Server’s certificate is not trusted

Also known as: “Certificate revocation check failed”

A while ago I had an issue with a Horizon customer, where I got an error on the Horizon dashboard saying “The server’s certificate is not trusted”. The error message appeared for all connection servers we had.

This was very strange, as we hadn’t changed any certificate-related things and I was pretty sure that the certificate was not expired either. Clicking on the “Certificate Management” link confirmed that: The certificate was valid from 14/03/2024 until 12/03/2028 and today was 06/01/2025. Also, the Common Name and the Subject Alternative names were correct.

The next thing I did was check the intermediate and root CA, but those were also completely fine.

I started digging into the Connection server logs but couldn’t find anything related to the certificate error, so I contacted Omnissa Support to have a deeper look into the logs. They promptly got back to me with the following error in the ws_diag.txt file inside the support log bundle:

...
tracker = 
    name = "SGHealth"
    trackerObjects = 
        TrackerObject = "(TrackerObject SGHealth:connection-server-1 ... ATTR_SG_CERTINVALID_REASON:STRING=NOT_TRUSTED ... ATTR_CHAIN_INVALID_REASONS:STRING=cantCheckRevoked ...
...

The error was probably caused because the connection server could not check the revocation status of the certificate. To be sure, I created the following registry key on one of the connection servers:

HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware VDM\Security
CertificateRevocationCheckType (REG_SZ): 1

No need to restart any services: after a few minutes, the error disappeared for that connection server!
So the error was caused by the revocation check. I removed the registry key again to re-enable the revocation check.

A quick call to the network team of the customer confirmed they had recently made some changes to the firewalls and some rules were still missing. After an update of the firewall, the error message disappeared for all connection servers.

Conclusion

Despite the error message saying that the certificate is not trusted, the certificate was completely fine, but the connection server refused to trust it because it was unable to check if the certificate was revoked.
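
To see which revocation endpoints a connection server needs to reach without disabling the check, the following PowerShell can be run on the server. It is an added example, not part of the original troubleshooting and not Omnissa tooling; it assumes the server certificate sits in the LocalMachine\My store with the friendly name "vdm" (adjust the filter if yours differs).

```powershell
# Added example. Assumption: the certificate is in LocalMachine\My with friendly name "vdm".
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'vdm' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name 'vdm' found" }

# Build the chain with online revocation checking, as a strict client would.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
$ok = $chain.Build($cert)
"Chain valid with revocation check: $ok"

# RevocationStatusUnknown / OfflineRevocation mean the CRL or OCSP responder
# could not be reached; they do not mean the certificate is revoked.
$chain.ChainStatus | ForEach-Object {
    "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim()
}

# Collect HTTP(S) URLs from the CRL Distribution Points (2.5.29.31) and
# Authority Information Access (1.3.6.1.5.5.7.1.1, OCSP and CA issuers)
# extensions of every certificate in the chain.
$urls = foreach ($el in $chain.ChainElements) {
    foreach ($ext in $el.Certificate.Extensions) {
        if ($ext.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
            [regex]::Matches($ext.Format($false), 'https?://[^\s,)]+') |
                ForEach-Object { $_.Value }
        }
    }
}

# Test TCP reachability of each endpoint from this server.
$urls | Sort-Object -Unique | ForEach-Object {
    $u = [uri]$_
    $t = Test-NetConnection -ComputerName $u.Host -Port $u.Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Url = $_; TcpReachable = $t.TcpTestSucceeded }
} | Format-Table -AutoSize
```

Any URL listed with TcpReachable set to False is a candidate for a missing firewall rule.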
