How to recreate or just delete certificates in Qlik Sense - No access to QMC or Hub
Article Number: 000005402 | Last Modified: 2020/03/11
After installing, renewing, or changing a third-party certificate for use with Qlik Sense, the Qlik Management Console (QMC) and Hub may become inaccessible, leading to "Page Cannot Be Displayed".
In the Proxy trace logs, the last line may indicate that the service is waiting for a certificate to be installed, or similar. In addition, even though the Proxy service remains running, port 443 (by default) will fail to bind and start listening for requests.
Note! Do not perform the below steps in a production environment without first doing a backup of the existing certificates. Certificates are used to encrypt information in the QRS database, such as connection strings. By recreating certificates, you may lose information in your current setup. By removing the old/bad certificates and restarting the Qlik Sense Repository Service (QRS), the correct certificates can be recreated by the service. If trying to remove certs, only the removal steps need to be followed.
The instructions are to be carried out on the Master (Central) nodes only.
In case of a cluster, verify which node is the central node before continuing. This can be achieved by looking at the Qlik Sense Management Console and Nodes menu on the left. Review which node is flagged as the central node. To make the flag visible, add the column Central Node to the current list. If the central node role is held by the failover, you need to fail the role back to the original central node by shutting down all the nodes (this implies down time). Then start the original central node, reissue the certificates on it with this article, and when the central node is working apply the article Rim node not communicating with central node - certificates not installed correctly on each Rim node.
Step by Step instructions:
Log on to the Central node using the Qlik Service Account and navigate to 'Services' and to the Qlik Services.
Stop the QRS (this will also stop the other services; however, make sure the Qlik Sense Repository Database is still running).
Open Microsoft Management Console (MMC). Important: Execute the MMC as the account configured to run the services (using Run as different user [Ctrl-Shift & Right click on the exe to see option]... )
Add the following snap-ins for Certificates:
My user account
Local Computer account
In Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates, delete the Self-Signed certificates created by Qlik Sense, issued by HOSTNAME.domain-CA, where HOSTNAME is the machine name of the server in question and domain is the domain of the server. For example, if QlikServer1 is the computer hostname and the domain is domain.local, the certificate will be issued by QlikServer1.domain.local-CA
In Certificates (Local Computer) > Personal > Certificates, delete the Self-Signed certificate issued by HOSTNAME.domain-CA
In Certificates > Current User > Personal > Certificates, delete the Self-Signed certificate named QlikClient
Go to the folder C:\ProgramData\Qlik\Sense\Repository, delete the folder 'Exported Certificates'
Run this command from an elevated (admin) command prompt to create new certificates:
"C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname
Note: If the script doesn't get to "Bootstrap mode has terminated. Press ENTER to exit.." and gets stuck at "[INFO] Entering main startup phase..", start the "Qlik Sense dispatcher service" and it will get to the end.
Verify the new certificates have been created by REFRESHING the screen for each certificate location, and then start the rest of the Qlik Sense services. In addition, verify that duplicate or multiple certificates were not created (rarely occurs). If so, the article will need to be followed again, starting with the deletion of the certificates.
There is no need to perform a full reinstall to propagate new certificates. Certificates are created by the QRS automatically if not found during the service startup process.
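The backup called for in the note above, and the duplicate check in the verification step, can be scripted. The following is an added example, not part of the original article or a Qlik tool: it lists the certificates issued by the HOSTNAME.domain-CA issuer in the three stores named in the steps, warns about duplicates, and exports a backup. The backup folder and the parameter names are assumptions.

```powershell
# Added example: read-only inventory plus backup; it deletes nothing.
# Run as the Qlik service account so Cert:\CurrentUser is that account's store.
param(
    # CA name from the article's pattern, e.g. QlikServer1.domain.local-CA
    [Parameter(Mandatory)] [string] $IssuerCN,
    # Hypothetical backup folder; choose a location with restricted access.
    [string] $BackupDir = 'C:\QlikCertBackup'
)

$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My'

# Collect every certificate issued by the Qlik Sense CA in the three stores.
$found = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $_.Issuer -like "CN=$IssuerCN*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store = $store; Subject = $_.Subject; Thumbprint = $_.Thumbprint
                NotAfter = $_.NotAfter; HasPrivateKey = $_.HasPrivateKey; Cert = $_
            }
        }
}
$found | Format-Table Store, Subject, Thumbprint, NotAfter, HasPrivateKey -AutoSize

# More than one certificate with the same subject in one store is the
# duplicate condition the verification step warns about.
$found | Group-Object Store, Subject | Where-Object Count -gt 1 |
    ForEach-Object { Write-Warning "Duplicate certificates: $($_.Name)" }

# Back up: PFX (with private key) where possible, otherwise public part only.
if ($found) {
    $pw = Read-Host -AsSecureString -Prompt 'Password to protect the PFX files'
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($f in $found) {
        $base = Join-Path $BackupDir (($f.Store -replace '[:\\]+', '_') + '_' + $f.Thumbprint)
        try {
            if (-not $f.HasPrivateKey) { throw 'no private key' }
            Export-PfxCertificate -Cert $f.Cert -FilePath "$base.pfx" -Password $pw -ErrorAction Stop | Out-Null
        } catch {
            Write-Warning "$($f.Subject): PFX export not possible ($_); saving public certificate only"
            Export-Certificate -Cert $f.Cert -FilePath "$base.cer" | Out-Null
        }
    }
}
```

The .pfx files contain private keys, so restrict access to the backup folder and remove the files once they are no longer needed.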
After the certificates have been recreated and then redistributed to all of the rim nodes, the node.js certificates stored locally on the central and all rim nodes also need to be recreated. Follow the below steps to perform this action:
Stop all Qlik Sense services
In Windows File Explorer, navigate to %ProgramData%\Qlik\Sense\Repository\Exported_certificates
Back up the Local certificates directory and then delete it
Restart the Qlik Sense services
IMPORTANT NOTE: Test all data connections after the certificates are rebuilt. It is likely that data connections with passwords will fail. This is because passwords are saved in the repository database with encryption. That encryption is based on a hash from the certs. When the Qlik Sense self-signed cert is rebuilt, this hash is no longer valid, and so the saved data connection passwords will fail. The customer must re-enter the passwords in each data connection and save. See article: Repository System Log Shows Error "Not possible to decrypt encrypted string in database"
Self Signed Certificates:
Notice if using an official Signed Server Certificate from a trusted Certificate Authority
The certificate information will also be in the QMC, under Proxies, with the Certificate thumbprint listed. If trying to merely remove all aspects of certs, this will need to be removed as well.
Go to Proxies
Select your Proxy and click Edit
In the right pane, select Security
Scroll down and locate "SSL browser certificate thumbprint" in the Security section to find the thumbprint info.
If the Central Node repository service is hanging, check the logs:
Look for a line such as "API service initialized with 1501 available methods". This indicates a Central Node.
If you see a line such as "API service initialized with 2 available methods", this is a Rim node.
For a Central Node you should see, as an example, "API service initialized with 1501 available methods".
Running the command "C:\Program Files\Qlik\Sense\Repository\Repository.exe" -bootstrap -iscentral -restorehostname will resolve this issue.