Delivery Controller cannot contact vCenter server after certificate update on vCenter

Article ID: CTX224551

Description

The Delivery Controller is unable to contact the vCenter server after the certificate on the vCenter server has been updated.

Resolution

Step 1: Obtain the new vCenter certificate using any of the following methods:

  • From the vCenter server:
    1. Copy the file rui.crt from the vCenter server to a location accessible from your Delivery Controllers.
    2. On the Controller, navigate to the location of the copied certificate and open the rui.crt file.
  • Download the certificate using a web browser. If you are using Internet Explorer, depending on your user account, you may need to right-click on Internet Explorer and choose Run as Administrator to download or install the certificate.
    1. Open your web browser and make a secure web connection to the vCenter server; for example https://server1.domain1.com
    2. Accept the security warnings.
    3. Click on the address bar where it shows the certificate error.
    4. View the certificate and click on the Details tab.
    5. Select Copy to file and export in .CER format, providing a name when prompted to do so.
    6. Save the exported certificate.
    7. Navigate to the location of the exported certificate and open the .CER file.
  • Import directly from Internet Explorer running as an administrator:
    1. Open your web browser and make a secure web connection to the vCenter server; for example https://server1.domain1.com.
    2. Accept the security warnings.
    3. Click on the address bar where it shows the certificate error.
    4. View the certificate.

Step 2. Import the certificate into the certificate store on each of your Controllers:

  1. Click Install certificate, select Local Machine, and then click Next.
  2. Select Place all certificates in the following store, and then click Browse.
  3. If you are using Windows Server 2008 R2:
    1. Select the Show physical stores checkbox.
    2. Expand Trusted People.
    3. Select Local Computer.
    4. Click Next, then click Finish.
    If you are using Windows Server 2012 or Windows Server 2012 R2:
    1. Select Trusted People, then click OK.
    2. Click Next, then click Finish.

Important: If you change the name of the vSphere server after installation, you must generate a new self-signed certificate on that server before importing the new certificate. Once the hypervisor connection is restored, pending power actions may take place.

Step 3: Remove the old vCenter certificate from all Delivery Controllers.
From the Certificates MMC snap-in for the Local Computer, remove the old vCenter certificate from the Trusted People store on each Delivery Controller.

Step 4. If you continue to experience vCenter connectivity issues, update the CVAD database with the thumbprint of the new certificate.

  • SSL thumbprints of the hypervisor connections are stored in the "HostingUnitServiceSchema.HypervisorConnectionSSLThumbprint" table of the CVAD Site database in SQL. The thumbprint can be updated using PowerShell:
  1. Get the LiteralPath of the hosting connection. On one of the Delivery Controllers, start PowerShell as Administrator and run the following cmdlets:
    asnp citrix*
    Get-ChildItem XDHyp:\Connections | Select-Object HypervisorConnectionName,HypervisorAddress
  2. Take note of the output.
  3. Obtain the thumbprint of the new certificate from the Details tab of the certificate.
  4. Update the certificate thumbprint via PowerShell. Note: the thumbprint must be entered in capital letters with no spaces. Verify that the value copied from the Certificate Details view contains no stray characters: on some Windows versions the dialog prepends an invisible left-to-right mark (U+200E) to the copied text, so a thumbprint that looks correct is rejected. Retype the first character, or strip everything that is not a hexadecimal digit, before using it.
    $cred = Get-Credential
    Set-Item -LiteralPath "XDHyp:\Connections\<HypervisorConnectionName>" -Username $cred.UserName -SecurePassword $cred.Password -SslThumbprint "<New thumbprint in capitals>" -HypervisorAddress <HypervisorAddress>
    Example input:
    Set-Item -LiteralPath "XDHyp:\Connections\EsxLab" -Username $cred.UserName -SecurePassword $cred.Password -SslThumbprint "XXXXXXXXXXXXXXXXXXX" -HypervisorAddress https://vcenter.example.com
    • Note: it has been observed that in some cases the Set-Item cmdlet does not accept the -Username parameter. If this applies to your case, run the following cmdlet instead:
      Set-Item -LiteralPath "XDHyp:\Connections\<HypervisorConnectionName>" -SslThumbprint "XXXXXXXX" -HypervisorAddress <HypervisorAddress>
  5. After having changed the thumbprint of the hypervisor connection certificate in the database, perform the following actions depending on the type of your setup:
      • In Citrix Cloud environments, restart all Cloud Connectors in the zone using this vCenter connection.
      • For on-premises environments, restart the Citrix Host Service on each Delivery Controller.

Step 5. Launch Citrix Studio/DaaS console. From the Hosting tab, run a host connection test.
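The procedure above scripted end to end, as an added example that is not part of the Citrix article: it reads the certificate the vCenter server actually presents on its TLS listener, compares it against a thumbprint copied out of band from the Certificate Details dialog (cleaning spaces and hidden marks first), replaces the old certificate in the Local Computer Trusted People store, and records the new thumbprint on the hosting connection. The host name vcenter.example.com and the connection name EsxLab are the placeholders used in the article's own example; the function names are this example's own. Run it in an elevated PowerShell session on a Delivery Controller with the Citrix snap-ins installed.

```powershell
# Added example (not from the Citrix article): Steps 1 to 4 of the procedure
# scripted for an elevated PowerShell session on a Delivery Controller.
# 'vcenter.example.com' and 'EsxLab' are placeholders; replace them for your Site.

# Step 1: fetch the certificate straight from the vCenter TLS listener. The
# validation callback returns $true only so an untrusted (self-signed or
# freshly replaced) certificate can be read; nothing here trusts it yet.
function Get-VCenterCertificate {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $tls = $null
    try {
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $tls.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    } finally {
        if ($tls) { $tls.Dispose() }
        $client.Close()
    }
}

# Normalise a thumbprint pasted from the Certificate Details dialog: drop
# spaces, hidden marks such as U+200E and anything else that is not hex,
# upper-case it, and insist on the 40 hex digits of a SHA-1 thumbprint.
function ConvertTo-CleanThumbprint {
    param([Parameter(Mandatory=$true)][string]$Raw)
    $clean = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean -notmatch '^[0-9A-F]{40}$') {
        throw "'$Raw' does not normalise to a 40-digit SHA-1 thumbprint (got '$clean')"
    }
    return $clean
}

# Steps 2 and 3: add the new certificate to LocalMachine\TrustedPeople and
# remove any older certificate with the same subject (the previous vCenter cert).
function Update-TrustedPeopleStore {
    param([Parameter(Mandatory=$true)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPeople', 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        $stale = @($store.Certificates | Where-Object {
            $_.Subject -eq $Cert.Subject -and $_.Thumbprint -ne $Cert.Thumbprint })
        foreach ($old in $stale) {
            Write-Host "Removing old certificate $($old.Thumbprint) (expired/expires $($old.NotAfter))"
            $store.Remove($old)
        }
        $present = @($store.Certificates | Where-Object { $_.Thumbprint -eq $Cert.Thumbprint })
        if ($present.Count -eq 0) { $store.Add($Cert) }
    } finally { $store.Close() }
}

# Step 4: record the new thumbprint on the hosting connection. The address is
# re-used from the existing connection so that only the thumbprint changes.
function Update-HostingConnectionThumbprint {
    param([Parameter(Mandatory=$true)][string]$ConnectionName,
          [Parameter(Mandatory=$true)][string]$Thumbprint)
    Add-PSSnapin Citrix* -ErrorAction SilentlyContinue
    $path = "XDHyp:\Connections\$ConnectionName"
    $conn = Get-Item -LiteralPath $path
    Set-Item -LiteralPath $path -SslThumbprint $Thumbprint -HypervisorAddress $conn.HypervisorAddress
}

$cert = Get-VCenterCertificate -HostName 'vcenter.example.com'   # placeholder host
Write-Host "vCenter presents $($cert.Subject), thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Out-of-band check: paste the thumbprint shown in the vCenter certificate's
# Details tab here. Leave it empty to skip; with it set, a mismatch aborts so
# the Controller never trusts a certificate nobody verified.
$pastedThumbprint = ''
if ($pastedThumbprint) {
    $expected = ConvertTo-CleanThumbprint -Raw $pastedThumbprint
    if ($cert.Thumbprint -ne $expected) {
        throw "vCenter presented $($cert.Thumbprint) but $expected was expected; not trusting it"
    }
}

Update-TrustedPeopleStore -Cert $cert
Update-HostingConnectionThumbprint -ConnectionName 'EsxLab' -Thumbprint $cert.Thumbprint   # placeholder name
# On-premises: restart the Host Service so it re-reads the connection.
# In Citrix Cloud, restart the Cloud Connectors in the zone instead.
Restart-Service -DisplayName 'Citrix Host Service'
```

Run it on every Delivery Controller, since the Trusted People store is per machine; the Set-Item call only needs to succeed once because the thumbprint lives in the Site database. If Set-Item rejects the update with a correct-looking thumbprint, pass the value through ConvertTo-CleanThumbprint first, which is where the hidden U+200E mark from the Windows certificate dialog gets stripped.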


Problem Cause

If the certificate on the vCenter server is changed or upgraded, the same certificate along with any associated root and intermediate certificates must be installed on all the Delivery Controllers/Cloud Connectors, and the Site database must be updated with the new thumbprint of that certificate.

Issue/Introduction

Once the certificates are changed on the vCenter server, XenDesktop is no longer able to contact the vCenter server.

Additional Information