balajibc64
Specialist

Qlik NPrinting Certificate Issue

Hi, we are using Qlik Sense with Qlik NPrinting. When we try to access the Qlik NPrinting URL, it shows a warning like "your connection is not private". Then I opened the developer tools and checked under the Security tab, and it shows

"The page is not secure (broken HTTPS)" Below 

Certificate - Subject Alternative name missing 

Certificate - missing (here its showing like "err_cert_comm_name_invalid") . 

Can anyone suggest, please?

Note: Because of this, the URL does not work the first time; if I then click the URL from Advanced, it works.

Both certificates were installed on the same day in Qlik Sense and Qlik NPrinting.


Accepted Solutions
Anil_Babu_Samineni

@balajibc64 Hello, please explain the issue you have. If this is just the button for On-Demand, make sure you have added a trusted origin.


Here, you have to do a few things.

Please add your Qlik Sense FQDN. For example, if this is your QS URL: https://URLofQliksense

and two more must be added for N-Printing as well, for example:

1) https://URLofQlikNPrinting

2) https://Yourfullservername

Best Anil, When applicable please mark the correct/appropriate replies as "solution" (you can mark up to 3 "solutions". Please LIKE threads if the provided solution is helpful

Lech_Miszkiewicz
Partner Ambassador/MVP

Hi @balajibc64

You would use OpenSSL to convert the PFX certificate file to CRT and KEY files. I assume you already have a PFX certificate file purchased for the FQDN (or a wildcard) of your prod NPrinting server?

If you are not familiar with certificates, then ask your network admin to convert those files for you; it will save you the hassle of understanding what is what. The whole conversion could be described in the following steps:

1. Get a wildcard certificate for your domain with private key in PFX format (for example, a Cert.pfx file).

2. Install OpenSSL (on the NPrinting server or your machine).

3. Copy "Cert.pfx" to the "C:\OpenSSL-Win64\bin" folder and run the commands below from that location.

 

openssl pkcs12 -in Cert.pfx -nocerts -out NPrinting-Decrypted.key

openssl pkcs12 -in Cert.pfx -clcerts -nokeys -out NPrinting.crt

openssl rsa -in NPrinting-Decrypted.key -out NPrinting.key

 

As a result you will get the NPrinting.crt and NPrinting.key files (with decrypted key). Those files need to be copied to the following folders (the same files copied to both of the folders below) for the admin console and NewsStand:

C:\ProgramData\NPrinting\newsstandproxy

C:\ProgramData\NPrinting\webconsoleproxy

 

In the above-mentioned folders there are "app.conf" files which have to be modified. Find this line and modify it to point to your certificate:

http.sslcert=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.crt

http.sslcert=${ProgramData}\NPrinting\newsstandproxy\NPrinting.crt

 

Restart the NPrinting web server.

Use the FQDN to access the NPrinting console. The connection should be secure with a valid trusted 3rd-party certificate.

That is all it takes.

cheers Lech, When applicable please mark the correct/appropriate replies as "solution" (you can mark up to 3 "solutions". Please LIKE threads if the provided solution is helpful to the problem.

Lech_Miszkiewicz
Partner Ambassador/MVP

Hi @balajibc64 

It is possible if it was installed with the exportable option.

You can check if the wildcard cert is installed on the Qlik Sense server (MMC --> add Snap-In etc...) and then export it from there; however, you would need to make sure you also get the private key exported, and that will depend on whether the cert on Qlik Sense was installed with the option to allow private key export or not.

It looks like for whatever reason you don't want to talk to your network admins, otherwise you would have got that cert weeks ago 😂😂😂

cheers

Lech_Miszkiewicz
Partner Ambassador/MVP

Hi @balajibc64 - I don't know. I have not done it that way. In bare theory it should work, but maybe there are other things I am missing.

This is not a scenario documented so you are trying to do something different than what is documented. Do it and see. We already gave you official/documented steps, you are wanting to do different steps. It is up to you.

cheers


51 Replies
Anil_Babu_Samineni

@balajibc64 Subject alternative is really important. Can you view the certificate and check if any values or host details are available in Subject alternative?

Hope your certificate was created for the webserver?

balajibc64
Specialist
Author

Hi @Anil_Babu_Samineni Yes, webserver only. Can you please suggest where and how to check the subject alternative?

Anil_Babu_Samineni

@balajibc64 This is related to a similar issue: https://community.qlik.com/t5/Official-Support-Articles/ERR-CERT-COMMON-NAME-INVALID-when-using-3rd-...

Please see if that helps .

balajibc64
Specialist
Author

Hi @Anil_Babu_Samineni Thank you. I will check.

Quick question:

This needs to be done on the Qlik NPrinting Server only, right?

And I checked while accessing the Qlik NPrinting Server URL:

"Attackers might be trying to steal your information from YYY.XXX.com.qa"

NET::ERR_CERT_AUTHORITY_INVALID

So for this, handling the Subject alternative is important, right?

Do I need to recreate a new certificate to create the Subject alternative, or is using the existing one enough? Please suggest.

Anil_Babu_Samineni

@balajibc64 I wonder if you can modify the existing one, because the communication needs to be sent.

It doesn't matter if that is connected to the tool (because it is the same for almost all FQDN hosts like your NPrinting).

So, I would recommend recreating it and using it, and let's see how that helps you.

PS: Subject alternative depends how your certificate management configured in the backend (Meaning, in Webserver template if that is optional when they create it, I won't suspect this is due to this).

 

balajibc64
Specialist
Author

Hi @Anil_Babu_Samineni Oops, I got confused, because I can't try directly in Production. Below are the details I found:

1. Logged on to the Qlik NPrinting server.

2. Looked at the existing certificate via mmc.

3. Under Certificate, Details tab, I'm seeing the Subject value. This subject value is SWXXXD0AAAS0003 (our Qlik NPrinting Server name).

4. There is no "Subject Alternative Name" under this tab.

5. Now when I tried to access the Qlik NPrinting URL, I am facing this NET::ERR_CERT_AUTHORITY_INVALID.

I notice this message as per your given link, 

Your connection is not private

Attackers might be trying to steal your information from fltapsaaa.asdfgsdirways.com.qa (for example, passwords, messages, or credit cards)

NET::ERR_CERT_AUTHORITY_INVALID

Please note: I am trying to resolve this issue because the On Demand button is not working in the Qlik Sense dashboard, so I am trying to resolve this certificate issue.

 

balajibc64
Specialist
Author

Hi @Anil_Babu_Samineni, any suggestions?

Hi @Lech_Miszkiewicz, tagging you; can you please guide if possible?

balajibc64
Specialist
Author

Hi @Anil_Babu_Samineni Quick question: as you mentioned, "would recommend to recreate".

Do you mean re-create a certificate? If yes, is this via Qlik Sense QMC --> certificate, this way?

Anil_Babu_Samineni

@balajibc64 Sorry for the late reply, I was away yesterday 🙂

Anyway, this sounds like somebody is trying to access your company address. I would recommend checking with your provider (like the webserver from where you ordered, or whoever uses this template to create certificates).

You may be looking only in Qlik Sense; my intention is to check from the N-Printing side as well. It means when you create the private key (there are many ways to create a certificate), it could check the box, and what if you create the certificate again in Qlik Sense via QMC and also the same from Qlik N-Printing.

Once you download the certificate in CER, please follow these steps.

  1. Rename the extension of the generated file (.cer) to .crt (e.g. xyz.crt).
  2. Copy the certificate "xyz.crt" and the related private key "NPrinting.key" into the appropriate folders:
    1. For the NewsStand: %ProgramData%\NPrinting\newsstandproxy\.
       Typical path is C:\ProgramData\NPrinting\newsstandproxy\.
    2. For the Qlik NPrinting web console: %ProgramData%\NPrinting\webconsoleproxy\.
       Typical path is C:\ProgramData\NPrinting\webconsoleproxy.
  3. Change both proxy configuration files to refer to the new certificate file:
    1. Edit the NewsStand proxy configuration file: %ProgramData%\NPrinting\newsstandproxy\app.conf
       Uncomment by removing the # and change or add the following lines (change the certificate and private key file names if necessary):

       http.sslcert=${ProgramData}\NPrinting\newsstandproxy\xyz.crt
       http.sslkey=${ProgramData}\NPrinting\newsstandproxy\NPrinting.key

    2. Edit the Qlik NPrinting web console proxy configuration file: %ProgramData%\NPrinting\webconsoleproxy\app.conf
       Uncomment by removing the # and change or add the following lines (change the certificate and private key file names if necessary):

       http.sslcert=${ProgramData}\NPrinting\webconsoleproxy\xyz.crt
       http.sslkey=${ProgramData}\NPrinting\webconsoleproxy\NPrinting.key

  4. You must stop and restart the Qlik N-Printing web engine service because new certificates are read only during the service start-up process.

 

/* I noticed this from your statement:

3. Under Certificate, Details tab I'm seeing Subject value. This subject value is SWXXXD0AAAS0003 (Our Qlik N-Printing Server name).

Make sure the Subject is valid with your FQDN as well; for example, it should be community.qlik.com if this is your N-Printing URL to whitelist.

*/

Please do let us know if you need more information or if it did not work.

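
Added example, not part of any post in this thread and not Qlik code: the host-name check browsers apply to a server certificate, which is what the "Subject Alternative Name missing" finding is about. It assumes current browser behaviour (only SAN dNSName entries are matched, the Subject CN is ignored); the function names and the SAN lists are constructed for illustration. NET::ERR_CERT_AUTHORITY_INVALID is a separate chain-of-trust failure and is not modelled here.

```python
# Added example, not code from the thread: the host-name check a browser
# applies to a server certificate. Sample names are the redacted values
# quoted in the thread; the SAN lists are constructed.

def _labels(name):
    """Lower-case a DNS name, drop a trailing dot, split it into labels."""
    return name.strip().rstrip(".").lower().split(".")

def san_entry_matches(host, pattern):
    """True if one SAN dNSName entry covers host.

    '*' counts only as the whole left-most label and stands for exactly one
    label: *.example.com covers a.example.com, not example.com or a.b.example.com.
    """
    h, p = _labels(host), _labels(pattern)
    if len(h) != len(p) or "" in h:
        return False
    if p[0] == "*":
        # Simplified stand-in for the browsers' public-suffix rule: no "*.tld".
        return len(p) >= 3 and h[1:] == p[1:]
    return h == p

def check_certificate(host, subject_cn, san_dns_names):
    """Return (ok, reason). The Subject CN is reported but never matched."""
    if not san_dns_names:
        return False, "no SAN present; Subject CN %r is ignored" % subject_cn
    for entry in san_dns_names:
        if san_entry_matches(host, entry):
            return True, "covered by SAN entry %r" % entry
    return False, "no SAN entry covers %r" % host

FQDN = "YYY.XXX.com.qa"      # host in the browser warning (redacted in the thread)
SHORT = "SWXXXD0AAAS0003"    # server name shown in the Subject field

CASES = [  # (description, Subject CN, SAN dNSName list)
    ("certificate described in the thread", SHORT, []),
    ("wildcard certificate (constructed)", "*.XXX.com.qa", ["*.XXX.com.qa"]),
    ("FQDN plus short name (constructed)", FQDN, [FQDN, SHORT]),
]

def report():
    """Evaluate every sample certificate against both URLs users might type."""
    return [(desc, host) + check_certificate(host, cn, sans)
            for desc, cn, sans in CASES for host in (FQDN, SHORT)]

if __name__ == "__main__":
    for desc, host, ok, why in report():
        print("%-38s %-16s %-4s %s" % (desc, host, "OK" if ok else "FAIL", why))
```

A wildcard certificate passes for the FQDN but still fails when the console is opened by its short server name, so every URL registered as a trusted origin needs a matching SAN entry.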