Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Clever_Anjos
Employee
Employee

Sense unable to locate a ssl certificate

i´m not beeing able to make my Sense box use a valid SSL certificate

Error message  Couldn't find a valid ssl certificate with thumbprint

Steps taken so far:

  • SSL certificate imported under MMC/Certificates/Local Computer/Personal

Capturar.PNG

  • Proxy configured with the thumbprint
  • Proxy service restarted

Trace log

Sequence#LevelLoggerThreadServiceUserMessage
1INFOSecurity.Proxy.Qlik.Sense.Common.Security.Cryptography.LoggingDigester1WIN-8JETLOID025\qsappSetting crypto key for log file secure signing: success
2INFOSecurity.Proxy.Qlik.Sense.Common.Security.Cryptography.SecretsKey9WIN-8JETLOID025\qsappretrieving symmetric key from cert: success
3INFOSecurity.Proxy.Qlik.Sense.Common.Security.Cryptography.CryptoKey9WIN-8JETLOID025\qsappsetting crypto key: success
4WARNSecurity.Proxy.Qlik.Sense.Communication.Security.CertSetup9WIN-8JETLOID025\qsappNo private key found for certificate 'CN=sense.meubi.com.br, OU=PositiveSSL, OU=Domain Control Validated' (1F284854608E80E245D7B640849BB03FE819048F)
5WARNSecurity.Proxy.Qlik.Sense.Communication.Security.CertSetup9WIN-8JETLOID025\qsappCouldn't find a valid ssl certificate with thumbprint 1f 28 48 54 60 8e 80 e2 45 d7 b6 40 84 9b b0 3f e8 19 04 8f
6WARNSecurity.Proxy.Qlik.Sense.Communication.Security.CertSetup9WIN-8JETLOID025\qsappReverting to default Qlik Sense SSLCertificate
INFOSecurity.Proxy.Qlik.Sense.Communication.Security.CertSetup9WIN-8JETLOID025\qsappSet certificate 'CN=WIN-8JETLOID025' (047E90CF18BF749E1EF503E674C2B90960D04E51) as SSL certificate presented to browser
1 Solution

Accepted Solutions
jaisoni_trp
Creator II
Creator II

I would check couple of things here:

a) Does the certificate have private key i.e. do you see a key icon in certificate?

b) Double check if its stored on correct location.

View solution in original post

8 Replies
jaisoni_trp
Creator II
Creator II

I would check couple of things here:

a) Does the certificate have private key i.e. do you see a key icon in certificate?

b) Double check if its stored on correct location.

jaisoni_trp
Creator II
Creator II

Per Qlik:

The definition of an invalid certificate is as follows:

  • The operating system considers the certificate to be too old or the certificate chain is incorrect or incomplete.
  • The Qlik Sense certificate extension (OID “1.3.6.1.5.5.7.13.3”) is missing or does not reflect the location of the certificate:
    • Current User/Personal certificate location: Client
    • Local Machine/Personal certificate location: Server
    • Local Machine/Trusted Root certificate location: Root
    • Current User/Trusted Root certificate location: Root
  • The server, client, and root certificates on the central node do not have a private key that the operating system allows them to access.
  • The server and client certificates are not signed by the root certificate on the machine.
Clever_Anjos
Employee
Employee
Author

>>a) Does the certificate have private key i.e. do you see a key icon in certificate?

Where should I find that icon?

jaisoni_trp
Creator II
Creator II

In MMC on the certificate. Capture.PNG

Clever_Anjos
Employee
Employee
Author

Here?

I don´t have that icon.

Could you kindly guide me how to create/obtain it?

Capturar.PNG

Clever_Anjos
Employee
Employee
Author

Closing the topic.

The certificate was issued without the private key.

Clever_Anjos
Employee
Employee
Author

a) Does the certificate have private key i.e. do you see a key icon in certificate?

Morteza561
Contributor II
Contributor II

I had a weird problem about this error and I've finally resovled it!

This was what I was getting in Security_Proxy Log:


Current version of .NET does not support the private key algorithm for certificate

 

I've got my SSL from Let's Encrypt Certbot and the problem was (according to the documentation)  key file's encryption algorythm!

https://eff-certbot.readthedocs.io/en/stable/using.html

 

I've came up with the idea of changing the algorithm by adding "--key-type rsa" to the end of my command and it worked like charm!

full command:

certbot certonly --manual --preferred-challenges=dns --email xxx@yyy.com --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.example.com --key-type rsa