Oct 06 2015
 

When using Citrix XenCenter 6.5, I was suddenly unable to connect to a XenServer instance running 6.2. The following was in the XenCenter Event log.

Failed to connect to foo.example.com
The request was aborted: Could not create SSL/TLS secure channel.

This was not due solely to the version mismatch but, seemingly, to an update in XenCenter which forces stricter SSL checks. The only difference I found was that the XenServer instance I was unable to connect to had a cert containing an old IP address.

The first thing I did was update the parameters used to generate the SSL certificate:

vim /opt/xensource/libexec/generate_ssl_cert

Then I was able to simply regenerate the certificate using the new parameters (and giving the resulting certificate the new IP address):

/opt/xensource/libexec/generate_ssl_cert /etc/xensource/xapi-ssl.pem $(hostname -f) && /etc/init.d/xapi start

Once completed, I was able to connect successfully.

 Posted by at 12:18
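
The post traces the failure to a certificate that still carried an old IP address. As an added example (not part of the original post, and not XenCenter's own logic), the Python below checks whether a certificate's names cover the address a client connects to. It assumes generic name-matching rules (SAN first, CN only when no SAN exists) and uses constructed sample certificates in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the addresses are placeholders.

```python
import ipaddress

# Constructed sample data in the dict shape of ssl.SSLSocket.getpeercert().
# Addresses are documentation-range placeholders, not values from the post.
OLD_CERT = {"subject": ((("commonName", "192.0.2.10"),),)}
NEW_CERT = {"subject": ((("commonName", "foo.example.com"),),),
            "subjectAltName": (("DNS", "foo.example.com"), ("IP Address", "192.0.2.20"))}

def _as_ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def cert_names(cert):
    """Split a certificate's names into (san_dns, san_ips, common_names)."""
    san = cert.get("subjectAltName", ())
    dns = [v for k, v in san if k == "DNS"]
    ips = [_as_ip(v) for k, v in san if k == "IP Address"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def _dns_match(pattern, host):
    """Case-insensitive match; '*' may only replace the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(cert, target):
    """True if the certificate names the host or IP the client connects to."""
    dns, ips, cns = cert_names(cert)
    addr = _as_ip(target)
    if addr is not None:
        if addr in ips:
            return True
        # Assumption: fall back to CN only when the cert has no SAN at all.
        return not (dns or ips) and addr in [_as_ip(c) for c in cns]
    if any(_dns_match(d, target) for d in dns):
        return True
    return not (dns or ips) and any(_dns_match(c, target) for c in cns if _as_ip(c) is None)

if __name__ == "__main__":
    for label, cert in (("old", OLD_CERT), ("regenerated", NEW_CERT)):
        for target in ("192.0.2.10", "192.0.2.20", "foo.example.com"):
            print(f"{label:12} {target:16} covered={covers(cert, target)}")
```

Running the same comparison against the names in the certificate before and after regeneration shows whether the address used in XenCenter is actually present in it.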

  5 Responses to “Regenerate Citrix Xenserver SSL certificate”

  1. Any suggestions on what to do on older versions of XenServer? I have a few servers running 5.5 and I’m unable to modify /opt/xensource/libexec/generate_ssl_cert; it tells me the filesystem is read-only.

    • The same procedure should work. I am having no issues making changes to the script on 5.5. Alternatively, you could simply copy the script elsewhere to do the cert generation.

      # cat /etc/redhat-release 
      XenServer release 5.5.0-25727p (xenenterprise)
      [root@xen4 ~]# echo >> /opt/xensource/libexec/generate_ssl_cert
      [root@xen4 ~]#
      
      • Ideally, though, you and I should both be reinstalling anything older than 6.2 since neither is getting the latest security releases 🙂

  2. I am trying to connect to XenServer 5.6.0 via XenCenter 7.
    I am getting certificate issues:
    Unable to connect server “Server’s IP” Couldn’t create SSL/TLS secure channel
    I tried the procedure to create the certificate. I can telnet to port 443 (SSL), but I cannot add the server to XenCenter.

    The procedure used is as follows:

    service xapissl stop
    mv /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem.bak
    /opt/xensource/libexec/generate_ssl_cert "/etc/xensource/xapi-ssl.pem" '10.10.6.27'
    service xapissl start
    xe-toolstack-restart

    • That appears to me to be a slightly different error than the one I received. Unfortunately, I no longer use Citrix XenServer/XenCenter and am unable to provide any insight as to what the problem might be. I would verify that DNS lines up with the “hostname” that you are using (in this case, 10.10.6.27).
