Qlik Community

Ask a Question

Knowledge

Search or browse our knowledge base to find answers to your questions ranging from account questions to troubleshooting error messages. The content is curated and updated by our global Support team

Announcements
Support Cases coming to Qlik Community Oct. 4! Start chats, open cases, explore resources. Prep for the big move: READ DETAILS

Qlik Sense Hub and Management Console down - Bootstrap fails Newly created client certificate not valid; root certificate can't sign new certificates

Daniele_Purrone
Support
Support

Qlik Sense Hub and Management Console down - Bootstrap fails Newly created client certificate not valid; root certificate can't sign new certificates

The Qlik Sense Enterprise hub and Management Console are down. The Qlik Sense Repository Service (QRS) startup procedure does not complete.

If recreating the certificates based on How to recreate or just delete certificates in Qlik Sense does not resolve the issue.

Manually running the bootstrap fails with error:

[ERROR] Fatal exception during bootstrap: Newly created client certificate not valid; root certificate can't sign new certificates; see logs    at Qlik.Sense.Communication.Security.CertSetup.ThrowAndLogFatalRootError(String msg)
   at Qlik.Sense.Common.Security.SecuritySetup.SetupCA(String externalRootCertThumbprint, ICipherAlgorithm secretsAlgorithm, Boolean forceNewSetup)
   at Repository.Core.Bootstrap.BootstrapHandler.Install(BootstrapState bootstrapState)
   at Repository.Core.Bootstrap.BootstrapHandler.Bootstrap(BootstrapState bootstrapState)
   at Repository.QRSMain.Bootstrap()
   at Repository.QRSMain.Main()
Bootstrap mode has terminated. Press ENTER to exit..

 

Other errors in the Qlik Sense Logs include:

Certificates are not correctly installed

20201022T144326.598+0200    ERROR    APP03    Security.Repository.Qlik.Sense.Communication.Security.Certificates.CertUtil    44    c0cde05d-6354-46fb-a249-d7de93aad09c    HELD-W2K\QlikService    When accessing certificate store (loc:LocalMachine, name:Root):     

Duplicate or invalid root certificates are not allowed;

Waiting for certificates and hostname

WARN    APP03    Security.Printing.Qlik.Sense.Communication.Security.Certificates.CertValidator    4    886518e5-f503-418c-b441-094d4ed4fc2f    HELD-W2K\QlikService    Certificate 'CN=QlikClient' (D24E4965A56C5D0764E9B5255670F38B01F8D9EF) is invalid because it was not signed correctly by 886518e5-f503-418c-b441-094d4ed4fc2f

 

 

Environment: 

  • Qlik Sense Enterprise, all versions

 

Resolution:

 

This issue is caused by access issues when attempting to access/recreate the certificates and/or other GPOs that affect certificates. 

Example scenarios:

A GPO is in place which enforces duplication of the hostname-CA certificate.

or

A GPO is in place which prevents the creation of a new certificate.

It may also be possible that access to the certificate is not granted. In which case the following may help:

  1. Stop the services
  2. Launch Regedit
  3. Locate HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb.
  4. Add ProtectionPolicy DWORD 32-bit with the value of 1.
  5. Run the bootstrap process again by running "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname from an elevated (Run as Administrator) command prompt
  6. Start the services

Related Content:

Labels (1)
Version history
Revision #:
2 of 2
Last update:
‎2020-11-16 06:31 AM
Updated by:
 
Contributors