Also known as: “Problems renewing the Horizon Connection server certificate”
When renewing the certificate used by the Horizon Connection Server, it is important to use the correct settings. If you don't, the Horizon Connection Server service will be running, but you won't be able to reach the Horizon Admin Console or even log on to Horizon.
After renewing the Horizon Connection Server certificate you need to restart the Horizon Connection Server service. Doing so stops all Horizon-related services, after which they all start again. While waiting for the services to start I noticed almost all services were already running, except the Horizon View Blast Secure Gateway service, which was in a "Paused" state. Refreshing the services list showed it was regularly switching between "Starting" and "Paused". The Horizon Admin Console was also not reachable.
When trying to access the Horizon Admin Console we get: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
So it looks like the new certificate is causing this.
After checking the logs in %programdata%\VMware\VDM\logs I noticed the following in the default log:
2023-03-17T13:25:01.081+01:00 INFO (13A8-1860) [x] The Secure Gateway Server is checking for connection attempts on http://, port:80
2023-03-17T13:25:01.081+01:00 INFO (13A8-1860) [x] The Secure Gateway Server is using SSL certificate store of type KeyVault
2023-03-17T13:25:01.097+01:00 INFO (13A8-1860) [x] The Secure Gateway Server is listening on https://, port:443
2023-03-17T13:25:01.269+01:00 ERROR (13A8-1B6C) [cc] IOException executing request http://127.0.0.1:8123/reset : Connection refused: connect com.vmware.vdi.logger.Logger.error(Logger.java:92)
java.net.ConnectException: Connection refused: connect
Then I went looking into the debug logs and found this:
2023-03-17T13:00:10.776+01:00 WARN (15F4-157C) <pool-3-thread-20> [KeyVaultKeyStore] (NetHandler) Failed to find key for: “vdm”
2023-03-17T13:00:10.776+01:00 DEBUG (15F4-157C) <pool-3-thread-20> [KeyVaultKeyStore] (NetHandler) com.vmware.vdi.orchestratorj.keyvault.KeyVaultException: Unable to get certificate private key: Error: 30000 com.vmware.vdi.logger.Logger.debug(Logger.java:44)
This shows that the private key of the certificate used for the Horizon Connection Server is not exportable: the key store finds the certificate with friendly name "vdm" but cannot get hold of its private key (error 30000). The private key must be marked "exportable", otherwise the Horizon Connection Server cannot use the certificate. By default a newly requested or imported key is not exportable, so this is easily overlooked. Note that the lookup in the log is done by friendly name, so the renewed certificate also needs the friendly name "vdm" for Horizon to pick it up at all.
If you're using an internal Certificate Authority, select the "Make private key exportable" option when requesting the certificate (or create a certificate template on your CA where this option is already set).
If you're importing a PFX certificate generated elsewhere, enable the "Mark this key as exportable..." option during the import.
Once the certificate has an exportable private key, all services start normally and after a few minutes the Horizon Admin Console is accessible again.
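The check and fix described above, as an added PowerShell example that is not part of the original post or of any VMware tooling. It assumes the certificate's friendly name is "vdm" (the name the KeyVaultKeyStore log line looks up), that the Connection Server service display name starts with "VMware Horizon" and contains "Connection Server", that the debug logs are named debug*.txt, and that -PfxPath/-PfxPassword are hypothetical parameters pointing at a PFX exported elsewhere. Run it in an elevated PowerShell session on the Connection Server: it reports whether the private key behind the "vdm" certificate is exportable (for both CNG and legacy CAPI keys), optionally re-imports the PFX with -Exportable, and, with -RestartServices, restarts the Connection Server service and watches the Horizon services settle so a service stuck flipping between "Starting" and "Paused" is visible.

```powershell
<#
  Added example, not part of the original post: check the Horizon Connection Server
  certificate in LocalMachine\My, optionally re-import a PFX with an exportable key,
  and watch the Horizon services after the restart.
  Assumptions (not stated on the page): the certificate's friendly name is "vdm",
  the Connection Server service display name matches 'VMware Horizon*Connection Server*',
  the debug logs are named debug*.txt, and -PfxPath/-PfxPassword are hypothetical
  parameters pointing at a PFX you exported elsewhere.
#>
param(
    [string]       $FriendlyName = 'vdm',
    [string]       $PfxPath,          # optional: re-import this PFX with an exportable key
    [securestring] $PfxPassword,
    [switch]       $RestartServices
)

function Test-PrivateKeyExportable {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        # CNG key: the export policy flags decide whether the key may leave the KSP at all
        $policy = $rsa.Key.ExportPolicy
        return ($policy -band [System.Security.Cryptography.CngExportPolicies]::AllowExport) -ne 0
    }
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CAPI key: the CSP container records the exportable flag set at import/enrolment
        return $rsa.CspKeyContainerInfo.Exportable
    }
    return $null   # non-RSA key (e.g. ECDSA): not checked by this helper
}

# 1. Optional fix: import the PFX again, this time with -Exportable, and give it the friendly name.
if ($PfxPath) {
    $imported = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation 'Cert:\LocalMachine\My' `
                                      -Password $PfxPassword -Exportable
    $imported.FriendlyName = $FriendlyName
}

# 2. Report every certificate Horizon could pick up under that friendly name.
$certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\My' | Where-Object { $_.FriendlyName -eq $FriendlyName })
if ($certs.Count -eq 0) { throw "No certificate with friendly name '$FriendlyName' in LocalMachine\My" }
if ($certs.Count -gt 1) { Write-Warning "More than one certificate is named '$FriendlyName'; check which one is in use" }

$certs | ForEach-Object {
    [pscustomobject]@{
        Subject       = $_.Subject
        Thumbprint    = $_.Thumbprint
        NotAfter      = $_.NotAfter
        HasPrivateKey = $_.HasPrivateKey
        Exportable    = Test-PrivateKeyExportable -Cert $_
    }
} | Format-Table -AutoSize

# 3. Show the symptom from the debug log, if it has already been hit (file name pattern assumed).
Select-String -Path "$env:ProgramData\VMware\VDM\logs\debug*.txt" `
              -Pattern 'Failed to find key for|Unable to get certificate private key' `
              -ErrorAction SilentlyContinue |
    Select-Object -Last 3 -ExpandProperty Line

# 4. Restart the Connection Server service (its dependents stop with it) and watch the Horizon
#    services settle; a service that keeps flipping between Starting and Paused points at the key.
if ($RestartServices) {
    $broker = Get-Service -DisplayName 'VMware Horizon*Connection Server*' | Select-Object -First 1
    Restart-Service -InputObject $broker -Force
    1..12 | ForEach-Object {
        Start-Sleep -Seconds 10
        Get-Service -DisplayName 'VMware Horizon*' | Select-Object DisplayName, Status | Format-Table -AutoSize
    }
}
```

Run the report first without -RestartServices; if Exportable is False for the "vdm" certificate, re-run with -PfxPath and the PFX password, confirm Exportable is True, and only then restart the service. A certificate with the right key but the wrong friendly name shows up as "No certificate with friendly name 'vdm'", which is a different problem from the one in this post.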