Fixing SSL error when accessing XenServer after KB3175024 update [EN]

 We’ve been using Citrix’s XenServer at work for probably 6 years now (originally Citrix, now it is Open Source and not run by them). But we were too lazy to upgrade to the newest version. Because it is time consuming and would take lots of effort to migrate current machines. But mostly, we were lazy 🙂 So, we are still on 5.6 version (i think). This month Microsoft has released a Windows update KB3175024, which probably made all certificates using less than 1024 bits of encryption not secure and made apps trying to access services, which were still using such certificates, go bonkers. So, trying to access our XenServer from a Windows application XenCenter resulted in a TLS\SSL error. Windows Event Log also was collecting useless Schannel errors (yeah, errors just giving some random numbers are very useful). XenServer is using 512 bits keys by default (and from what i have gathered browsing Xen forums, even newest versions are affected by this). Combining tips from several sources i have compiled a little guide to overcome this issue. On a plus side, this made me use SSH (to access our XenServer) and refresh my Linux cmd skills a bit 🙂

You can do this directly in XenServer console by launching Local Shell (if you have a monitor attached to it) or via SSH session. If SSH is not enabled, you can turn it on in Remote Service Configuration > Enable/Disable Remote Shell.

Once you are logged as root on your XenServer, edit your certificate’s generation script with a text editor (nano is usually installed by default):

nano /opt/xensource/libexec/generate_ssl_cert

In this script find the line:

openssl genrsa > privkey.rsa

And change it to:

openssl genrsa 1024 > privkey.rsa

Close the file saving it with the same name on top of the existing one.

Now remove the old certificate:

rm /etc/xensource/xapi-ssl.pem

Press Y and Enter to confirm deletion.

Now run the script to generate a new certificate and restart the Xapi service, which is responsible for remote management of virtual machines on the host (this is one line of command):

/opt/xensource/libexec/generate_ssl_cert /etc/xensource/xapi-ssl.pem $(hostname) && /etc/init.d/xapi restart

Try accessing your XenServer from the XenCenter again. It should show a warning that certificate has changed. Press Accept. You should be able to access your host now.

5 thoughts to “Fixing SSL error when accessing XenServer after KB3175024 update [EN]”

  1. Thank you so much. This is the exact issue I had. After browsing for hours, this solution hit the nail on its head. Issue resolved instantly. Thank you so much again 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *