcert). They were different, so I suspected that is where the issue lies.

 

I deleted the cert (http delete sslcert ipport=10.10.10.10:443) and re-added it, and it's now working.

Thanks.
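
The check described in the last post, as an added PowerShell example that is not part of the original thread: it parses `netsh http show sslcert`, looks up each bound certificate's expiry, and compares the binding's Application ID with the Broker Service GUID. The product name pattern and the use of the LocalMachine\My store are assumptions; the commented rebind commands use placeholders.

```powershell
# Added example, not from the thread. Run elevated on each Delivery Controller.
# Assumption: the Broker's MSI product name matches this pattern.
$ProductName = 'Citrix Broker Service*'

function ConvertFrom-NetshSslCert {
    # Turn "netsh http show sslcert" text into one object per binding.
    param([string[]]$Lines)
    $binding = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s+(.+?)\s+:\s+(.*)$') {
            $key = $Matches[1]
            $value = $Matches[2].Trim()
            if ($key -match ':port$') {   # "IP:port" / "Hostname:port" opens a new binding
                if ($binding) { [pscustomobject]$binding }
                $binding = [ordered]@{ Endpoint = $value; Thumbprint = ''; AppId = '' }
            } elseif ($binding -and $key -eq 'Certificate Hash') {
                $binding['Thumbprint'] = $value.ToUpper()
            } elseif ($binding -and $key -eq 'Application ID') {
                $binding['AppId'] = $value.Trim('{}').ToLower()
            }
        }
    }
    if ($binding) { [pscustomobject]$binding }
}

# Win32_Product is the same data "wmic product list" reads; the query is slow.
$broker = Get-CimInstance -ClassName Win32_Product |
    Where-Object { $_.Name -like $ProductName } | Select-Object -First 1
$brokerGuid = "$($broker.IdentifyingNumber)".Trim('{}').ToLower()

ConvertFrom-NetshSslCert -Lines (netsh http show sslcert) | ForEach-Object {
    $cert = if ($_.Thumbprint) {
        Get-Item -Path "Cert:\LocalMachine\My\$($_.Thumbprint)" -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Endpoint      = $_.Endpoint
        Thumbprint    = $_.Thumbprint
        CertNotAfter  = if ($cert) { $cert.NotAfter } else { 'not in LocalMachine\My' }
        CertExpired   = [bool]($cert -and $cert.NotAfter -lt (Get-Date))
        AppIdIsBroker = [bool]($brokerGuid -and $_.AppId -eq $brokerGuid)
    }
} | Format-Table -AutoSize

# Rebind a row that shows CertExpired or a wrong AppId (placeholders, not real values):
#   netsh http delete sslcert ipport=<IP:port>
#   netsh http add sslcert ipport=<IP:port> certhash=<thumbprint> appid='{<broker GUID>}'
```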

 

Archived

This topic is now archived and is closed to further replies.
