Skip to main content
Announcements
Talend Data Catalog 8.0 End of Support: December 31, 2024 Get Details

How to recreate or just delete certificates in Qlik Sense - No access to QMC or Hub

No ratings
cancel
Showing results for 
Search instead for 
Did you mean: 
Bjorn_Wedbratt
Employee
Employee

How to recreate or just delete certificates in Qlik Sense - No access to QMC or Hub

Last Update:

Dec 11, 2023 10:20:39 AM

Updated By:

Sonja_Bauernfeind

Created date:

Aug 25, 2020 4:33:20 AM

 

There may be several different symptoms associated with a need to regenerate and redistribute certificates;

  • After installing, renewing, or changing a third-party certificate for use with Qlik Sense the Qlik Management Console (QMC) and Hub may become inaccessible leading to Page Cannot Be Displayed error.

    This article does not cover the use of a 3rd party certificate for end user Hub access, but the certificates used for communication between the Sense services. For recommendation on how to use a 3rd party certificate for end user access, see How to: Change the certificate used by the Qlik Sense Proxy to a custom third party certificate
  • In the Qlik Sense Proxy trace logs, the last line may be indicating waiting for certificates to be installed or similar. In addition, even though Proxy service remains running, port 443 (by default) will fail to bind and start listening for requests.

  • Qlik Sense may sometimes fail to create the correct certificates during installation if there are old/unused certificates left from a previous installation.  Also, certs can become corrupted, or newly installed certificates configured to be used may not be compatible. See Qlik Sense: Compatibility information for third-party SSL certificates and Requirements for configuring Qlik Sense with SSL.
Do not perform the below steps in a production environment, without first doing a backup of the existing certificates. Certificates are being used to encrypt information in the QRS database, such as connection strings. By recreating certificates, you may lose information in your current setup.
By removing the old/bad certificates, and restarting the Qlik Sense Repository Service (QRS), the correct certificates can be recreated by the service. If trying to remove certs, only the removal steps need to be followed.

The instructions are to be carried out on the Qlik Sense Central Node. In the case of a multi-node deployment, verify which node is the central node before continuing.

  1. Open Qlik Sense Management Console (QMC)
  2. Navigate to Nodes section
  3. Add the column Central Node column through Column selector

If the current central node role is held by the failover, you need to fail the role back to the original central node by shutting down all the nodes (this implies downtime). Then start the original central node, reissue the certificates on it with this article, and when the central node is working apply the article Rim node not communicating with central node - certificates not installed correctly on each Rim node.

 

Step by Step instructions:

Test all data connections after the certificates are regenerated.  It is likely that data connections with passwords will fail.  This is because passwords are saved in the repository database with encryption.  That encryption is based on a hash from the certificates.  When the Qlik Sense signed certificates are regenerated, this hash is no longer valid, and the saved data connection passwords can not be decrypted.  The customer must re-enter the passwords in each data connection and save.  See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"
  1. Log on to the Central node using the Qlik Service Account and navigate to the 'Services' and to the Qlik Services.

  2. Stop the QRS (this will also stop the other services; however, make sure the postgresql-64-12 or Qlik Sense Repository Database is still running).

    User-added image
     
  3. Open Microsoft Management Console (MMC). 

    Important: Execute the MMC as the account configured to run the services (using Run as a different user [Ctrl-Shift & Right click on the exe to see option]... )

  4. Add the following snap-ins for Certificates:

    • My user account
    • Local Computer account

  5. In Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates, delete the Self-Signed certificates created by Qlik Sense, issued by HOSTNAME.domain-CA*

    *Where HOSTNAME is the machine name of the server in question and domain is the domain of the server.
    So for example, QlikServer1 is the computer hostname and the domain is domain.local, the certificate will be issued by QlikServer1.domain.local-CA
     
  6. In Certificates (Local Computer) > Personal > Certificates, delete the Self-Signed certificate issued by HOSTNAME.domain-CA

  7. In Certificates > Current User > Personal > Certificates, delete the Self-Signed certificate named QlikClient
     
  8. Go to the folder C:\ProgramData\Qlik\Sense\Repository, delete the folder 'Exported Certificates'

  9. Run this command from an elevated (admin) command prompt to create new certificates:

    "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname 

    Note:
    If the script doesn't get to "Bootstrap mode has terminated. Press ENTER to exit.." and gets stuck at "[INFO] Entering main startup phase.." start the "Qlik Sense dispatcher service" and it will get to the end)

  10. Verify the new certificates have been created by REFRESHING the screen for each certificate location, and then start the rest of the Qlik Sense services. In addition, verify that duplicate or multiple certificates were not created (rarely occurs). If so, the article will need to be followed again by starting with the deletion of the certificates.

User-added image


There is no need to perform a full reinstall to propagate new certificates. Certificates are created by the QRS automatically if not found during the service startup process.

 

For Qlik Sense multi-cloud deployment (September 2020 or later):

The steps in this section must be performed after recreating certificates as described above.
  1. Start Qlik Sense Repository Database service on CENTRAL NODE, or PostgreSQL Server service if running a dedicated instance of PostgreSQL database server.

  2. Using pgAdmin tool or any other database client, connect to SenseServices database. (IMPORTANT: the below query needs to be executed on the SenseServices DB)

  3. Execute following query against SenseServices database:

    DROP TABLE IF EXISTS hybrid_deployment_service.mt_doc_asymmetrickeysencrypt CASCADE;

     

  4. Navigate to Deployments page of Multi-cloud Setup Console (MSC).

  5. Delete and re-add any existing deployments by following the steps mentioned in Distributing apps from Qlik Sense Enterprise on Windows to Qlik Sense Enterprise SaaS  and Distributing apps to Qlik Sense Enterprise on Kubernetes.

 

Node.js certificates

After the certificates have been recreated and then redistributed to all of the rim nodes, the node.js certificates stored locally on the central and all rim nodes also need to be recreated. Follow the below steps to perform this action:

  1. Stop all Qlik Sense services

  2. In Windows File Explorer, navigate to %ProgramData%\Qlik\Sense\Repository\Exported_certificates

  3. Back up the Local certificates directory and then delete it

  4. Restart the Qlik Sense services
Test all data connections after the certificates are rebuilt.  It is likely that data connections with passwords will fail.  This is because passwords are saved in the repository database with encryption.  That encryption is based on a hash from the certs.  When the Qlik Sense self-signed cert is rebuilt, this hash is no longer valid, and so the saved data connection passwords will fail.  The customer must re-enter the passwords in each data connection and save.  See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"

 

Self Signed Certificates:

Notice if using an official Signed Server Certificate from a trusted Certificate Authority

The certificate information will also be in the QMC, under Proxies, with the Certificate thumbprint listed. If trying to merely remove all aspects of certs, this will need to be removed as well.

  1. Go to Proxies 

  2. Select your Proxy and click Edit

  3. In the right pane, select Security

  4. Scroll down and locate "SSL browser certificate thumbprint" in the Security section to locate the thumprint info.

 

If the Central Node repository service hanging in the logs:

  1. Open C:\ProgramData\Qlik\Sense\Log\Repository\Trace

  2. Look for this Example "API service initialized with 1501 available methods".  This is Central Node. 

  3. If you see this Example "API service initialized with 2 available methods". This is a Rim node. 

  4. For Central Node you should see as an example ""API service initialized with 1501 available methods". 

  5. Running this command "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname will resolved this issue.

If the above does not work, see Qlik Sense Enterprise Hub and Qlik Management Console (QMC) down - bootstrap fails with "Newly creat...

Labels (2)
Comments
qlikthomas1
Contributor
Contributor

I Tried This above New Solution the certificates in the personal got created new but I couldn't see qlik certificate in "Trusted Root Certification Authorities"
@Sonja_Bauernfeind 
@Bjorn_Wedbratt 

Sonja_Bauernfeind
Digital Support
Digital Support

Hello @qlikthomas1 

Verify that all services were correctly restarted. If the certificate still has not been created, review the Qlik Sense Repository Trace logs for possible errors: C:\ProgramData\Qlik\Sense\Log\Repository\Trace

All the best,
Sonja 

RanOuerg
Creator
Creator

Hello @Sonja_Bauernfeind  @Bjorn_Wedbratt 

I'm planning an upgrade from Qlik sense August 2022 to Qlik sense February 2024 

I have an issue: i don't have the password for my qlik sense certificate so i can't do the backup (Export)

Is there any way to solve this issue ?

If i delete the certificate QlikClient and i run the command to generate automatically is it safe  and will it  solve my issue ?

 

I'm looking for a solution so i can back up my qlik sense environment 

 

Thank you in advance.

Version history
Last update:
‎2023-12-11 10:20 AM
Updated by: