VMware/Citrix SSL, a long day
In a search of the inter-webs, there was reference to a Citrix support article. The article can be found at u will likely run into this issue. A few weeks back the server team had to reissue the certificates across the enterprise. When something like this happens, you find out how many platforms and applications tie into vCenter.
What ended up happening was all of the power states for our Citrix Virtual Apps and Desktops went unknown. This caused a significant amount of management problems at a minimum. Had it gone on long enough, it would have had a major impact on users' ability to perform their work.
From the Citrix perspective, we did all the standard troubleshooting. From the broker we open the vCenter web portal. Everything checked out, not getting any certificate errors. What was really complicating troubleshooting was that the connection testing from Citrix Studio was giving inconsistent results.
In a search of the interwebs there was reference to a Citrix support article. The article can be found at https://support.citrix.com/article/CTX224551. In attempting to access it, it was found to be blocked. So open a Citrix case we did. Support was able to confirm that even though the updated certificate was updated and trusted by our brokers, the SSL thumbprint needed to be updated on the brokers for communication to work properly. (Commands specific to updating SSL thumbprint at bottom of this page)
The article was just what we needed and we avoided a major outage. However what was frustrating was that this seemed like a known issue and something that could be easily avoided. This seemed like it could have been avoided had the article been public. Updating certificates should be a common occurrence which would make updating the thumbprint common as well.
Thankfully the article is now publicly available as it should have been the whole time. Keep in mind this applies to both those using Citrix Virtual Apps and Desktops on-prem as well as those using Citrix Cloud. Those on Citrix Cloud would run these commands on their cloud connectors. As fate would have it, I talked with two other customers that week that faced the exact same issue. I hope this saves you some time, and now a call to support.
From the Certificate Manager, remove the old certificate on each of the delivery controllers.
Method 2: Update the XenDesktop database with the thumbprint of the new certificate
SSL Thumbprints of the Hypervisor connections are stored in the SQL table "HostingUnitServiceSchema.HypervisorConnectionSSLThumbprint" within the XenDesktop site database. The new thumbprint can be updated using the following PowerShell cmdlets.
1) $cred = Get-Credential 2) Set-Item -LiteralPath "<FullPath_to_connection>" -username $cred.username -Securepassword $cred.password -SslThumbprint "<New ThumbPrint>" -hypervisorAddress <vcenter URL>
** Note: The Certificate Thumbprint has to be written in Capital Letters
E.g. Set-Item -LiteralPath "XDHyp:\Connections\EsxLab" -username $cred.username -securepassword $cred.password -sslthumbprint "XXXXXXXXXXXXXXXXXXX" -hypervisorAddress https://vcenter.example.com After changing the thumbprint of the new certificate: For Citrix Cloud environments, restart all cloud connectors in the zone containing the vCenter.For on-premises environments, restart the Citrix Host Service.Launch Citrix Studio. Test the host connection and catalogs.