I am having an issue with the installation of a Qlik Data Gateway for Direct Access.
All the configurations seem to be working well, except the status still shows "disconnected."
Here are the logs showing an error:
5 2024-09-30 17:59:01 [Service ] [INFO ] Kid:
5 2024-09-30 17:59:01 [Service ] [WARN ] QCS production tenant, failed to verify CA bundle
5 2024-09-30 17:59:01 [Service ] [ERROR] Connection to xxxxx.xx.qlikcloud.com:443 failed
System.Net.WebSockets.WebSocketException (0x80004005): Unable to connect to the remote server
---> System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
---> System.Security.Authentication.AuthenticationException: The remote certificate was rejected by the provided RemoteCertificateValidationCallback.
at System.Net.Security.SslStream.CompleteHandshake(SslAuthenticationOptions sslAuthenticationOptions)
at System.Net.Security.SslStream.ForceAuthenticationAsync[TIOAdapter](Boolean receiveFirst, Byte[] reAuthenticationData, CancellationToken cancellationToken)
at System.Net.Http.ConnectHelper.EstablishSslConnectionAsync(SslClientAuthenticationOptions sslOptions, HttpRequestMessage request, Boolean async, Stream stream, CancellationToken cancellationToken)
--- End of inner exception stack trace ---
I am somewhat of a novice with SSL issues 😅. Could any of you help me with this?
Thank you!
Best regards.
Hi,
Please check this reference documentation: Configuration de Qlik Data Gateway - Direct Access | Aide Qlik Cloud, section "Activation du CA bundle"
Tip: The customer name (and tenant address) is displayed in your logs, maybe you should delete it for privacy/security?
Regards
Hello Maxime,
Already done. I did all the configuration as described.
Regards
I think you should disable it, because the doc indicates that it should be enabled only for Qlik Cloud Government or if the customer uses a proxy that replaces the certificates.
In order to know this last point, you should display the certificate used in the browser, on the gateway server. If it's the Qlik one, you can disable the CA bundle feature; if not, we'll need to go further with the analysis.
Hello @Antoine04,
> I am somewhat of a novice with SSL issues
Me too 🙂 And I believe I will never exit that phase xD
Anyway, it works fine for me but I don't know if we have the same CA or where/how you are retrieving the CRL, and this might be a good starting point.
Maybe the application is looking for a root that doesn't contain the CA certificate; Qlik uses DigiCert as issuer and it's quite common and world-distributed (on my laptop they are loaded as per default setup).
When working in a highly secure environment, it is common to maintain your own CA certificate and set up a CRL for your own application; anyway, the biggest problem would be the intermediate certificate validation - from some research I did in the past I saw that it's an industry problem but I never dug deeper due to a lack of time.
As steps, I would try to check how the application is configured and where it looks for the CA root certificate and CRL; you can try to run some troubleshooting commands from the CLI of the affected host and post the results.
Hope it helps
Regards,
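
The check suggested in the replies above (see which certificate the gateway server actually receives, who issued it, and whether the host can build and revocation-check the chain), as a PowerShell script. This is an added example, not part of the original thread or of Qlik's tooling; the host name is a placeholder, and a direct outbound connection on port 443 (no explicit HTTP proxy) is assumed.

```powershell
# Added example: inspect the certificate presented to THIS host for the tenant.
param(
    [string]$TenantHost = 'your-tenant.region.qlikcloud.com',  # placeholder, use your own tenant address
    [int]$Port = 443
)

$tcp = New-Object System.Net.Sockets.TcpClient($TenantHost, $Port)
try {
    # Accept whatever is presented: the goal here is to inspect it, not to trust it.
    # This callback is for diagnosis only and must not be reused in application code.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($TenantHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Who issued the certificate this host received?
# A public CA (the thread mentions DigiCert) means it was not replaced in transit;
# a corporate or proxy CA name means TLS inspection is rewriting it.
"Subject : $($leaf.Subject)"
"Issuer  : $($leaf.Issuer)"
"Expires : $($leaf.NotAfter)"
"SHA-1   : $($leaf.Thumbprint)"

# Build the chain against the local Windows trust stores, with online revocation
# checking, to see whether the root, the intermediates and the CRL are reachable.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$trusted = $chain.Build($leaf)

"Chain trusted by this host: $trusted"
foreach ($element in $chain.ChainElements) {
    "  {0}" -f $element.Certificate.Subject
    foreach ($status in $element.ChainElementStatus) {
        # e.g. UntrustedRoot, PartialChain, RevocationStatusUnknown, OfflineRevocation
        "    {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
    }
}
```

Run it on the gateway server itself, since a laptop on another network path may receive a different certificate. `PartialChain` or `UntrustedRoot` points at a missing intermediate or root in the local store, while `RevocationStatusUnknown` or `OfflineRevocation` points at the CRL/OCSP endpoints not being reachable from that host.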