Skip to main content

Qlik

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Join us at Qlik Connect for 3 magical days of learning, networking,and inspiration! REGISTER TODAY and save!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Gysbert_Wassenaar
MVP
MVP
‎2017-10-23 03:06 AM

wrong ssl certificate used for login page

Hello,

I have qlik sense server that's configured with a 3rd party ssl certificate. After logging in that certificate is used and the browser is happy with the trustworthy certificate.

However when logging in the form login page (https://server.domain.com:4244/form/?targetId=xyz....etc‌) uses the self-signed certificatate instead of the proper certificate. This is not nice, because now users see warnings in the browser that this an insecure site.

On another site everything works correctly and I don't see differences in how the proxy and virtual proxies are configured. Any help and hints are appreciated.


talk is cheap, supply exceeds demand
3,442 Views
0 Likes
1 Solution

Accepted Solutions
simon_minifie
Partner - Creator III
Partner - Creator III
‎2017-10-23 07:22 AM

In response to Gysbert_Wassenaar

Ok, have you tried removing that binding and applying the signed certificate to it?

View solution in original post

2,476 Views
13 Replies
kaushiknsolanki
Partner Ambassador/MVP
Partner Ambassador/MVP
‎2017-10-23 03:15 AM

Hi,

Not sure but couple of checks.

1. DNS entry.

2. Host name mapping defined in hosts file of windows server.

Regards,

Kaushik Solanki

Please remember to hit the 'Like' button and for helpful answers and resolutions, click on the 'Accept As Solution' button. Cheers!
2,469 Views
0 Likes
Gysbert_Wassenaar
MVP
MVP
‎2017-10-23 03:25 AM
Author

In response to kaushiknsolanki

Nope, that's not it. The domain name is fine. It's only on the login page that Qlik Sense uses its own self-signed certificate. Thanks anyway.


talk is cheap, supply exceeds demand
2,469 Views
0 Likes
kaushiknsolanki
Partner Ambassador/MVP
Partner Ambassador/MVP
‎2017-10-23 03:49 AM

In response to Gysbert_Wassenaar

What I understand is when a request is made from browser to Qlik Sense, it checks for the Proxy SSL certificate if it is not available or access is not allowed then it will use the self signed certificate.

What you think on this.

If this is the case then Help site says below.

When editing a proxy certificate as a user without admin privileges, you need to run the repository in bootstrap mode before the changes take effect.


Regards,

Kaushik Solanki

Please remember to hit the 'Like' button and for helpful answers and resolutions, click on the 'Accept As Solution' button. Cheers!
2,469 Views
0 Likes
Gysbert_Wassenaar
MVP
MVP
‎2017-10-23 04:11 AM
Author

In response to kaushiknsolanki

Yeah ok. But the QS proxy does have access to the SSL certificate. After logging in it uses that certificate and the browser is happy. It's only on the login page that the self-signed certificate is used. It's like it uses the right certificate for port 443 but still uses the self-signed certificate for port 4244. And this does not happen on another QS site we have. There the self-signed certificate is never presented to the users browser.


talk is cheap, supply exceeds demand
2,476 Views
0 Likes
simon_minifie
Partner - Creator III
Partner - Creator III
‎2017-10-23 04:38 AM

Hi Gysbert,

The SSL certificate is bound to port 443 which is why it's presented there.

If you want the same for the form login page, you will also need to bind it to 4244. You are specifying the port number in the URL, so you can't expect it to use the certificate bound to port 443.

best regards,

Simon

2,476 Views
0 Likes
Gysbert_Wassenaar
MVP
MVP
‎2017-10-23 04:54 AM
Author

In response to simon_minifie

So why does it work on my other qlik sense site?


talk is cheap, supply exceeds demand
2,476 Views
0 Likes
simon_minifie
Partner - Creator III
Partner - Creator III
‎2017-10-23 05:09 AM

In response to Gysbert_Wassenaar

Actually, that's a very good point. It should automatically bind to both ports.

Open up a command prompt on the server and have a look at the 'netsh http show sslcert'

The same certificate hash should be bound to 443 and 4244

2,476 Views
Gysbert_Wassenaar
MVP
MVP
‎2017-10-23 07:06 AM
Author

In response to simon_minifie

That's what I thought. But I when I checked the the self-signed certificate was (and is) bound to port 4244.


talk is cheap, supply exceeds demand
2,476 Views
0 Likes
simon_minifie
Partner - Creator III
Partner - Creator III
‎2017-10-23 07:22 AM

In response to Gysbert_Wassenaar

Ok, have you tried removing that binding and applying the signed certificate to it?

2,477 Views