After an upgrade from QlikView 11.20 to QlikView 12.x with certificate trust used for the communication between the services, the following events are logged in a loop in the QlikView Server (QVS) Event logs on a separate QlikView Server (QVS) node:
20180316T151410.000+0100 20180316T152148.000+0100 2 500 Warning TlsSocket: Client certificate verification failed with error code 80096004
20180316T151410.000+0100 20180316T152148.000+0100 1 300 Error SSL: Main loop error: The operation completed successfully.
However, the environment is fully functional.
Environment:
QlikView 12.00 / 12.10 / 12.20 certificate trust
Error code 80096004 is a Windows error code meaning:
The signature of the certificate cannot be verified.
Reference: https://msdn.microsoft.com/en-us/library/windows/desktop/aa377188(v=vs.85).aspx
This indicates that QlikView cannot complete the full verification of the certificate chain.
When you upgrade from QlikView 11.20 to 12.x, the old certificates are not removed and new ones are created, so if you do not remove the certificates manually prior to the upgrade, you will end up with duplicate certificates.
You can live with this situation, as QlikView will work perfectly fine, but we have seen cases where a manual cleanup of the duplicate certificates was attempted and the wrong QlikViewCA (the newly created one) was removed.
In this situation the certificate chain gets broken since the correct QlikViewCA does not exist anymore.
To resolve this issue you can re-import the deleted certificate if you have taken a backup prior to deletion.
If you do not have a backup, you can export the QlikViewCA (and only the QlikViewCA) from the QlikView Management Service (QMS) server and import it on the QlikView Server (QVS) machine.
You do not need to export the certificate with the private key, so an export to CER format is sufficient.
You will need to make sure you are exporting the correct certificate if the duplicate is still there. To do so, compare the certificate thumbprints between the QlikView Management Service (QMS) server and the QlikView Server (QVS). You will likely need to export the one that does not exist on the QlikView Server (QVS) machine.
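The thumbprint comparison and CER export described above can be scripted in PowerShell. This is an added example, not code from Qlik; the working folder, the CSV file name and the subject filter '*QlikViewCA*' are assumptions, and the script searches every LocalMachine store because the article does not name one.

```powershell
# Added example. Paths and file names are hypothetical; adjust to your environment.
$SubjectMatch = '*QlikViewCA*'   # CA name as given in the article
$OutDir       = 'C:\Temp'        # hypothetical working folder

function Get-QlikViewCACert {
    # Search every LocalMachine store, so no store name has to be assumed.
    Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] -and
            $_.Subject -like $SubjectMatch
        } |
        Select-Object @{ n = 'Computer'; e = { $env:COMPUTERNAME } },
                      @{ n = 'Store';    e = { ($_.PSParentPath -split '\\')[-1] } },
                      Thumbprint, Subject, NotBefore, NotAfter
}

# Step 1 (run on the QVS machine): save the inventory and copy the CSV to the QMS server.
# Get-QlikViewCACert | Export-Csv -NoTypeInformation -Path "$OutDir\QlikViewCA-QVS.csv"

# Step 2 (run on the QMS server): find QlikViewCA certificates the QVS machine lacks.
$qms = @(Get-QlikViewCACert)
$qvs = @(Import-Csv -Path "$OutDir\QlikViewCA-QVS.csv")
$missing = @($qms | Where-Object { $qvs.Thumbprint -notcontains $_.Thumbprint } |
    Sort-Object -Property Thumbprint -Unique)

$qms | Format-Table Store, Thumbprint, NotBefore, NotAfter -AutoSize
if ($missing.Count -eq 0) {
    Write-Host 'Every QlikViewCA thumbprint on QMS is already present on QVS.'
}

# Step 3: export each missing CA as DER-encoded .cer (public certificate only, no private key).
foreach ($c in $missing) {
    $cert = Get-Item -Path "Cert:\LocalMachine\$($c.Store)\$($c.Thumbprint)"
    $file = Join-Path $OutDir "QlikViewCA-$($c.Thumbprint).cer"
    Export-Certificate -Cert $cert -Type CERT -FilePath $file | Out-Null
    Write-Host "Exported $($c.Thumbprint) from store '$($c.Store)' to $file"
}
```

The NotBefore column helps distinguish the certificate created during the upgrade from the older duplicate before anything is imported on the QVS machine.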
Another possibility is a policy preventing the QlikView Service account from properly resolving the certificate chain.
Please make sure the QlikView Service account is a full administrator of the machine and is not restricted by policies or anything else.