PVS Server Down In Console After Upgrade to 2402CU1

Article ID: CTX692291

Description

After upgrading the first PVS Server in the farm to 2402 CU1 and running the Configuration Wizard, the PVS Server appears down in the console. The Configuration Wizard completes with errors.

The following is one example found in the AOT logs:

  • Unknown,-1,StreamDb,StreamDbImpl.cpp,3332,Ardence::CStreamDbImpl::TranslateSAException,,5,AOLOG_INFO,"Translation exception, ex.NativeCode = -2147221005, ex.ErrText = <Invalid class string>

The PVS Windows Event logs indicate the DB cannot be found:

  • Event 268 Streamprocess - Cannot establish a connection to the database because the server cannot be found...

The SQL Server Windows Event logs display:

  • Event 36882 - The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate.

Resolution

Obtain a valid certificate: add a CA-signed or self-signed certificate to the SQL Server.

In order to update the Trusted Authorities store on PVS you must have a certificate on-hand, as a certificate file. The certificate you need depends on how the SQL Server is configured.

If the SQL Server is configured with a self-signed certificate, then this same certificate can be used to establish trust.

If the SQL Server is configured with a CA-signed certificate, then you need to obtain the signing CA root certificate to establish trust. Depending on which CA is used to sign the server certificate, the PVS server may already have it.

If the SQL Server is configured to use the "default" certificate, indicated by the certificate property being blank, then the certificate CANNOT be trusted. This certificate is generated anew each time the SQL Server service starts and cannot be exported, so there is no way to establish trust.

If the SQL Server is using the default certificate with encryption enabled, then it needs to be deployed with a proper certificate for PVS to be able to use it. The certificate can be self-signed or CA-signed.

When you have the new certificate (Self-signed or CA signed):

  • deploy it on the PVS server in the Local Machine\Trusted Root Certification Authorities certificate store using any of several tools, such as certlm.msc (GUI), certutil.exe, or the Import-Certificate cmdlet.

This needs to be done on every PVS server. It is a one-time operation and does not need to be repeated when you rerun the Configuration Wizard or upgrade Citrix Provisioning. It does need to be repeated if the certificate has changed.
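As an added illustration (not Citrix's own script), the following PowerShell performs the import step on one PVS server with the checks a practitioner would want first: that the file really is a self-issued certificate (self-signed server certificate or CA root), that a self-signed server certificate names the SQL Server FQDN PVS connects to (driver 19 validates the hostname as well as trust), and that a chain builds afterwards. The parameter names, the .cer file path and the FQDN are assumptions.

```powershell
# Added example, not Citrix's script. Assumes $CertPath is a .cer file holding the SQL Server's
# self-signed certificate or its signing CA root, $SqlServerFqdn is the name PVS uses for SQL,
# and the script runs elevated on each PVS server.
param(
    [Parameter(Mandatory)] [string] $CertPath,
    [Parameter(Mandatory)] [string] $SqlServerFqdn
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Only a self-issued certificate (self-signed server cert or CA root) belongs in Trusted Root;
# a CA-issued leaf placed there does not make its issuer trusted.
if ($cert.Subject -ne $cert.Issuer) {
    throw "'$CertPath' was issued by '$($cert.Issuer)'. Import that CA's root certificate instead."
}

# Driver 19 validates the hostname too: a self-signed server cert must name the FQDN PVS uses.
# (Irrelevant for a CA root; there the server's own certificate must carry the name.)
$bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
$isCa = [bool]($bc -and $bc.CertificateAuthority)
$names = @()
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
if ($san) { $names += (($san.Format($false) -split ',\s*') -replace '^DNS Name=', '') }
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
if (-not $isCa -and $names -notcontains $SqlServerFqdn) {
    Write-Warning "Certificate names [$($names -join ', ')] do not include '$SqlServerFqdn'; hostname validation will still fail."
}

# Import once per PVS server; skip if the same thumbprint is already present.
$store = 'Cert:\LocalMachine\Root'
if (Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
    "Already present in ${store}: $($cert.Thumbprint)"
} else {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $store | Out-Null
    "Imported '$($cert.Subject)' into $store"
}

# Confirm a chain now builds from the machine store, which is what the OLE DB driver checks.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    "Chain builds to a trusted root: OK"
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}
```

Run it once on each PVS server; the thumbprint check makes it safe to rerun after a certificate change.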


Problem Cause

The issue is introduced by Microsoft OLE DB Driver 19.x, which strictly enforces certificate validation. The Stream Process has used Microsoft OLE DB Driver version 19.x since PVS version 2311.

Microsoft OLE DB Driver 19 differs from earlier drivers used by PVS in the following ways.

  • Encrypted connections are now the default.
  • Certificate validation, for trust and hostname, is now enabled.

These changes can cause unexpected database connection failures after upgrading. 

Regarding encryption, PVS DOES NOT use the driver default. It specifies Encrypt=Optional when it connects to the database. This means the connection is encrypted if the SQL Server has Force Encryption=Yes, and otherwise it is unencrypted. This is identical to the behavior with earlier versions.

The Certificate is Not Trusted

If the SQL Server's server certificate is not trusted, you may see:

  • 08001 Client unable to establish connection. For solutions related to encryption errors, see https://go.microsoft.com/fwlink/?linkid=2227882.
  • SSL Provider: The certificate chain was issued by an authority that is not trusted.

When the certificate is not trusted, a SQL client has two options.

  • Use the TrustServerCertificate=True option when connecting to the database to disable certificate validation.
  • Establish trust by updating the Local Machine\Trusted Root Certification Authorities certificate store.

PVS does not support the first option, as it is inherently insecure. 
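To observe the driver 19 behaviour described above from a PVS server, as an added example that is not Citrix's code: a PowerShell check that opens a connection the way PVS does (OLE DB Driver 19, provider MSOLEDBSQL19, Encrypt=Optional, no TrustServerCertificate) and classifies a failure as a trust problem, a hostname problem, or something else. The server name, the database name and the presence of the driver are assumptions.

```powershell
# Added example, not Citrix's code. Assumes 64-bit PowerShell on a PVS server where the 64-bit
# Microsoft OLE DB Driver 19 (provider name MSOLEDBSQL19) is installed, and that the current
# account can log in to the PVS database (the default name ProvisioningServices is assumed).
param(
    [Parameter(Mandatory)] [string] $SqlServer,   # exactly as PVS addresses it, e.g. sql01.corp.example
    [string] $Database = 'ProvisioningServices'
)

# Mirrors PVS: Encrypt=Optional, and no TrustServerCertificate=True (which PVS does not support).
$connStr = "Provider=MSOLEDBSQL19;Data Source=$SqlServer;Initial Catalog=$Database;" +
           "Integrated Security=SSPI;Encrypt=Optional"

$conn = New-Object System.Data.OleDb.OleDbConnection $connStr
try {
    $conn.Open()
    "Connected to $SqlServer with OLE DB Driver 19 (Encrypt=Optional)."
    # Report whether the session actually ended up encrypted (Force Encryption=Yes on the server).
    # sys.dm_exec_connections needs VIEW SERVER STATE, so a failure here is reported but not fatal.
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT encrypt_option, auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        $r = $cmd.ExecuteReader()
        if ($r.Read()) { "encrypt_option=$($r['encrypt_option']) auth_scheme=$($r['auth_scheme'])" }
        $r.Close()
    } catch { Write-Warning "Could not query sys.dm_exec_connections: $($_.Exception.Message)" }
} catch {
    $msg = $_.Exception.Message
    if ($msg -match 'not trusted') {
        # The "issued by an authority that is not trusted" text from the article: chain failure.
        Write-Warning "TRUST FAILURE: the SQL Server certificate does not chain to a root in Cert:\LocalMachine\Root on this PVS server.`n$msg"
    } elseif ($msg -match 'target principal name') {
        # Usual Schannel wording for a hostname mismatch (assumed; not quoted in the article).
        Write-Warning "HOSTNAME FAILURE: the certificate does not name '$SqlServer'.`n$msg"
    } else {
        Write-Warning "Connection failed: $msg"
    }
} finally {
    $conn.Dispose()
}
```

A trust failure here, with encrypt_option reported as TRUE once fixed, confirms the Force Encryption=Yes plus untrusted-certificate combination the article describes.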

NOTE: The full procedure is in the Citrix Provisioning documentation. See "Enable secure connection from provisioning server to SQL server" on this page: https://docs.citrix.com/en-us/provisioning/current-release/install/pre-install

Additional Information

https://learn.microsoft.com/en-us/troubleshoot/sql/database-engine/connect/error-message-when-you-connect