In the Qlik Sense Proxy trace logs, the last line may be indicating waiting for certificates to be installed or similar. In addition, even though Proxy service remains running, port 443 (by default) will fail to bind and start listening for requests.
Note! Do not perform the below steps in a production environment, without first doing a backup of the existing certificates. Certificates are being used to encrypt information in the QRS database, such as connection strings. By recreating certificates, you may lose information in your current setup. By removing the old/bad certificates, and restarting the Qlik Sense Repository Service (QRS), the correct certificates can be recreated by the service. If trying to remove certs, only the removal steps need to be followed.
The instructions are to be carried out on the Qlik Sense Central Node. In the case of a multi-node deployment, verify which node is the central node before continuing.
Open Qlik Sense Management Console (QMC)
Navigate to Nodes section
Add the column Central Node column through Column selector
If the current central node role is held by the failover, you need to fail the role back to the original central node by shutting down all the nodes (this implies downtime). Then start the original central node, reissue the certificates on it with this article, and when the central node is working apply the article Rim node not communicating with central node - certificates not installed correctly on each Rim node.
Step by Step instructions:
IMPORTANT NOTE: Test all data connections after the certificates are regenerated. It is likely that data connections with passwords will fail. This is because passwords are saved in the repository database with encryption. That encryption is based on a hash from the certificates. When the Qlik Sense signed certificates are regenerated, this hash is no longer valid, and the saved data connection passwords can not be decrypted. The customer must re-enter the passwords in each data connection and save. See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"
Log on to the Central node using the Qlik Service Account and navigate to the 'Services' and to the Qlik Services.
Stop the QRS (this will also stop the other services; however, make sure the postgresql-64-12 or Qlik Sense Repository Database is still running).
Open Microsoft Management Console (MMC).
Important: Execute the MMC as the account configured to run the services (using Run as a different user [Ctrl-Shift & Right click on the exe to see option]... )
Add the following snap-ins for Certificates:
My user account
Local Computer account
In Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates, delete the Self-Signed certificates created by Qlik Sense, issued by HOSTNAME.domain-CA*
*Where HOSTNAME is the machine name of the server in question and domain is the domain of the server. So for example, QlikServer1 is the computer hostname and the domain is domain.local, the certificate will be issued by QlikServer1.domain.local-CA
In Certificates (Local Computer) > Personal > Certificates, delete the Self-Signed certificate issued by HOSTNAME.domain-CA
In Certificates > Current User > Personal > Certificates, delete the Self-Signed certificate named QlikClient
Go to the folder C:\ProgramData\Qlik\Sense\Repository, delete the folder 'Exported Certificates'
Run this command from an elevated (admin) command prompt to create new certificates:
"C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname Note: If the script doesn't get to "Bootstrap mode has terminated. Press ENTER to exit.." and gets stuck at "[INFO] Entering main startup phase.." start the "Qlik Sense dispatcher service" and it will get to the end)
Verify the new certificates have been created by REFRESHING the screen for each certificate location, and then start the rest of the Qlik Sense services. In addition, verify that duplicate or multiple certificates were notcreated (rarely occurs). If so, the article will need to be followed again by starting with the deletion of the certificates.
There is no need to perform a full reinstall to propagate new certificates. Certificates are created by the QRS automatically if not found during the service startup process.
For Qlik Sense multi-cloud deployment (September 2020 or later):
NOTE: The steps in this section must be performed after recreating certificates as described above.
Start Qlik Sense Repository Database service on CENTRAL NODE, or PostgreSQL Server service if running a dedicated instance of PostgreSQL database server.
Using pgAdmin tool or any other database client, connect to SenseServices database. (IMPORTANT: the below query needs to be executed on the SenseServices DB)
Execute following query against SenseServices database:
DROP TABLE IF EXISTS hybrid_deployment_service.mt_doc_asymmetrickeysencrypt CASCADE;
Navigate to Deployments page of Multi-cloud Setup Console (MSC).
After the certificates have been recreated and then redistributed to all of the rim nodes, the node.js certificates stored locally on the central and all rim nodes also need to be recreated. Follow the below steps to perform this action:
Stop all Qlik Sense services
In Windows File Explorer, navigate to %ProgramData%\Qlik\Sense\Repository\Exported_certificates
Back up the Local certificates directory and then delete it
Restart the Qlik Sense services
IMPORTANT NOTE: Test all data connections after the certificates are rebuilt. It is likely that data connections with passwords will fail. This is because passwords are saved in the repository database with encryption. That encryption is based on a hash from the certs. When the Qlik Sense self-signed cert is rebuilt, this hash is no longer valid, and so the saved data connection passwords will fail. The customer must re-enter the passwords in each data connection and save. See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"
Self Signed Certificates:
Notice if using an official Signed Server Certificate from a trusted Certificate Authority
The certificate information will also be in the QMC, under Proxies, with the Certificate thumbprint listed. If trying to merely remove all aspects of certs, this will need to be removed as well.
Go to Proxies
Select your Proxy and click Edit
In the right pane, select Security
Scroll down and locate "SSL browser certificate thumbprint" in the Security section to locate the thumprint info.
If the Central Node repository service hanging in the logs:
Look for this Example "API service initialized with 1501 available methods". This is Central Node.
If you see this Example "API service initialized with 2 available methods". This is a Rim node.
For Central Node you should see as an example ""API service initialized with 1501 available methods".
Running this command "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname will resolved this issue.