Solved

Citrix Xendesktop 7.1 cannot connect to VMware vSphere 5.5 due to ssl certificate error

Posted on 2013-12-27
Last Modified: 2014-02-26
Hello Experts,

Could you please help me with an SSL certificate connection issue between Citrix XenDesktop Studio and the VMware vSphere server.

Let me give you more info on what I've done so far to make it more understandable: I'm using VMware Workstation 7 to set up my own home virtual environment. I've set up two DCs and one member server with Windows Server 2008 R2 SP1, one Win 7 Pro client, one DDC (desktop delivery controller) with Citrix Xendesktop 7.1 30-days trial version and one VM with VMware vSphere 5.5 30-days trial. I've successfully installed all of the Xendesktop 7.1 components (Xendesktop, licence server, SQL server, desktop director, desktop studio) on the same server and named it DDC. I've also successfully installed VMware vSphere 5.5 on another VM. When I started setting up and deploying desktop studio I was prompted for host address, username and password, so I put in https://ip address of the vSphere server (taken from the vSphere server itself) and username: root and root's password (these logon credentials are exactly the same as those that I'd set up when I was installing the vSphere server) and I kept getting an SSL certificate connection error message (see the screen shot) and I couldn't establish an SSL connection between Xendesktop Studio (DDC) and my VMware vSphere infrastructure due to the unknown VMware vSphere SSL certificate. I did try importing and installing the VMware SSL certificate from the DDC: I clicked on ''View Certificate'' and imported it successfully into DDC's Certificate Store\Trusted People\Local Computer, but still no luck, as I kept getting this SSL connection error message.
I did try exporting the SSL certificate directly from the vSphere server but I couldn't find any options for that, as I don't have experience in vSphere and am also not familiar with vSphere's management interface. I don't know how to launch any vClient web interface either from the vSphere server or from the DDC.

Could you please help me or give me any advice on how to resolve this SSL certificate connection issue to get Xendesktop Studio connected to the vSphere host infrastructure, and how to launch the vCenter web client to get access to the vSphere server remotely.

Thank you in advance.
SSL-Certificate.docx
Question by:nasolsi
31 Comments
 
LVL 16

Expert Comment

by:Nyaema
ID: 39741699
vCenter needs to be a trusted root CA. Please follow the steps in install vcenter certificate on broker
0
 

Author Comment

by:nasolsi
ID: 39741724
Hi Nyaema,

Thank you for your reply.

I've got one more question regarding the solution you gave me:

''Unfortunately this does not work in all cases. But luckily there is another option to make it work:

1. Connect to your vCenter server and browse to "C:\ProgramData\VMware\VMware VirtualCenter\SSL"'' - how can I find VMware's SSL certificate? From my PC itself, where the VMware Workstation installation files are, by going to C:\ProgramFiles\VMware\VMware VirtualCenter\SSL, or do I need to do it from the VM where vSphere is installed?

The reason why I've asked you this question is that I don't know how to connect remotely to vSphere server and what commands need to be run on vSphere server itself because I'm not familiar with vSphere management interface.

Thank you in advance.
0
 
LVL 119
ID: 39741742
You need to alter files on the VMware vSphere vCenter Server.

So you would need to connect to the server via RDP, and then stop the vCenter Service, and replace those files.

It's covered in detail in this document

VMware KB: Implementing CA signed SSL certificates with vSphere
0
 
LVL 16

Expert Comment

by:Nyaema
ID: 39741836
follow the instructions for browser and just enter https://ipaddress instead of hostname
and import the certificate.  This is the self signed certificate.
0
 

Author Comment

by:nasolsi
ID: 39742050
I've done exactly the same thing and it didn't work.
0
 
LVL 119
ID: 39742069
You have followed all the instructions, and have a CA Root Signed Certificate ?

Did you generate a Certificate Request, using OpenSSL ?

see my EE Article, Step by Step Tutorial Instructions with Screenshots

Part 12: HOW TO: Configure and Replace the SSL Certificate on a VMware vSphere Hypervisor 5.1 (ESXi 5.1) Host Server

this is for the ESXi server, but VMware vCenter Server generation is the same, just use its IP Address and FQDN.
0
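Why a connection made to https://ip address can still be refused after the certificate has been imported, and what the advice above to generate the certificate for both the IP address and the FQDN changes, shown as an added example that is not part of any post in this thread. It assumes OpenSSL 1.1.1 or later on any Unix-like shell; the host name, address and certificate labels are constructed lab values.

```shell
#!/bin/sh
# Added example. HOST and IP are constructed lab values, not from the thread.
HOST=vcenter.lab.example
IP=192.0.2.10
WORK=$(mktemp -d)

# make_cert <label> <subjectAltName>: throwaway self-signed certificate.
# The CN is only a label; name matching below uses the SAN entries.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# client_accepts <trusted-label> <server-label> host|ip <name>
# Mimics a TLS client: the server certificate must chain to the trusted
# certificate AND cover the name or address the client connected to.
client_accepts() {
    case $3 in
        host) flag=-verify_hostname ;;
        ip)   flag=-verify_ip ;;
        *)    echo "usage error"; return 2 ;;
    esac
    if openssl verify -CAfile "$WORK/$1.pem" "$flag" "$4" \
        "$WORK/$2.pem" >/dev/null 2>&1
    then echo accepted
    else echo rejected
    fi
}

make_cert fqdn-only   "DNS:$HOST"          # certificate naming only the FQDN
make_cert fqdn-and-ip "DNS:$HOST,IP:$IP"   # certificate naming FQDN and IP

# Certificate imported as trusted, client connects by name.
echo "imported, by name:     $(client_accepts fqdn-only fqdn-only host "$HOST")"
# Same trusted certificate, client connects by IP: name check fails.
echo "imported, by IP:       $(client_accepts fqdn-only fqdn-only ip "$IP")"
# Name is right, but a different certificate is in the trust store.
echo "not imported, by name: $(client_accepts fqdn-and-ip fqdn-only host "$HOST")"
# Certificate lists the IP as well and is trusted.
echo "IP in SAN, by IP:      $(client_accepts fqdn-and-ip fqdn-and-ip ip "$IP")"
```

Trust and name matching are separate checks, so importing the certificate into more stores does not help when the address typed into the connection dialog is not one of the names in the certificate.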
 

Author Comment

by:nasolsi
ID: 39743689
Thank you to all of you for your help.

I keep getting this ssl error message.

What I've done so far: managed to install vSphere web client and I can now manage to log into vSphere host, I've also enabled ssh service and I can now log on and manage vSphere host through putty.

Could you please give me advice on how to change the vSphere host SSL certificate through vSphere web client and/or putty.

Thank you in advance
0
 

Author Comment

by:nasolsi
ID: 39743712
Hello again,

I've also found this citrix article:

Replace the default XenServer SSL certificate
Updated: 2012-08-23

Citrix recommends using HTTPS to secure communication between XenDesktop and XenServer. To use HTTPS you must replace the default SSL certificate installed with XenServer with one from a trusted certificate authority:

1. Modify /etc/pki/tls/openssl.cnf as follows:
a. Request extensions by uncommenting the following line:
req_extensions = v3_req
b. Modify the section for requested sections to read as follows:
[v3_req]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment
extendedKeyUsage = serverAuth
2. Generate a certificate request:
openssl genrsa -out [servername].private 2048
openssl req -new -outform PEM -out [servername].request -keyform PEM -key [servername].private -days 365
where [servername] is the name of the XenServer host. This generates a request for a 1 year (365 day) certificate in the file called [servername].request.
3. Have the certificate request contained in [server name].request signed by a certificate authority. This can be either a commercial certificate authority or an internal corporate certificate authority such as Microsoft Certificate Services.
4. After the new certificate has been signed, move the existing certificate:
mv /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem_orig
5. Add the new signed certificate to the XenServer host and tighten the access rights:
cat [servername].public [servername].private > [servername].pem
install -m 0400 [servername].pem /etc/xensource/xapi-ssl.pem
6. Edit the file /etc/init.d/xapissl, using the line:
PEMFILE="/etc/ssl/certs/[servername].pem"
7. Restart the XenServer communications service by entering the following command:
/etc/init.d/xapissl restart
If you are using a private certificate authority you may need to install your root certificate on the controller.

Install a certificate on the controller
1. Locate the root certificate file in Windows Explorer.
2. Right-click the root certificate file and select Install Certificate. The Certificate Manager Install Wizard appears.
3. On the Welcome page, click Next.
4. On the Certificate Store page, select Place all certificates in the following store.
5. Click Browse.
6. Select Show physical stores.
7. Expand Trusted Root Certification Authorities, then select Local Computer.
8. Select Local Computer.
9. Click OK.
10. Follow the instructions in the wizard to complete the install.

Do I need to use cmd to modify xendesktop server ssl certificate and where to find /etc/pki/tls/openssl.cnf directory?
0
 

Author Comment

by:nasolsi
ID: 39743733
Could you please have a look at the screen shot about Desktop Studio connection logon credentials to vSphere.

If they are not correct, could you please type in the correct logon credentials.
Studio-Connection.JPG
0
 

Author Comment

by:nasolsi
ID: 39743811
Hello experts,

I did follow the steps from the following citrix article: http://support.citrix.com/article/CTX138640 about replacing “httpsWithRedirect” with “httpAndHttps” but I couldn't see  the content of the proxy.xml file to make the change.
Here is my putty's outcome:

login as: root
Using keyboard-interactive authentication.
Password:
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
~ # cd etc/vmware
/etc/vmware # find /etc|grep proxy
/etc/init.d/rhttpproxy
/etc/vmware/hostd/proxy.xml
/etc/vmware/rhttpproxy
/etc/vmware/rhttpproxy/endpoints.conf
/etc/vmware/rhttpproxy/default-config.xml
/etc/vmware/rhttpproxy/config.xml
/etc/vmsyslog.conf.d/rhttpproxy.conf
/etc/vmware # vi proxy.xml

~
~
~
- proxy.xml 1/1 100%



What am I doing wrong?
Why am I not able to see the content of the proxy.xml file and make any change?

Could you please provide me with correct commands to be able to see the content of the proxy.xml file and make any changes.

I'm really sorry for all these issues but I don't have any experience in Citrix and VMware and just want to get a bit more experience in these technologies.

Thank you in advance.
0
 
LVL 119
ID: 39743850
the instructions you are following are possibly for ESX and not ESXi (which is the server and product you have!).

They are different products.
0
 

Author Comment

by:nasolsi
ID: 39743887
Hi Andrew,

I'm using VMware ESXi 5.5.0.

Could you please provide me the correct instructions for VMware ESXi 5.5.0.

Thank you in advance
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39743980
Forgive me if this is repeated information as I've only scan read through the other answers (it's been a long day) but there are step by step instructions here:

http://blogs.citrix.com/2013/12/18/using-the-default-vmware-vcenter-server-certificate-in-xendesktop-pocs/
0
 

Author Comment

by:nasolsi
ID: 39744540
Hi Tony1044,

Thank you for your response.

I did install vSphere's SSL certificate a few times into Trusted People\Local Computer, Trusted Root Certification Authorities, Personal, Trusted Publisher, Intermediate Certification Authorities and still no luck.

Regarding your instructions I've got one question:
''Unfortunately this does not work in all cases. But luckily there is another option to make it work:
1. Connect to your vCenter server and browse to „C:\ProgramData\VMware\VMware VirtualCenter\SSL“
2. Copy the cacert.pem file to your XenDesktop Broker (to the C:\Temp directory for example)'' - how to browse to vSphere host and get access to C:\ProgramData\VMware\VMware VirtualCenter\SSL? And how to copy the cacert.pem file to XenDesktop Broker? The reason why I'm asking you all these questions is that I'm able to get access to vSphere hypervisor either through vSphere web client installed on DDC or ssh access through putty from DDC.
I couldn't find any option within vSphere web client to browse to "C:\ProgramData\VMware\VMware VirtualCenter\SSL" or to export the SSL certificate from vSphere hypervisor. There is an option only to import a certificate.

Could you please help me because I spent 3 days trying to solve this SSL connection issue and my XenDesktop 7.1 30-day trial copy is running out, and I haven't yet done any practice.

Thank you in advance.
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39744578
Two options to get to that path - either browse to \\vcenter server name\c$\ProgramData\VMware\VMware VirtualCenter\SSL

Or RDP / log into the vcenter server and browse to that folder then copy it to a share you can access from both the vcenter server and the Citrix server. Or copy to a pen drive etc.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39746419
Actually in VMware Workstation can't you copy files from the host to guest VM's???
0
 

Author Comment

by:nasolsi
ID: 39746965
hello,

I couldn't establish rdp to vSphere host.
How can I enable rdp on vSphere?

I've enabled ssh and got access to vSphere through putty.
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39747100
Not the vSphere host - the vCenter server.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39747102
log into the VM, right-click Computer -> Properties -> Remote and allow remote connections to the computer
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39747109
Also check out the following link on how to share files between the host and guest vm's..

http://pubs.vmware.com/workstation-10/index.jsp?topic=%2Fcom.vmware.ws.using.doc%2FGUID-D6D9A5FD-7F5F-4C95-AFAB-EDE9335F5562.html
0
 

Author Comment

by:nasolsi
ID: 39748270
Hello Tony1044,

I found the certificate in \\vcenter server name\c$\ProgramData\VMware\VMware VirtualCenter\SSL and copied to the folder that is shared with other vm's.
I've installed it already and will give it a test today, and let you know.

Thanks a lot for your help.
0
 
LVL 8

Expert Comment

by:piyushranusri
ID: 39750825
I will ask you to please raise a call with the VMware support team; I saw lots of users are facing this issue and the only solution is that 5.5 has this bug feature.
In EE, users are also reporting this issue.

please share the output.
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39750872
piyushranusri - what issue are other users seeing? Could you provide links?

The OP simply wanted guidance on how to get to the vCenter certificate at this point in time - not sure what you are suggesting is the issue, hence some details would be helpful.
0
 
LVL 19

Accepted Solution

by:
compdigit44 earned 400 total points
ID: 39751338
Actually according to the following link Citrix doesn't look like they are supporting XenDesktop 7.1 on vSphere 5.5 yet..

http://support.citrix.com/servlet/KbServlet/download/29061-102-707409/CTX131239_XD_Supported%20Hypervisors_2013.pdf

As a test try to install vSphere 5.1 and see if you are able to connect your XenDesktop 7.1 DDC to the ESXi 5.1 server
0
 

Author Comment

by:nasolsi
ID: 39751352
Hello Tony1044,

Just to let you know that this didn't work again. I kept getting the same SSL connection error message.
I'll give up on trying to integrate XenDesktop 7.1 with VMware vSphere as host hypervisor.
I was looking for any other solution on how to build up my own Citrix environment for training and found an article on how to deploy XenDesktop 7.1 using the XenDesktop Service Template for System Center Virtual Machine Manager 2008 R2.
I've successfully installed System Center Virtual Machine Manager 2008 R2 on my member server with Windows Server 2008 R2 but couldn't deploy XenDesktop 7.1 with System Center Virtual Machine Manager 2008 R2 because of an unknown database path. I've installed SQL Server 2005 SP3 that was included in the System Center Virtual Machine Manager 2008 R2 installation files, and when I was prompted for the database path I wasn't able to provide the correct database path because I didn't know where to find it and I'm not an SQL professional. So I came up with the solution to deploy XenDesktop 7.1 with System Center Virtual Machine Manager 2008 R2 using the already configured XenDesktop Service Template for System Center Virtual Machine Manager 2008 R2.
I hope this is going to work.
I'll let you know the result and reward you points.

Thank you for your help.
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39751398
Compdigit - you're quite right!

It's also prominent by absence in the System Requirement on eDocs: http://support.citrix.com/proddocs/topic/xendesktop-71/cds-system-requirements-71.html :

Host
Supported platforms:

•XenServer:
          •XenServer 6.2
          •XenServer 6.1
          •XenServer 6.0.2
•VMware vSphere. No support is provided for vSphere vCenter Linked Mode operation.
          •VMware vSphere 5.1 Update 1
          •VMware vSphere 5.0 Update 2
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 39868737
So in this case we shall wait for the XD 7.5 instead ?
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39869636
Well according to their latest supported hypervisor document, as released on February 14th 2014, http://support.citrix.com/servlet/KbServlet/download/29061-102-708399/CitrixSupportedHypervisors.pdf XD 7.1 now supports 5.5 'with issues'

Those issues are here: http://support.citrix.com/article/CTX140135
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 39891112
Which ports need to be opened from the Citrix Delivery Controller server to the VMware vCenter server?

is it just TCP 443 bi directional ?
0
 
LVL 25

Expert Comment

by:Tony Johncock
ID: 39891151
List of ports here: http://support.citrix.com/servlet/KbServlet/download/2389-102-654859/CitrixPorts_by_Port_1103.pdf

I don't know which need to go both ways - as you can see the Citrix doc doesn't make that clear, so for the extra little effort I always get them opened bidirectionally
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
ID: 39891161
That's why I got confused myself here as well.

Thanks man
0
