Qlik Sense Hub and Management Console down - Bootstrap fails Newly created client certificate not valid; root certificate can't sign new certificates

Daniele_Purrone — Fri, 19 Aug 2022 06:23:20 GMT

The Qlik Sense Enterprise hub and Management Console are down. The Qlik Sense Repository Service (QRS) startup procedure does not complete.

If recreating the certificates based on How to recreate or just delete certificates in Qlik Sense does not resolve the issue.

Manually running the bootstrap fails with error:

[ERROR] Fatal exception during bootstrap: Newly created client certificate not valid; root certificate can't sign new certificates; see logs at Qlik.Sense.Communication.Security.CertSetup.ThrowAndLogFatalRootError(String msg)
at Qlik.Sense.Common.Security.SecuritySetup.SetupCA(String externalRootCertThumbprint, ICipherAlgorithm secretsAlgorithm, Boolean forceNewSetup)
at Repository.Core.Bootstrap.BootstrapHandler.Install(BootstrapState bootstrapState)
at Repository.Core.Bootstrap.BootstrapHandler.Bootstrap(BootstrapState bootstrapState)
at Repository.QRSMain.Bootstrap()
at Repository.QRSMain.Main()
Bootstrap mode has terminated. Press ENTER to exit..

Joining a Rim node fails with incorrect password, even if the password was copied or typed correctly:

Other errors in the Qlik Sense Logs include:

Certificates are not correctly installed

20201022T144326.598+0200 ERROR APP03 Security.Repository.Qlik.Sense.Communication.Security.Certificates.CertUtil 44 c0cde05d-6354-46fb-a249-d7de93aad09c HELD-W2K\QlikService When accessing certificate store (loc:LocalMachine, name:Root):

Duplicate or invalid root certificates are not allowed;

Waiting for certificates and hostname

WARN APP03 Security.Printing.Qlik.Sense.Communication.Security.Certificates.CertValidator 4 886518e5-f503-418c-b441-094d4ed4fc2f HELD-W2K\QlikService Certificate 'CN=QlikClient' (D24E4965A56C5D0764E9B5255670F38B01F8D9EF) is invalid because it was not signed correctly by 886518e5-f503-418c-b441-094d4ed4fc2f

Environment:

Qlik Sense Enterprise, all versions

Resolution:

This issue is caused by access issues when attempting to access/recreate the certificates and/or other GPOs that affect certificates.

Example scenarios:

A GPO is in place which enforces duplication of the hostname-CA certificate.

A GPO is in place which prevents the creation of a new certificate.

It may also be possible that access to the certificate is not granted. In which case the following may help:

Stop the services
Launch Regedit
Locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb.
Add ProtectionPolicy DWORD 32-bit with the value of 1.
Run the bootstrap process again by running "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -standalone -restorehostname from an elevated (Run as Administrator) command prompt
Start the services

In addition to get rid of the error with the RIM Nodes please add the same key on all the RIM Nodes then restart the machines and redistribute the certificates.

article Qlik Sense Hub and Management Console down - Bootstrap fails Newly created client certificate not valid; root certificate can't sign new certificates in Official Support Articles

Qlik Sense Hub and Management Console down - Bootstrap fails Newly created client certificate not valid; root certificate can't sign new certificates

Resolution:

Related Content: