Qlik Sense Hub and Management Console down - Bootstrap fails Newly created client certificate not valid; root certificate can't sign new certificates

The Qlik Sense Enterprise hub and Management Console are down. The Qlik Sense Repository Service (QRS) startup procedure does not complete.

If recreating the certificates based on How to recreate or just delete certificates in Qlik Sense does not resolve the issue.

Manually running the bootstrap fails with error:

[ERROR] Fatal exception during bootstrap: Newly created client certificate not valid; root certificate can't sign new certificates; see logs    at Qlik.Sense.Communication.Security.CertSetup.ThrowAndLogFatalRootError(String msg)
   at Qlik.Sense.Common.Security.SecuritySetup.SetupCA(String externalRootCertThumbprint, ICipherAlgorithm secretsAlgorithm, Boolean forceNewSetup)
   at Repository.Core.Bootstrap.BootstrapHandler.Install(BootstrapState bootstrapState)
   at Repository.Core.Bootstrap.BootstrapHandler.Bootstrap(BootstrapState bootstrapState)
   at Repository.QRSMain.Bootstrap()
   at Repository.QRSMain.Main()
Bootstrap mode has terminated. Press ENTER to exit..

Joining a Rim node fails with incorrect password, even if the password was copied or typed correctly:

Other errors in the Qlik Sense Logs include:

Certificates are not correctly installed

20201022T144326.598+0200    ERROR    APP03    Security.Repository.Qlik.Sense.Communication.Security.Certificates.CertUtil    44    c0cde05d-6354-46fb-a249-d7de93aad09c    HELD-W2K\QlikService    When accessing certificate store (loc:LocalMachine, name:Root):     

Duplicate or invalid root certificates are not allowed;

Waiting for certificates and hostname

WARN    APP03    Security.Printing.Qlik.Sense.Communication.Security.Certificates.CertValidator    4    886518e5-f503-418c-b441-094d4ed4fc2f    HELD-W2K\QlikService    Certificate 'CN=QlikClient' (D24E4965A56C5D0764E9B5255670F38B01F8D9EF) is invalid because it was not signed correctly by 886518e5-f503-418c-b441-094d4ed4fc2f

Environment: 

• Qlik Sense Enterprise, all versions

Resolution:

This issue is caused by access issues when attempting to access/recreate the certificates and/or other GPOs that affect certificates. 

Example scenarios:

A GPO is in place which enforces duplication of the hostname-CA certificate.

or

A GPO is in place which prevents the creation of a new certificate.

It may also be possible that access to the certificate is not granted. In which case the following may help:

1. Stop the services
2. Launch Regedit
3. Locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb.
4. Add ProtectionPolicy DWORD 32-bit with the value of 1.
5. Run the bootstrap process again by running "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -standalone -restorehostname from an elevated (Run as Administrator) command prompt
6. Start the services

In addition to get rid of the error with the RIM Nodes please add the same key on all the RIM Nodes then restart the machines and redistribute the certificates.

Related Content:

• How to recreate or just delete certificates in Qlik Sense - No access to QMC or Hub