Tuesday, August 7, 2012

Teradici PCoIP Firmware 4.x GoDaddy.com Certificate issues

I came across an interesting issue with a GoDaddy.com certificate. As described in previous posts you need to upload your Root and Intermediate certificates to the PCoIP devices connecting to VIEW. If you do not you'll see an error message when connecting to your connection servers saying "the certificate is not rooted". Typically when you see this message all you have to do is locate the intermediate and rootCA that signed your broker certificate and upload it, however people are seeing issue with some intermediate/root CA's. I think that these messages in the thin client log are the link to the problem;

08/06/2012, 16:15:25> LVL:1 RC:-510 X509_UTIL :get_issuer() failed!

08/06/2012, 16:15:25> LVL:1 RC:-510 MGMT_CERT :ERROR: tera_x509_util_get_tree failed for certificate 1

08/06/2012, 16:15:25> LVL:1 RC:-510 MGMT_CERT :ERROR: certificate is not valid (tera_mgmt_cert_add_certificate_by_index)

08/06/2012, 16:15:25> LVL:1 RC:-510 MGMT_CMI :ERROR: tera_mgmt_cert_add_certificate failed!

08/06/2012, 16:15:26> LVL:2 RC: 0 GSOAP :SOAP 1.2 fault: SOAP-ENV:Sender [no subcode]

08/06/2012, 16:15:26> LVL:2 RC: 0 GSOAP :"Failed to add certificate to certificate store" Detail: [no detail]

08/06/2012, 16:15:26> LVL:0 RC: 12 MGMT_CMI :Error serving SOAP request!

It appears that the Teradici Firmware is expecting content in certain fields of the Certificate, and GoDaddy is not providing them in this case. In fact when you upload the godaddy cert to the teradici management appliance they look incomplete compared to a verisign, as you can see in the image below

After a bit of research I've found that this is a known issue with the 4.x release of the PCoIP firmware. You can find the KB article here. The issue is not limited to just Godaddy Certs, a VMware Community article found here shows others having this issue with other cert vendors. The community article also contains the fix, which is opening a ticket with Teradici Support. Apparently the only way to resolve this is using a Release Candidate of the next firmware revision.

No comments:

Post a Comment