morenoju
Partner - Specialist

Wildcard SSL Certificate in Qlik Sense

Hi guys,

I have a Go Daddy wildcard SSL certificate for my domain (let's refer to it as mydomain.org).

So the certificate is issued to: *.mydomain.org and I have two files:

72150bff08d23f65.crt
gd_bundle-g2-g1.crt

I followed some instructions I found and installed the gd_bundle-g2-g1.crt as a Personal certificate in the mmc of the Qlik Server and I copied and pasted the thumbprint in QMC / Proxies / Central / Security / SSL browser certificate thumbprint.

However when I open the Qlik Hub on a browser using https I still get the "Your connection is not private" message, the URL has the https strikeout saying "not secure" and if I go to the Certificate details it shows it is still using the self-signed Qlik Certificate.

Any idea on what could have gone wrong?

Thanks much

9 Replies
chriscammers
Partner - Specialist

First thing I would check: did the certificate actually bind to port 443?

Open a command line as an administrator and enter the command "netsh http show sslcert".

You will see several port bindings; look for the one for 0.0.0.0:443.

The certificate hash should match the thumbprint for your wildcard; it likely matches the self-signed cert at this point.

If it did not bind...

First confirm that your wildcard cert contains the private key, in the mmc you will see a key icon on the cert icon. If it doesn't then you have to get your cert with the key.

Next check your thumbprint. When you copy it from the certificate details, take it over to Notepad and paste it there. Then, with your cursor somewhere in the middle of the string, press your Home key. Next press your Delete key until the first character of the thumbprint is deleted; finally, undelete that first character. The idea here is to delete any non-printing characters.

Now copy the remaining thumbprint into the QMC and apply. You can verify if your certificate has bound to port 443.

I hope that works for you.

Chris
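
The three checks in the reply above (thumbprint cleanup, private key present, binding on 0.0.0.0:443), combined in an added PowerShell example that is not part of the original thread or of Qlik's tooling. It assumes the certificate was imported into the Local Computer "Personal" store and that netsh prints English output; the function name Test-ProxyCertificate is hypothetical.

```powershell
# Added example. Run in an elevated PowerShell session on the Qlik Sense server.
function Test-ProxyCertificate {
    param([Parameter(Mandatory)][string]$PastedThumbprint)

    # Keep only hex digits. This drops spaces and any non-printing character
    # (for example a left-to-right mark) copied along from the certificate dialog.
    $thumb = ($PastedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($thumb.Length -ne 40) {
        throw "Expected 40 hex characters (SHA-1 thumbprint), got $($thumb.Length)."
    }

    # Assumption: the certificate lives in Local Computer > Personal.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $thumb
    if (-not $cert) {
        throw "No certificate with thumbprint $thumb in Cert:\LocalMachine\My."
    }

    # Read the certificate hash bound to 0.0.0.0:443 from netsh (English output assumed).
    $boundHash = netsh http show sslcert ipport=0.0.0.0:443 |
        Select-String -Pattern '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)' |
        ForEach-Object { $_.Matches[0].Groups[1].Value.ToUpperInvariant() } |
        Select-Object -First 1

    [pscustomobject]@{
        Thumbprint    = $thumb                     # cleaned value to paste into the QMC
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey        # False = the "no key icon" case
        NotAfter      = $cert.NotAfter
        BoundTo443    = $boundHash
        BindingMatch  = ($boundHash -eq $thumb)    # False = another cert is still bound
    }
}

# Usage: pass the string exactly as copied from the certificate details, e.g.
# Test-ProxyCertificate -PastedThumbprint (Get-Clipboard)
```

If HasPrivateKey is False, the certificate was imported without its key; if BindingMatch is False, port 443 is still serving a different certificate.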

Levi_Turner
Employee

The certificate lacks a private key (https://help.qlik.com/en-US/sense/February2019/Subsystems/ManagementConsole/Content/Sense_QMC/change...), which is needed in order for Qlik to be able to un-encrypt the communication from the end user. I am not familiar with GoDaddy's UI but you should be able to request or download a certificate with the private key. Generally this is in the .PFX format for Windows. On non-Windows webservers this traditionally is bifurcated into .CRT and .KEY files (https://www.linode.com/docs/web-servers/nginx/enable-tls-on-nginx-for-https-connections/).

morenoju
Partner - Specialist
Author

Hi guys,

I managed to generate the pfx file using openssl in the Windows Server where Qlik is installed. Now I see the new certificate is being used when accessing the hub from a browser but I have a new error (NET::ERR_CERT_REVOKED).

I've tried pasting the thumbprint in QMC with both spaces and no spaces. But I always get that same error. Do you know anything about it? I don't know why it would say revoked, my certificate is valid until next year.

Thanks


morenoju
Partner - Specialist
Author

An update:

I've unchecked "Check for server certificate revocation" in Internet Explorer and it works.

However, I have to make the dashboards accessible via Google Chrome and it's not a good idea to go asking users to modify the security configuration of their browsers.

Any idea?

Thanks,

Juan


Levi_Turner
Employee

Ultimately it's a question for the vendor of the certificate. For some reason it's marked as revoked, which means any client who does an online check for its status would see the same message. This is fundamental to certificates so disabling this step should not be done. GoDaddy should have more insight into things.

morenoju
Partner - Specialist
Author

Thanks, Leviturner. I'll see if I can get an answer from GoDaddy.
It is surprising, because it is a wildcard certificate and it works without issue for another website. The issue only shows up when accessing Qlik.

morenoju
Partner - Specialist
Author

After chatting with the GoDaddy Support team, it looks like the issue might be that I created the pfx file in the Qlik Server itself, which is not where the CSR file was generated.

I'm going to try to find out where that CSR file was generated, go there with the key, create a new pfx file and install it in the server. Maybe that works.

Does it make much sense to you?

Levi_Turner
Employee

Yes, it (can) make sense. The whole OpenSSL bit made little sense. You can't just add a private key to a cert. But if you have the private key in a different format, you can use OpenSSL to merge the two and export into a specified format.

morenoju
Partner - Specialist
Author

In the end the problem was that the certificate did not have the private key and the one to add had to be the original server key. A colleague of mine provided that key and using openssl I could add it to create the pfx file.

Once I installed the pfx file and copied the thumbprint to the Proxy in Qlik, all worked alright.

Solved. Thanks for your input!
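
The resolution above (original server key plus issued certificate merged into a PFX, then installed), as an added PowerShell example that is not the poster's actual commands. The two .crt names are the ones from the thread; server.key and wildcard.pfx are hypothetical names, and the Local Computer "Personal" store is an assumption.

```powershell
# Added example. Requires openssl on PATH; run elevated on the Qlik Sense server.
$cert   = '72150bff08d23f65.crt'   # issued wildcard certificate (name from the thread)
$bundle = 'gd_bundle-g2-g1.crt'    # GoDaddy intermediate bundle (name from the thread)
$key    = 'server.key'             # hypothetical: the key the CSR was generated from
$pfx    = 'wildcard.pfx'           # hypothetical output name

# 1. The key belongs to the certificate only if both yield the same public key.
#    Both commands print the public key as PEM text, so a string compare is enough.
$pubFromCert = (& openssl x509 -in $cert -noout -pubkey) -join "`n"
$pubFromKey  = (& openssl pkey -in $key -pubout) -join "`n"
if (-not $pubFromCert -or $pubFromCert -ne $pubFromKey) {
    throw "$key is not the private key for $cert."
}

# 2. Merge certificate, private key and intermediates into one PFX.
#    openssl prompts for an export password.
& openssl pkcs12 -export -out $pfx -inkey $key -in $cert -certfile $bundle
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 -export failed.' }

# 3. Import into the machine store and show the thumbprint to paste into
#    QMC / Proxies / Central / Security.
$password = Read-Host -AsSecureString 'PFX password'
$imported = Import-PfxCertificate -FilePath $pfx `
    -CertStoreLocation Cert:\LocalMachine\My -Password $password
$imported | Select-Object Thumbprint, Subject, HasPrivateKey
```

Delete server.key and wildcard.pfx from the working directory once the import succeeds, since both contain the wildcard's private key.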