
SHA256 certificate for storefront backend breaks NS load-balanced vserver

Started by MIKE MORRISON , 22 February 2016 - 07:13 PM
7 replies to this topic

MIKE MORRISON Members

MIKE MORRISON
  • 24 posts

Posted 22 February 2016 - 07:13 PM

Configuration:

StoreFront 2.6 web server installed on Windows 2012

NetScaler 11.0 64.34.nc

Load-balanced vServer configured on NetScaler pointing to StoreFront server.


The certificate installed on my StoreFront 2.6 web servers recently expired. When I replaced the certificate on the server, my load-balanced vServer stopped working--attempting to access the page in IE or Chrome eventually results in a time-out. The old expired certificate was issued as an SHA-1 certificate; the new one is SHA256 (all the way up the cert chain). Firewall logs show that the connection is being reset by the StoreFront server, and the Windows System event log is filled with Schannel 36888 and 36874 TLS-related errors. If I bind the expired certificate to the StoreFront web site, it all starts working again.


So far, all of my Citrix forum and Google searches for a solution have been in vain. I've looked at the following discussions:

https://discussions.citrix.com/topic/371939-https-monitor-ciphers/.

https://discussions.citrix.com/topic/368750-netscaler-11-6210-outlook-anywhere-broken/.

https://discussions.citrix.com/topic/370640-cipher-list-for-ns11-to-load-balanced-storefront-30-on-win20121-r2/.


All seem to describe similar issues, but nothing indicated in them corrects the issue. Has anyone else experienced similar issues and found a solution? Thanks.


Mike Morrison



Carl Stalhood CTP Member

Carl Stalhood
  • 11,444 posts

Posted 22 February 2016 - 07:30 PM

Maybe http://support.citrix.com/article/CTX205578

Ross Bender Members

Ross Bender
  • 107 posts

Posted 22 February 2016 - 07:32 PM

Perhaps check what SSL protocol you are using. I believe TLS 1.0 and 1.1 were added in SF 3.0.1 but I'm not sure about 2.6.



MIKE MORRISON Members

MIKE MORRISON
  • 24 posts

Posted 22 February 2016 - 07:57 PM

I tried disabling TLS 1.1 and 1.2 in the service through the GUI, as I had a similar problem with communications to back-end Sharefile servers in the past. I just tried disabling those for the service I have configured using the command-line "set ssl service <servicename> -tls11 DISABLED -tls12 DISABLED" and it didn't make any difference. I've also tried manually entering a cipher list on the service with no effect. I haven't tried disabling TLS 1.1 and 1.2 globally yet, but will try to get approvals to attempt that tomorrow.

Mike



Thomas Rolfs Members

Thomas Rolfs
  • 9 posts

Posted 20 May 2016 - 05:55 AM

Are you using a NetScaler VPX?
I had a similar issue; in my case the problem was not SHA256 but the key size of 4096 bits.
I changed the backend cert to a SHA256 cert with a 2048-bit key and everything worked again.

Jonathon Wiggins Members

Jonathon Wiggins
  • 14 posts

Posted 24 May 2016 - 07:29 PM

I have the same problem on NetScaler 5550 running v10.5 Safe Harbor code. Disabling TLS v1.2 and re-enabling it didn't resolve the problem. I have also recreated a new cipher group, but to no avail.


One thing that I got from Citrix Support is that it will require a reboot after disabling the TLS settings through the CLI. I'll post once we get a down time to try this.



Simon Constable Members

Simon Constable
  • 21 posts

Posted 28 November 2016 - 01:50 PM

I had a similar issue recently as well. The issue on my side was due to me using a VPX, which has a limitation of a 2048-bit private key, and I had given my IIS HTTPS service a 4096-bit private key. After performing a trace and checking the process in Wireshark, we found the error of unsupported certificate.

I changed the cert template to allow a 2048-bit private key and everything came back online.

Cert info: https://support.citrix.com/article/CTX206268

Hope this helps.

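The posts above converge on three things to check on the IIS/StoreFront side when the NetScaler back-end handshake fails after a certificate swap: the properties of the certificate HTTP.sys actually has bound (signature algorithm, key size, whether the chain builds and a private key is present), the server-side Schannel protocol switches, and the Schannel 36874/36888 events. The following script gathers all of that in one pass. It is an added example written for this thread, not code from any poster or from Citrix. It assumes IIS is bound on 0.0.0.0:443 (override with -IpPort), that it runs elevated on the StoreFront server, and it treats the 2048-bit key ceiling as the VPX limitation reported by the posters above rather than a verified specification.

```powershell
# Added example, not code from the thread or from Citrix. Run elevated on the
# StoreFront/IIS server that the NetScaler service points at. Reports the bound
# certificate's signature algorithm, key size and chain, the Schannel server-side
# protocol switches, and recent Schannel 36874/36888 events.
# Assumptions: IIS is bound on 0.0.0.0:443; the 2048-bit ceiling is the VPX
# limitation reported by posters in this thread, not a verified specification.
param(
    [string]$IpPort     = '0.0.0.0:443',
    [int]   $MaxKeyBits = 2048,
    [int]   $EventHours = 24
)

# 1. Which certificate has HTTP.sys bound to the HTTPS endpoint?
$bindingText = netsh http show sslcert ipport=$IpPort
$hashMatch   = $bindingText | Select-String -Pattern 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})'
if (-not $hashMatch) { throw "No SSL binding found for $IpPort (see 'netsh http show sslcert')" }
$thumbprint  = $hashMatch.Matches[0].Groups[1].Value.ToUpper()

# 2. Load it from the machine store and build the chain the way Schannel will.
$cert    = Get-ChildItem -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chainOk = $chain.Build($cert)
$keyBits = $cert.PublicKey.Key.KeySize

[pscustomobject]@{
    Subject            = $cert.Subject
    Thumbprint         = $thumbprint
    NotAfter           = $cert.NotAfter
    SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
    KeyAlgorithm       = $cert.PublicKey.Oid.FriendlyName
    KeyBits            = $keyBits
    HasPrivateKey      = $cert.HasPrivateKey
    ChainBuilt         = $chainOk
    ChainSigAlgs       = ($chain.ChainElements |
                          ForEach-Object { $_.Certificate.SignatureAlgorithm.FriendlyName }) -join ' > '
} | Format-List

# 3. Flag the conditions this thread identified as handshake breakers.
if ($keyBits -gt $MaxKeyBits) {
    Write-Warning "Key is $keyBits bits; posters report a VPX limit of $MaxKeyBits bits for back-end certificates."
}
if (-not $cert.HasPrivateKey) {
    Write-Warning "No private key for this certificate; Schannel cannot complete the server side of the handshake."
}
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain status: $($_.Status) $($_.StatusInformation)" }
}

# 4. Server-side protocol switches Schannel honours (missing key = OS default).
$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $k = Get-ItemProperty -Path "$protoRoot\$proto\Server" -ErrorAction SilentlyContinue
    $state = if ($null -eq $k) { 'default' }
             elseif ($k.Enabled -eq 0 -or $k.DisabledByDefault -eq 1) { 'disabled' }
             else { 'enabled' }
    '{0,-8} server: {1}' -f $proto, $state
}

# 5. Recent Schannel handshake failures: 36874 = client offered no cipher suite the
#    server supports, 36888 = server generated a fatal alert (the message carries
#    the TLS alert code).  First line of each message only, newest first.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36874, 36888
    StartTime    = (Get-Date).AddHours(-$EventHours)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

Read the output next to the NetScaler side of the same connection: `show ssl service <servicename>` (the same CLI the earlier reply used for `set ssl service`) lists the protocol versions and cipher group the appliance offers to the back end, so a 36874 on the server with TLS 1.2 disabled on the service, or a key size above the limit the posters describe, narrows the search quickly. A 36888 whose first line reports a fatal alert generated during the handshake is what you would expect to see alongside the firewall's "connection reset by StoreFront" entries from the original post.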


Hugh Kelley Members

Hugh Kelley
  • 6 posts

Posted 14 March 2017 - 03:05 PM


Jonathon, did you ever find a resolution for your configuration? We have a similar issue: swapped out our cert keeping identical key size, signature algorithm, and CA, yet the new cert causes IIS to log an SChannel error. TLS 1.2 is already disabled on the back end connection.