Cert update in IIS on StoreFront server


Steve Krumroy

Our SSL cert recently came up for renewal, so we renewed that with Thawte for another 2 years and were successful in updating it (i.e. not removing and re-adding it) on our NetScaler VPX.  However, there seem to be some issues with it in IIS on our StoreFront server.  Since IIS 8 has issues with updating existing certs, we were advised to submit a CSR from each of our 2 StoreFront servers to Thawte, and they would reissue certs for us to install for each of those.  The process seemed to go well without any issues, but later that day, we started noticing events in Event Viewer on our StoreFront servers that they could no longer reach the XML service on our DDCs.  Is there a step we missed with updating these certs where we will also need to get those updated somehow on our Delivery Controllers?

 

Note that though we do have IIS installed on our Delivery Controllers, to my knowledge, we never have had any certs installed on those.  Also, this is the first go-round with renewing certs, so this is all new to us.


In StoreFront Console, click your Store, on the bottom right is Manage Delivery Controllers. Edit each one. Is the Transport Protocol set to HTTPS? If so, then those Delivery Controllers have certificates. With IIS, you just add the https binding to the Default Web Site.


23 hours ago, Carl Stalhood1709151912 said:

In StoreFront Console, click your Store, on the bottom right is Manage Delivery Controllers. Edit each one. Is the Transport Protocol set to HTTPS? If so, then those Delivery Controllers have certificates. With IIS, you just add the https binding to the Default Web Site.

 

Thanks, Carl!

 

In your opinion, could updating this cert on our StoreFront server (i.e. in IIS) cause errors like this with a connection to an outside Delivery Controller?

 

"An error occurred while attempting to connect to the server essctxxac102v.*******.org on port 443. Verify that the Citrix XML Service is running and is using the correct port. If the XML Service is configured to share ports with Microsoft Internet Information Services (IIS), verify that IIS is running. This message was reported from the XML Service at address https://essctxxac102v.*******.org:443/scripts/wpnbr.dll[UnknownRequest]. The specified Citrix XML Service could not be contacted and has been temporarily removed from the list of active services."

 

(Note: domain partially obfuscated in the above for security/privacy.)

 

When we updated our cert, we ran for about 3 hours, then started seeing these events in the Windows event log on the StoreFront server popping up every few minutes.  The server essctxxac102v.********.org is a remote site that we connect to for some additional applications that they deliver to our desktops.  Up until the day we updated the cert, those apps were delivered to our users' desktops and they could launch without issue, and there were none of these events in the event log.  About 3 hours after the cert update, we started seeing these events, and as users tried to launch the apps, they started seeing Citrix disconnect/reconnect issues (via Receiver).  I don't normally like to jump to conclusions and link things like this, but the timing of the issues seems awfully coincidental.  It's entirely possible we're dealing with two separate issues here though.

 

Would us updating the cert on our StoreFront servers necessarily mean that the remote provider that's connected/publishing to our StoreFront would need to update something on their side as well?

 

Also, be aware that we've thoroughly tested our network and firewall internally, and this is definitely not a lower-layer network issue internal to our network in terms of the disconnects/reconnects.  And we just aren't seeing any other issues outside of these apps that are being delivered to us by the outside provider - everything else inside our network is working just fine.  I can't speak to the outside provider's network and/or Delivery Controllers though.


On StoreFront server, if you open IE and paste in the https://essctxxac102v.*******.org:443/scripts/wpnbr.dll, does it connect without certificate error? If you have access to that server, check its event viewer for any brokering issues.

 

Changing a StoreFront certificate won't cause any problems.

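The browser check suggested above, split into a TCP stage and a TLS stage so that a plain connection failure can be told apart from a certificate error. This is an added example, not part of the original thread and not a Citrix tool; the function name `Test-XmlServiceTls` and the host `ddc.example.org` are hypothetical.

```powershell
# Added example: hypothetical helper, not from the thread and not a Citrix tool.
function Test-XmlServiceTls {
    param(
        [Parameter(Mandatory)][string]$HostName,  # FQDN as entered under Manage Delivery Controllers
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $result = [ordered]@{
        Host = $HostName; Port = $Port; TcpConnected = $false; TlsHandshake = $false
        PolicyErrors = $null; Subject = $null; Issuer = $null; NotAfter = $null; Error = $null
    }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Stage 1: plain TCP. Failure here means routing, firewall or no listener, not certificates.
        $connect = $client.ConnectAsync($HostName, $Port)
        if (-not $connect.Wait($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
        $result.TcpConnected = $true

        # Stage 2: TLS handshake. The callback only records what validation found; it returns
        # $true so the handshake completes and the certificate can be inspected. No data is sent.
        $state = @{ Errors = $null }
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
            param($s, $cert, $chain, $policyErrors)
            $state.Errors = $policyErrors
            $true
        }.GetNewClosure())
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)  # the name is also matched against the certificate
        $result.TlsHandshake = $true
        $result.PolicyErrors = [string]$state.Errors  # "None" means trusted chain and matching name

        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $presented.Subject
        $result.Issuer   = $presented.Issuer
        $result.NotAfter = $presented.NotAfter
    } catch {
        $result.Error = $_.Exception.GetBaseException().Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject]$result
}

# ddc.example.org is a placeholder; run this on the StoreFront server.
Test-XmlServiceTls -HostName 'ddc.example.org'
```

`TcpConnected = False` points at the network path or the listener on the remote side. `TcpConnected = True` with `TlsHandshake = False`, or with `PolicyErrors` other than `None`, points at the HTTPS binding or the certificate presented by the Delivery Controller.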

16 minutes ago, Carl Stalhood1709151912 said:

On StoreFront server, if you open IE and paste in the https://essctxxac102v.*******.org:443/scripts/wpnbr.dll, does it connect without certificate error? If you have access to that server, check its event viewer for any brokering issues.

 

Changing a StoreFront certificate won't cause any problems.

 

It does not - the browser says 'Page cannot be displayed'.  So since we're not looking at a cert issue here, I assume this must be a connectivity issue to the outside provider's servers then?  And do the Receiver disconnects/reconnects make sense in this case?


Hi skrunro808

 

Who built your Citrix farm for you? An external consultant/company?

It looks like you do have an SSL cert on your Delivery Controllers, or at least the StoreFront servers are trying to talk to the XML service via HTTPS.

See https://docs.citrix.com/en-us/citrix-virtual-apps-desktops/secure/tls.html for info on how to configure an SSL cert for the XML service.

You say "I assume this must be a connectivity issue to the outside provider's servers then?" - does that mean that the Delivery Controllers are not in your network or not in your domain?

If that's the case, it may be useful to give some detailed information on how your Citrix farm is structured.

 

Regards

 

Ken Z
