...
This is a child article of the following: Troubleshooting SSL certificate issues in VMware Horizon

Horizon Console dashboard displays the Connection Server in a red status.
Connection Server displays errors in Horizon Console:
    Connection Server certificate is not trusted
    Server's certificate cannot be checked
You can connect externally through the Connection Server via UAG, with end clients potentially receiving a message similar to:
    "Connection Failed Error: HTTP error 404 Please verify that Connection Server address and network settings are correct and try again"
The certificates on the server are valid. (In some scenarios an expired certificate can produce similar symptoms.)
In the Connection Server DEBUG logs, you see entries that show InvalidCertificateException[reasons:notTrusted;cantCheckRevoked;

This article provides guidance on troubleshooting certificate revocation issues in Horizon.
This issue occurs if the Certificate Revocation List (CRL) includes a URL that cannot be accessed from the Connection Server.
To resolve this issue, ensure that all Connection Servers can check the URL in the Certificate Revocation List (CRL) and all certificates in the chain are valid and healthy.

Your environment may have a proxy server that controls network access, and you may need to add this server address to the proxy settings on all Connection Servers. You can verify your proxy settings on a server by checking Browser Settings. Alternatively, you can run netsh at a command prompt, as in the sample below.

    C:\Users\User1>netsh
    netsh>winhttp
    netsh winhttp>show proxy
    Current WinHTTP proxy settings:
        Direct access (no proxy server).

Procedure:
1. Edit the locked.properties file in the SSL gateway configuration folder on the Connection Server reporting the issue.
2. Set the enableRevocationChecking property to true.
    enableRevocationChecking=true
3. To add multiple CRL location properties, add the following properties:
    crlLocation.1=http://location1.crl
    crlLocation.2=http://location2.crl
4. Verify these locations are accessible to the host.

Note that Horizon Services may need to be restarted once you have configured access to the CRL.
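One way to check that the crlLocation entries in locked.properties are reachable from the Connection Server and return a CRL rather than a proxy or error page. This PowerShell script is an added example, not VMware code and not part of the original article. The -PropertiesPath parameter is an assumption: pass the full path to your own locked.properties file.

```powershell
# Added example. Run on the Connection Server that reports the issue.
param(
    # Assumption: full path to locked.properties (the article does not state it).
    [Parameter(Mandatory = $true)][string] $PropertiesPath
)

# Parse key=value lines, ignoring blank lines and comments.
$props = @{}
foreach ($line in Get-Content -LiteralPath $PropertiesPath) {
    $text = $line.Trim()
    if ($text -eq '' -or $text.StartsWith('#')) { continue }
    $key, $value = $text -split '=', 2
    if ($null -ne $value) { $props[$key.Trim()] = $value.Trim() }
}

if ($props['enableRevocationChecking'] -ne 'true') {
    Write-Warning 'enableRevocationChecking is not set to true in this file.'
}

# Collect the crlLocation.N entries in numeric order.
$locations = $props.Keys | Where-Object { $_ -match '^crlLocation\.\d+$' } |
    Sort-Object { [int]($_ -replace '^crlLocation\.', '') }
if (-not $locations) { Write-Warning 'No crlLocation.N properties found.' }

foreach ($name in $locations) {
    $result = [ordered]@{
        Property = $name; Url = $props[$name]
        Reachable = $false; LooksLikeCrl = $false; Detail = ''
    }
    try {
        $request = [System.Net.WebRequest]::Create($props[$name])
        $request.Timeout = 10000   # milliseconds
        $response = $request.GetResponse()
        try {
            # A DER CRL starts with 0x30 (ASN.1 SEQUENCE); a PEM CRL starts with '-'.
            $first = $response.GetResponseStream().ReadByte()
            $result.Reachable = $true
            $result.LooksLikeCrl = ($first -eq 0x30 -or $first -eq 0x2D)
            if (-not $result.LooksLikeCrl) { $result.Detail = 'Response is not a CRL (proxy or error page?)' }
        } finally { $response.Close() }
    } catch {
        # DNS failure, timeout, HTTP error or unsupported URL scheme.
        $result.Detail = $_.Exception.Message
    }
    [pscustomobject]$result
}
```

A pass here reflects the proxy settings of the account running the script, which can differ from the WinHTTP settings shown by netsh.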
Important: CRL checking is an important defense in the security of your environment, and disabling CRL checking is frequently not a long-term solution, nor is it recommended as one. Ideally, if you proceed, it is better to remove internet access from the server in question.

Workaround:
To work around this issue, create a CertificateRevocationCheckType registry string in Windows Registry.

Note: This procedure modifies the Windows registry. Before making any registry modifications, ensure that you have a current and valid backup of the registry and the virtual machine. If you are using multiple Connection Servers, you need to make this registry modification on all Connection Servers.

1. Navigate to HKEY_LOCAL_MACHINE\Software\VMware, Inc.\VMware VDM\Security\ on the Horizon Connection Server.
   Caution: Ensure that you make changes in the Connection Server and not the Security Server.
2. Create the CertificateRevocationCheckType registry string (REG_SZ) and set its value to 1.
   Note: Reboot is not required to make this change take effect.

For more information, see:
View Administrator shows security servers’ health status as red, with the message: Server certificate cannot be checked (2035818)
The Administration dashboard in VMware Horizon View 5.1/5.2/5.3 reports the following error: Server's certificate cannot be checked
The Administration dashboard in VMware Horizon View reports an error: Server's certificate cannot be checked