Resolving common web browser certificate errors and changing the certificate used by Hub and QMC
Hello everyone! This video walks through how to resolve common web browser certificate issues and how to change the certificate used by the Qlik Sense Hub and QMC.

Qlik Sense uses a self-signed certificate by default, so a certificate error is shown when logging on to the QMC and Hub from a computer other than the server. The specific error code displayed by all major browsers indicates an invalid CA, or in the case of Firefox, an UNKNOWN_ISSUER. "Issuer" means the Certificate Authority, which is abbreviated as CA. These errors occur because the Certificate Authority (CA), which is the Qlik Sense server in this case, is not trusted by the client's browser. The user may click on "Advanced" for the option of bypassing the error as a temporary workaround. However, in a production environment a fully trusted connection will most likely be needed.

In some scenarios, such as testing or non-production, administrators may choose to install the Qlik Sense root CA self-signed certificate on the client computers. The Qlik Sense self-signed certificates have a two-level trust structure, as can be seen in the Certification Path, so we can use the root certificate to make the Qlik Sense CA trusted by the client and resolve the error related to an unknown or invalid CA. The Qlik Sense root CA certificate can be found in .pem format under the following location: C:\ProgramData\Qlik\Sense\Repository\Exported Certificates\.Local Certificates. It can also be exported as a Windows format .cer file via the QMC under Certificates. Another alternative is to manually export it via the MMC.

Next, copy the file to the client computer so it can be installed. Open the MMC and add the Certificates snap-in for managing the Computer account. Under Certificates (Local Computer), right-click "Trusted Root Certification Authorities", All Tasks, then Import.
Go through the steps to import the certificate, then confirm that it is listed under the Trusted Root Certification Authorities store. Then confirm that you no longer receive the error in the web browser when accessing the QMC or Hub. For Firefox, the certificate needs to be imported directly into the browser's own certificate store. It is located under Options, Privacy & Security; scroll down to Certificates and click View Certificates, where the Qlik Sense root CA certificate can be imported under Authorities. Then confirm that the error no longer occurs.

Note that if clients access the Qlik Sense server using a different hostname in the URL than the one stated in the certificate presented to them, a different browser certificate error may be displayed. For example, let's say users are only able to access the Hub via an external DNS record name, qlikserver10.domain.local, which is added to the Virtual Proxy configuration as an allowed host. This is a common scenario when the Qlik Sense server is behind a network device or is simply registered with a different DNS record than the one used by the client. The user may observe the web browser error code displayed here, indicating an invalid certificate Common Name in Microsoft Edge, Google Chrome, and Internet Explorer. Firefox's error code is different, indicating an invalid certificate domain name. In both cases, this means that the FQDN used in the URL does not match the Common Name in the certificate presented by the server. The certificate Common Name can be found in the certificate's "Issued To" field, as well as in the "Subject" field. The same and additional names may be listed under the "Subject Alternative Name" (SAN) field as DNS Name entries. In this case, in order to resolve this particular issue, the certificate used by the server needs to include either a wildcard DNS entry or the additional DNS name entry in the Subject Alternative Name field.
Note that this may not be suitable when the additional DNS name entry is a public one, as the internal DNS name entries would be exposed via the certificate presented to the client. This new certificate, or any other customized certificate, needs to be issued by a trusted public or private Certificate Authority, as Qlik Sense does not issue certificates.

The following are the requirements for the certificate to be issued, as of the September 2020 release: it must contain the private key and must not be expired; it must be an X.509 version 3 certificate; it must use the signature hash algorithm SHA256 or SHA-1 and the signature algorithm sha256RSA; it must be signed by a Certificate Authority (CA) that is, or can be made, trusted by both the client and the server; and it must be a CryptoAPI format certificate, not CNG.

When changing to the new certificate, Qlik Sense should automatically roll back to the default server certificate in case of issues with the new one. However, before changing the certificate, as a precaution, it is recommended that plain HTTP is enabled in case the system is not able to recover from an issue that could lead to a lockout situation. This can be done under the Qlik Sense Proxy Ports configuration by checking the Allow HTTP box.

Moving forward, as an example we have obtained a certificate from a private Certificate Authority with both DNS name entries mentioned, for qlikserver1 and qlikserver10. The next step is to install it on the Qlik Sense server. Make sure to log on to the Qlik Sense server using a local server administrator account. Then open the MMC for Certificates (Local Computer) as done previously in this video, and import the certificate into the Personal store. Refresh the MMC to inspect the new certificate and confirm that all the certificates in the Certification Path have the status "This certificate is OK". In this case it does not.
This is due to the server not having the CA root certificate installed in the "Trusted Root Certification Authorities" store. Note that if the certificate trust structure had an intermediate CA, the certificate from that specific CA would also need to be installed; it is usually installed under the "Intermediate Certification Authorities" store. After installing the root CA certificate and confirming it was placed under Trusted Root Certification Authorities, we can see that the root certificate status states "This certificate is OK". We can also see here that the "Subject Alternative Name" field holds both records, for qlikserver1 and qlikserver10.

Please note that if the Qlik Sense service account is not a local admin, the following additional steps are required. Right-click the new certificate, then go to All Tasks and Manage Private Keys. Make sure the local user group "Qlik Sense Service Users" has Read permissions. This group should already have the Qlik Sense service account as a member.

Now we need to tell Qlik Sense to use the new production certificate. Open the new certificate and, under the certificate's Details tab, scroll down and copy the Thumbprint field string. It is recommended that the thumbprint string is pasted into a text editor and inspected for an invisible character at the front of the string. This character can be seen if the text encoding is changed to ANSI. Alternatively, this can be done by pressing Delete and Backspace when the cursor is in front of the string. Also remove any spaces. Then copy this string. With this said, note that in newer releases of Qlik Sense, such as September 2020, the string can be pasted directly into the Proxy SSL browser certificate thumbprint field under the Security section. Once applied, the QMC will prompt for a Proxy service restart, or will display the following message if the service account is not a local administrator.
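The following is an added example, not Qlik's own tooling, that turns the certificate requirements listed above and the chain, private key permission and thumbprint checks just described into a single pre-flight script. It assumes an elevated Windows PowerShell 5.1 session on the Qlik Sense server after the MMC import, and the thumbprint value is a placeholder to be replaced with the one copied from the certificate's Details tab.

```powershell
# Added example (not Qlik's own tooling): pre-flight check of a candidate
# certificate against the requirements above, run in an elevated Windows
# PowerShell 5.1 session on the Qlik Sense server after the MMC import.
# Placeholder: paste the Thumbprint copied from the certificate's Details tab.
$Raw = '<PASTE-THUMBPRINT-HERE>'

# Drop spaces and any invisible/non-hex character (such as the hidden character
# MMC prepends), then require the 40 hex digits of a SHA-1 thumbprint.
$Thumbprint = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($Thumbprint.Length -ne 40) { throw "Thumbprint is not 40 hex digits: '$Thumbprint'" }
$Cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop

# On .NET Framework, GetRSAPrivateKey returns RSACryptoServiceProvider for a
# CryptoAPI (CSP) key and RSACng for a CNG key; Qlik Sense needs the former.
$Key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
$IsCsp = $Key -is [System.Security.Cryptography.RSACryptoServiceProvider]

# The chain must build against this machine's stores, i.e. the root CA (and any
# intermediate CA) must already be imported, and the leaf must be within its validity.
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$ChainOk = $Chain.Build($Cert)

$Now = Get-Date
$Checks = [ordered]@{
    'Has private key'            = $Cert.HasPrivateKey
    'Private key is CryptoAPI'   = $IsCsp
    'Within validity period'     = ($Cert.NotBefore -le $Now) -and ($Cert.NotAfter -gt $Now)
    'X.509 version 3'            = $Cert.Version -eq 3
    'RSA signature, SHA256/SHA-1' = $Cert.SignatureAlgorithm.FriendlyName -in @('sha256RSA', 'sha1RSA')
    'Chain builds to trusted CA' = $ChainOk
}
foreach ($c in $Checks.GetEnumerator()) {
    '{0,-28} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'FAIL' })
}
if (-not $ChainOk) { 'Chain status: ' + (($Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ') }

# When the service account is not a local admin, "Qlik Sense Service Users" needs
# Read on the CSP key container file under MachineKeys (what Manage Private Keys edits).
if ($IsCsp) {
    $KeyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $Key.CspKeyContainerInfo.UniqueKeyContainerName
    $Ace = (Get-Acl $KeyFile).Access | Where-Object { $_.IdentityReference -like '*Qlik Sense Service Users' }
    'Qlik Sense Service Users key ACL: ' + $(if ($Ace) { $Ace.FileSystemRights -join ', ' } else { 'MISSING' })
}

# Names the proxy will present; each hostname users type in the URL must match
# one of them exactly or via a wildcard label (see the SAN discussion above).
'Subject:       ' + $Cert.Subject
'SAN DNS names: ' + (($Cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', ')
```

A FAIL on the chain line before the root CA is imported reproduces the "not OK" Certification Path status shown in the MMC above; the cleaned `$Thumbprint` is the value to paste into the QMC.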
This means that the repository service needs to be run in bootstrap mode for the changes to take effect. Stop all Qlik Sense services except for the Qlik Sense Repository Database and Qlik Sense Service Dispatcher services. Open the command prompt as Administrator and run the following command on the Qlik Sense central node: repository.exe -bootstrap -iscentral. Once completed, start all the Qlik Sense services again, beginning with the Repository Service. The Proxy Trace Security logs found in this location should register that the new certificate is being used. So when accessing the Qlik Sense QMC or Hub using the hostname qlikserver10, no certificate error should be displayed, as long as the root CA certificate has been installed on the client as well. We can also confirm that the certificate presented to the client is the new one with the two DNS name entries.

Note that if there are multiple Qlik Sense RIM nodes with the Proxy service enabled, the same process needs to be performed on each node. If the Qlik Sense service account is not a local admin on those nodes, the bootstrap command without the -iscentral parameter needs to be used as well. For certificates, a common practice is to either add the additional RIM nodes' DNS names to the certificate as shown in this example, issue separate certificates, or use a wildcard certificate. Here's an example where the client is presented with a certificate that contains a wildcard DNS name entry in the Subject Alternative Name field. This will match any hostname used when accessing any of the Qlik Sense servers, as long as it is followed by the domain name.

If you'd like more information, search for answers using the unified search tool on the Support Portal. It searches across the support knowledge base, Qlik Community, Qlik Help site, and Qlik YouTube channels. Take advantage of the expertise of peers, product experts, and technical support engineers by asking a question in a Qlik Product Forum on Qlik Community.
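As an added example (not from the video or Qlik), the function below applies the hostname-matching rule browsers use when comparing the URL hostname with the certificate's DNS names, including the wildcard case just described: a single `*` label matches exactly one label. The SAN lists are constructed samples modelled on the two certificates in the video, and qlikserver2.domain.local is an assumed additional RIM node.

```powershell
# Added example (not Qlik's own tooling): does the hostname in the URL match
# one of the DNS names in the certificate's Subject Alternative Name field?
function Test-SanHostMatch {
    param(
        [Parameter(Mandatory)] [string]   $Hostname,
        [Parameter(Mandatory)] [string[]] $DnsNames
    )
    $h = $Hostname.TrimEnd('.').ToLowerInvariant()
    foreach ($name in $DnsNames) {
        $n = $name.TrimEnd('.').ToLowerInvariant()
        if ($n -eq $h) { return $true }            # exact match of a SAN entry
        if ($n.StartsWith('*.')) {
            # '*.domain.local' covers 'host.domain.local' but not 'domain.local'
            # itself and not 'a.b.domain.local': the wildcard spans one label only.
            $suffix = $n.Substring(1)              # '.domain.local'
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed sample SAN lists modelled on the two certificates in the video.
$SanCert      = @('qlikserver1.domain.local', 'qlikserver10.domain.local')
$WildcardCert = @('*.domain.local')

# Hostnames a user might type; qlikserver2 is an assumed extra RIM node and shows
# why the explicit SAN certificate would need re-issuing while the wildcard does not.
foreach ($url in 'qlikserver10.domain.local', 'qlikserver2.domain.local', 'app.qlikserver2.domain.local') {
    '{0,-30} SAN cert: {1,-5} wildcard cert: {2}' -f $url,
        (Test-SanHostMatch $url $SanCert), (Test-SanHostMatch $url $WildcardCert)
}
```

To test a live certificate instead of the samples, pass `(Get-Item Cert:\LocalMachine\My\<thumbprint>).DnsNameList.Unicode` as the `$DnsNames` argument.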
And don’t forget to subscribe to the Support Updates Blog. Thanks for watching!