Problem
You have just successfully upgraded your VMware Horizon View 7.0.2 environment to 7.4.0 but noticed that the System Health of the View Composer Servers now displays a Red status with The service is not working properly and SSL as Unknown with no option of accepting the self signed certificate that the Composer service is using as you would normally expect to see.
The View 7.4.0 environment is currently using an older vSphere 5.5 environment and you have confirmed that TLS 1.0 has been enabled as per the following document:
Enable TLSv1.0 on vCenter and ESXi Connections from View Compose
Reviewing the event logs on the View Connection server show that the following error is logged:
Log Name: Application
Source: VMware
Event ID: 105
Level: Error
User: System
BROKER_SVI_CERT_INVALID
Certificate is invalid for Composer at address https://contosodrvc01.contoso.com:18443
Attributes:
Node=contosoUKVV01.contoso.com
ComposerId=https://contosodrvc01.contoso.com:18443
Severity=ERROR
Time=Fri Feb 02 22:01:58 GMT 2018
Module=Broker
Source=com.vmware.vdi.desktopcontroller.PublishVcCertToSviFederatedTask
Acknowledged=true
The Events in the View Administrator console display the following message:
Certificate is invalid for Composer at address https://<vcenter>.FQDN.com:18443
Attempting to view the properties of a linked-clone pool displays the following error:
The certificate configured on View Comopser Server is invalid, blocking communication with this server. To resume communication, replace the certificate with a valid certificate signed by a CA. Alternatively, accept the certificate thumbprint by clicking Verify in the View Administrator dashboard.
You’ve confirmed that the correct self-signed certificate is assigned to the VMware Horizon View Composer service by executing the command:
sviconfig -operation=ReplaceCertificate -delete=false
You’ve tried changing the pae-SVIURL to the short NetBIOS name instead of the FQDN:
Solution
If you do not include on issuing a certificate from a trusted Certificate Authority and would like to use the self-signed certificate, the way to accept it is to navigate to the View Configuration > Servers menu, select the vCenter instance then click Edit to bring up the vCenter Server settings, then click Edit under the View Composer Server Settings section:
Getting into the configuration settings of the View Composer will now display the following invalid certificate detected prompt:
Click on the View Certificate… button will display the option to accept the self-signed certificate:
Accepting the certificate should now display the View Composer Servers health as green:
3 comments:
Hey, thank you for your blog! It has saved me a lot of time!
We're running Horizon View 7.0.2 and we want to upgrade yo 7.4 (or 7.5). We've "played" a lot with it in our lab environment and no problems. But a friend of mine has told me we have to upgrade first to version 7.2 and then to 7.4 (or 7.5) because, if not, some configurations might be lost.... do you know if it's true? Do you have a post explainig the upgrade processs?
Thank you very much!
Hi Santiago, I Will do this upgrade tomorrow, and I tell you my experience.
Hey Terence!
Recently, we suffered a catastrophic vSAN loss due to some guys messing around in the data center. We lost a lot of data and had to rebuild some things. vCenter being one of them. Our DCs were down at the time and so I created a new vCenter (new IP and all) with the IP address as the name (vCenter provisioning would fail if I tried using a DNS name because it couldn't be queried). Anyhoo - got everything back up and running and pointed our Horizon View environment to the new vCenter. Had to delete all the existing VDI pools and rebuild them, all was good. UNTIL - I finally removed the old vCenter object from Horizon under servers. The server wasn't even alive anymore, it had been gone for weeks. But it messed something up with certificates and now we have a slew of certificate errors. Primarily "horizon view message:validatecertificatechain result:FAIL endentityreasons: namemismatch" and "virtualcenterdriver unable to connect to view composer server", etc. So I cleaned up all of the stale vCenter entries in view composer Database, also from ADSI edit, and everything looked ok. I updated the server name in the virtual center object properties from ADSI edit and changed it from the IP address to the FQDN. Made sure the SSL thumbprints were added for vCenter and View Composer (the fields were empty), lots of reboots in the correct boot order, and also verified in sviconfig that the certificate fqdn matches in the pae-SVIURL attribute value (+18443). The external URL for vCenter is still the IP (I don't think I can change this), but I have a DNS record that resolves the IP to the name. Not really sure what else to do. All of my VMs can be accessed/logged into by our users, but I can't manage anything. Screen is blank in Horizon when I select a pool and tons of errors in the Horizon logs mentioning certificate mismatch issues. Any direction you can provide would be super amazing. Our vCenter support agreement ended nearly 4 years ago, so I'm winging it the best I can. Thanks SO much!
Post a Comment