ERR_SSL_KEY_USAGE_INCOMPATIBLE Error After Qlik Replicate Windows Patch/Upgrade

Dana_Baldwin · Oct 3, 2024 1:53:17 AM

After upgrading from Windows 10 to Windows 11, or applying certain patches to Windows Server 2016, Qlik Replicate may not load in the browser.

The following error is displayed:

ERR_SSL_KEY_USAGE_INCOMPATIBLE

Data Integration Products November 2021.11 or lower require a manual generation of SSL certificates for use. See Step 5 (options one and two) in the solution provided below.

Environment

Qlik Replicate 2022.11 (may happen with other versions)
Qlik Compose 2022.5 (may happen with other versions)
Qlik Enterprise Manager 2022.11 (may happen with other versions)
Use of the self-signed SSL certificate
Windows 11
Windows server 2016

Resolution

This issue has to do with the self-signed SSL certificate. Deleting the existing one and allowing Qlik Replicate/Compose/Enterprise Manager to regenerate them resolves the issue.

Stop the services for all affected software. Example: AttunityReplicateUIConsole, Qlik Compose or Qlik Enterprise Manager.
(This step only applies to Qlik Replicate) Rename the data folder under the SSL folder (\Program Files\Attunity\Replicate\data\ssl\data)
Delete self-signed certificates in the management console
1. Open a command prompt and enter MMC to open the console (on Windows Server, open "Manage computer certificates")
2. Click the File drop-down menu and select Add/Remove snap-in
3. Select Certificates and click Add
4. Select Computer account. Click Next, then click Finish.
5. Click OK to close the Add or Remove Snap-ins window
6. Open Certificates and navigate to Local Computer, then Personal, then Certificates
7. In the list of certificates shown, select the certificates where the "Issued To" value and the "Issued By" value equal your computer name and delete them.
8. Close the Management Console.
Next we will remove the reference to the self-signed certificate in Qlik Replicate:
1. Open a command prompt As Administrator
  
  For Qlik Replicate:
  
  Navigate to the ..\Attunity\Replicate\bin directory and then run the following command:
  
  RepUiCtl.exe certificate clean
  
  For Qlik Compose:
  Navigate to the ..\Qlik\Compose\bin directory and then run the following command:
  
  ComposeCtl.exe certificate clean
  
  For Qlik Enterprise Manager:
  Navigate to the ..\Attunity\Enterprise Manager\bin directory and then run the following command:
  
  aemctl.exe certificate clean
2. Run the command: netsh http delete sslcert ipport=0.0.0.0:443
  
  Note, that you may get a message that the command failed in the event there are no certificates bound to the port. This message can be ignored.
Add either a self-signed Certificate or a trusted and signed Organization Certificate.

Option One: Trusted and Signed Certificate. Generate an organization certificate that must be a correctly configured SSL PFX file containing both the private key and the certificate.

Option Two: Self-Signed Certificate. Generate a self-signed certificate on the server to replace the existing self-signed certificate. The provided PowerShell examples generate an SSL certificate for 10 years.

Run the following in PowerShell:

$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname <FQDN> -NotAfter (Get-Date).AddYears(10)
Once the certificates have been obtained or generated, follow the instructions for the individual product section on how to import a certificate:
Start the services.
You may need to clear browser cache/cookies & etc. before you can access the web page outside of incognito mode.

Qlik Replicate will now allow you to open the user interface once again.

If users still cannot log in and are returned to the log in prompt at each attempt, see How to change the Qlik Replicate URL on a Windows host.
It is recommended to use your organization certificates

Related Content:

How to change the Qlik Replicate URL on a Windows host

Google Chrome Community

Microsoft Answers

KellyHobson · ‎2023-07-20

Thanks @Dana_Baldwin ! This helped on my Windows machine where post Windows 11 upgrade I could not get my Replicate console to display.

I was seeing this message in the UI.

After following these steps, resolved the issue.

rickrliu · ‎2023-08-01

Hi @Dana_Baldwin,

I got the same error from Replicate and Compose after Windows 11 installed on my laptop (previous version is Windows 10). I followed the steps in this post; and got the ERR_SSL_KEY_USAGE_INCOMPATIBLE issue resolved. A new issue is that I cannot log in to my local Replicate and Compose running on Windows 11 (the login window keeps pupping up to ask use name and password). The same user name and password are working well in remotely logging in my team shared Replicate and Compose running on Windows 10. I also do not have any issue of using the same user name and password in logging in other applications on my laptop.

My Replicate version is 2021.11.0.266; and my Compose version is 2021.8.0.725. Could you advise if this is a known issue? Do you have a solution to the issue?

Thanks,

Rick

Hrishikesh · ‎2023-08-02

Hi @Dana_Baldwin , multiple users are affected in our company due to a recent move to Windows 11, after following the steps above, the UI is still not able to authenticate the existing users

We have a case # 00101855 created for this issue.

Can you please follow up on priority with this?

Sonja_Bauernfeind · ‎2023-08-02

Hello @Hrishikesh

Someone will be in touch with you regarding the open ticket. Please note that knowledge articles are not intended for immediate support, and a ticket was the right way to go if you require priority assistance.

All the best,
Sonja

Dana_Baldwin · ‎2023-08-02

Hi @rickrliu

I am not personally aware of this being a known issue. I think the best course if action is for you to open a support case to troubleshoot the issue.

Thanks,

Dana

Steve_Nguyen · ‎2023-08-02

@Hrishikesh

the issue with the windows popup on the login for credential, so like a windows security on loopback.

see the below article: on how to disable loopback

https://community.qlik.com/t5/Official-Support-Articles/How-to-change-the-Qlik-Replicate-URL-on-a-Wi...

NakulanR · ‎2023-11-19

Hi Support,

We have tried the above steps however it hasn't worked, and we are still seeing the ERR_SSL_KEY_USAGE_INCOMPATIBLE error when trying to access Replicate.

The environment where this is being done has both Qlik Replicate and Qlik Enterprise Manager installed on the same machine. Do the steps need to be carried out differently as a result?

When looking at the certificates in the Management Console, there are 2 listed, one of which we believe is the certificate for QEM. Is there any way to identify the certificate being used by Replicate?

Any feedback is greatly appreciated

Regards,

Nak

Dana_Baldwin · ‎2023-11-20

Hi @NakulanR

Please run: netsh http show sslcert ,, and check the hash to match with the cert hash in the mmc store

Manjunathps · ‎2023-11-23

Hi Team,

I'm facing similar issue with QEM Nov 2021, I'm able to browse QEM from the server where it is installed, but I' not able to browse from other servers where user access is granted.

Please help in this.

Regards,

Manjunath

NakulanR · ‎2023-11-24

Hi @Manjunathps ,

In our case, clearing the browser cache in addition to the resolution steps at the start of this article helped to resolve the issue.

ERR_SSL_KEY_USAGE_INCOMPATIBLE Error After Qlik Replicate Windows Patch/Upgrade