Skip to main content
Announcements
Talend Data Catalog 8.0 End of Support: December 31, 2024 Get Details

How to recreate or just delete certificates in Qlik Sense - No access to QMC or Hub

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Bjorn_Wedbratt
Employee
Employee

How to recreate or just delete certificates in Qlik Sense - No access to QMC or Hub

Last Update:

Dec 11, 2023 10:20:39 AM

Updated By:

Sonja_Bauernfeind

Created date:

Aug 25, 2020 4:33:20 AM

 

There may be several different symptoms associated with a need to regenerate and redistribute certificates;

  • After installing, renewing, or changing a third-party certificate for use with Qlik Sense the Qlik Management Console (QMC) and Hub may become inaccessible leading to Page Cannot Be Displayed error.

    This article does not cover the use of a 3rd party certificate for end user Hub access, but the certificates used for communication between the Sense services. For recommendation on how to use a 3rd party certificate for end user access, see How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate
  • In the Qlik Sense Proxy trace logs, the last line may be indicating waiting for certificates to be installed or similar. In addition, even though Proxy service remains running, port 443 (by default) will fail to bind and start listening for requests.

  • Qlik Sense may sometimes fail to create the correct certificates during installation if there are old/unused certificates left from a previous installation.  Also, certs can become corrupted, or newly installed certificates configured to be used may not be compatible. See Qlik Sense: Compatibility information for third-party SSL certificates and Requirements for configuring Qlik Sense with SSL.
Do not perform the below steps in a production environment, without first doing a backup of the existing certificates. Certificates are being used to encrypt information in the QRS database, such as connection strings. By recreating certificates, you may lose information in your current setup.
By removing the old/bad certificates, and restarting the Qlik Sense Repository Service (QRS), the correct certificates can be recreated by the service. If trying to remove certs, only the removal steps need to be followed.

The instructions are to be carried out on the Qlik Sense Central Node. In the case of a multi-node deployment, verify which node is the central node before continuing.

  1. Open Qlik Sense Management Console (QMC)
  2. Navigate to Nodes section
  3. Add the column Central Node column through Column selector

If the current central node role is held by the failover, you need to fail the role back to the original central node by shutting down all the nodes (this implies downtime). Then start the original central node, reissue the certificates on it with this article, and when the central node is working apply the article Rim node not communicating with central node - certificates not installed correctly on each Rim node.

 

Step by Step instructions:

Test all data connections after the certificates are regenerated.  It is likely that data connections with passwords will fail.  This is because passwords are saved in the repository database with encryption.  That encryption is based on a hash from the certificates.  When the Qlik Sense signed certificates are regenerated, this hash is no longer valid, and the saved data connection passwords can not be decrypted.  The customer must re-enter the passwords in each data connection and save.  See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"
  1. Log on to the Central node using the Qlik Service Account and navigate to the 'Services' and to the Qlik Services.

  2. Stop the QRS (this will also stop the other services; however, make sure the postgresql-64-12 or Qlik Sense Repository Database is still running).

    User-added image
     
  3. Open Microsoft Management Console (MMC). 

    Important: Execute the MMC as the account configured to run the services (using Run as a different user [Ctrl-Shift & Right click on the exe to see option]... )

  4. Add the following snap-ins for Certificates:

    • My user account
    • Local Computer account

  5. In Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates, delete the Self-Signed certificates created by Qlik Sense, issued by HOSTNAME.domain-CA*

    *Where HOSTNAME is the machine name of the server in question and domain is the domain of the server.
    So for example, QlikServer1 is the computer hostname and the domain is domain.local, the certificate will be issued by QlikServer1.domain.local-CA
     
  6. In Certificates (Local Computer) > Personal > Certificates, delete the Self-Signed certificate issued by HOSTNAME.domain-CA

  7. In Certificates > Current User > Personal > Certificates, delete the Self-Signed certificate named QlikClient
     
  8. Go to the folder C:\ProgramData\Qlik\Sense\Repository, delete the folder 'Exported Certificates'

  9. Run this command from an elevated (admin) command prompt to create new certificates:

    "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname 

    Note:
    If the script doesn't get to "Bootstrap mode has terminated. Press ENTER to exit.." and gets stuck at "[INFO] Entering main startup phase.." start the "Qlik Sense dispatcher service" and it will get to the end)

  10. Verify the new certificates have been created by REFRESHING the screen for each certificate location, and then start the rest of the Qlik Sense services. In addition, verify that duplicate or multiple certificates were not created (rarely occurs). If so, the article will need to be followed again by starting with the deletion of the certificates.

User-added image


There is no need to perform a full reinstall to propagate new certificates. Certificates are created by the QRS automatically if not found during the service startup process.

 

For Qlik Sense multi-cloud deployment (September 2020 or later):

The steps in this section must be performed after recreating certificates as described above.
  1. Start Qlik Sense Repository Database service on CENTRAL NODE, or PostgreSQL Server service if running a dedicated instance of PostgreSQL database server.

  2. Using pgAdmin tool or any other database client, connect to SenseServices database. (IMPORTANT: the below query needs to be executed on the SenseServices DB)

  3. Execute following query against SenseServices database:

    DROP TABLE IF EXISTS hybrid_deployment_service.mt_doc_asymmetrickeysencrypt CASCADE;

     

  4. Navigate to Deployments page of Multi-cloud Setup Console (MSC).

  5. Delete and re-add any existing deployments by following the steps mentioned in Distributing apps from Qlik Sense Enterprise on Windows to Qlik Sense Enterprise SaaS  and Distributing apps to Qlik Sense Enterprise on Kubernetes.

 

Node.js certificates

After the certificates have been recreated and then redistributed to all of the rim nodes, the node.js certificates stored locally on the central and all rim nodes also need to be recreated. Follow the below steps to perform this action:

  1. Stop all Qlik Sense services

  2. In Windows File Explorer, navigate to %ProgramData%\Qlik\Sense\Repository\Exported_certificates

  3. Back up the Local certificates directory and then delete it

  4. Restart the Qlik Sense services
Test all data connections after the certificates are rebuilt.  It is likely that data connections with passwords will fail.  This is because passwords are saved in the repository database with encryption.  That encryption is based on a hash from the certs.  When the Qlik Sense self-signed cert is rebuilt, this hash is no longer valid, and so the saved data connection passwords will fail.  The customer must re-enter the passwords in each data connection and save.  See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"

 

Self Signed Certificates:

Notice if using an official Signed Server Certificate from a trusted Certificate Authority

The certificate information will also be in the QMC, under Proxies, with the Certificate thumbprint listed. If trying to merely remove all aspects of certs, this will need to be removed as well.

  1. Go to Proxies 

  2. Select your Proxy and click Edit

  3. In the right pane, select Security

  4. Scroll down and locate "SSL browser certificate thumbprint" in the Security section to locate the thumprint info.

 

If the Central Node repository service hanging in the logs:

  1. Open C:\ProgramData\Qlik\Sense\Log\Repository\Trace

  2. Look for this Example "API service initialized with 1501 available methods".  This is Central Node. 

  3. If you see this Example "API service initialized with 2 available methods". This is a Rim node. 

  4. For Central Node you should see as an example ""API service initialized with 1501 available methods". 

  5. Running this command "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname will resolved this issue.

If the above does not work, see Qlik Sense Enterprise Hub and Qlik Management Console (QMC) down - bootstrap fails with "Newly creat...

Labels (2)
Comments
QFabian
Specialist III
Specialist III

thanks @Bjorn_Wedbratt , another good tips

diagonjope
Partner - Creator III
Partner - Creator III

Hi @Bjorn_Wedbratt ,

First of all, thanks for these instructions.

I've noticed that the instructions in the text description add the snap-ins for both Current User and Local Computer, but the video instructions only uses certificates from the Current User section.  Is this just enough?  Are the certificates in the Local Computer section just copies of the ones in the Current User section that are copied during the certificate regeneration process?

Please advise - also, please tag my user name so that I get a msg when you reply.

Cheers,

++José

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @diagonjope 

Let me look into this for you. I will get back to you once I received clarification and gave this a test.

All the best,
Sonja 

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @diagonjope 

We have confirmed that you're required to delete the certificates in both stores. Current User and Local Computer.

All the best,
Sonja 

diagonjope
Partner - Creator III
Partner - Creator III
Thank you Sonja!
Purushothaman
Partner - Creator III
Partner - Creator III

Hi @Sonja_Bauernfeind,

For stopping services during bootstrap, should the Qlik Sense Service Dispatcher be stopped or continue to run?

Thank you!

 

 

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @Purushothaman 

The note we have regarding the Dispatcher is: If the script doesn't get to "Bootstrap mode has terminated. Press ENTER to exit.." and gets stuck at "[INFO] Entering main startup phase.." start the "Qlik Sense dispatcher service" and it will get to the end.

I hope this helps!

Otherwise, the service should be stopped.

All the best,
Sonja 

stevejoyce
Specialist II
Specialist II

In my qlik site, the issued by computer of the root certificate is not one of the central node candidates, i assume at some point it was and configured out.

Am I safe to perform these steps on the current active central node?  or do i need to re-elevate the old computer back as a failover candidate and failover to it?

stevejoyce
Specialist II
Specialist II

@Sonja_Bauernfeind - If you can please take a look at my last post, greatly appreciated.

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @stevejoyce 

There is currently not enough information available for Qlik to be able to respond accurately. 

Please gather the following information and post directly in the Deployment and Management forumwhere our active support agents and Qlik peers can assist:

  • Setup information (central node, rim nodes)
  • Versions of Qlik Sense used
  • Details about the scenario (which node is your central node, details about the certificates having been issued)
  • Issues you are seeing and which you are looking to resolve or what you are otherwise attempting to correct or achieve
  • Possible errors

All the best,
Sonja 

Version history
Last update:
‎2023-12-11 10:20 AM
Updated by: