Citrix XenCenter error “Could not create SSL/TLS Secure Channel”


Running the following commands will fix the XenCenter error. You typically encounter this error because Windows 10 requires stronger encryption, so it is prevalent on older XenServer installations. I encountered this on XenServer 6.0.

Commands

  • Connect to the XenServer host over SSH (for example, with PuTTY)
  • service xapissl stop
  • mv /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem.bak
  • /opt/xensource/libexec/generate_ssl_cert "/etc/xensource/xapi-ssl.pem" '10.100.0.40'
  • service xapissl start
  • xe-toolstack-restart

Replace 10.100.0.40 with the IP of the XenServer host you are connecting to (not a VM IP). Running these commands reissues the cert, and you will then be able to connect properly. I’ve seen this on Windows 10 systems since they force the higher level encryption. If this doesn’t resolve the XenCenter error, let me know.
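A check to run on the host before and after the steps above, added here as an example and not part of the original post: it reports the RSA key size of the xapi certificate and whether generate_ssl_cert passes a size to openssl genrsa, the point raised in the comments below. The function names and the 2048-bit threshold are assumptions of this example; the file paths are the ones used on this page.

```shell
#!/bin/sh
# Added example (not from the original post): audit RSA key sizes on the host.
MIN_BITS=2048   # assumption: the size the commenters switched to

# stdin: `openssl x509 -noout -text` output. Prints the key size in bits.
# Matches "RSA Public Key: (512 bit)" (old OpenSSL) and "Public-Key: (2048 bit)".
key_bits_from_text() {
    sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# stdin: a generator script. Prints the size given to `openssl genrsa`,
# "default" if the call names no size, "none" if there is no genrsa call.
genrsa_bits_from_script() {
    script=$(cat)
    if ! printf '%s\n' "$script" | grep -q 'openssl genrsa'; then
        echo none; return 0
    fi
    args=$(printf '%s\n' "$script" | sed -n 's/.*openssl genrsa\([^>|;]*\).*/\1/p' | head -n 1)
    for tok in $args; do
        case $tok in
            *[!0-9]*) ;;                # option or file name, not a size
            *) echo "$tok"; return 0 ;;
        esac
    done
    echo default
}

# Prints OK when the argument is a number >= MIN_BITS, otherwise WEAK
# (a missing or non-numeric value counts as not verified, so WEAK).
verdict() {
    if [ "${1:-0}" -ge "$MIN_BITS" ] 2>/dev/null; then echo OK; else echo WEAK; fi
}

audit_host() {
    pem=${1:-/etc/xensource/xapi-ssl.pem}
    gen=${2:-/opt/xensource/libexec/generate_ssl_cert}
    cert_bits=$(openssl x509 -in "$pem" -noout -text | key_bits_from_text)
    gen_bits=$(genrsa_bits_from_script < "$gen")
    echo "certificate key: ${cert_bits:-unknown} bit -> $(verdict "$cert_bits")"
    echo "generator genrsa size: $gen_bits -> $(verdict "$gen_bits")"
}

# Run against the real files only where they exist (on the XenServer host).
if [ -r /etc/xensource/xapi-ssl.pem ]; then
    audit_host
else
    # Constructed sample line, for running the example off-host.
    echo "sample cert: $(verdict "$(echo '  RSA Public Key: (512 bit)' | key_bits_from_text)")"
fi
```

If the generator line reports "default", regenerating the certificate reuses whatever key size that OpenSSL build defaults to, so check the certificate line again after rerunning the steps.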

Leave any Questions and Comments below and I will get back to you. I regularly publish on YouTube, Steemit, and christitus.com so if you’d like to see more videos and articles click the subscribe button in the top right.

7 Comments

  1. Scott Farwell

    I have a pool with 4 x 5.5.2 servers. Everyone could connect fine using Xencenter a few months ago, then I upgraded my PCs to Win10 and haven’t been able to connect to the 5.5.2 servers but 5.6.1 and above work fine.
    Last week another user running Win7 reported the same issue on XenCenter 6.2.
    Today a different Win7 user reported their 6.2 isn’t connecting.

    I have a remote user running 6.5.x and his works fine still.

    I performed these steps a few weeks ago on an active pool but I did not perform the xe-toolstack restart as I wanted to schedule it. A storm last week took everything down as power was out for an hour. When things came back up we had the same problem but everybody had to accept a new SSL when they connected to the pool master.

    Not sure where to go from here as a forklift upgrade of the pool is waiting on resources to back it all up and upgrade some hardware at the same time.

    1. Chris Titus

      Upgrade all your servers to 6.5 with the latest rollups. Obviously, do this on a weekend or when the servers are not in heavy production. There is no reason to be running 5.5.2 servers, it is just plain dangerous being that far out of date. I know how stressful this is and as the lead on this project and the only person at my company that deals with XenServer, I always make sure to have an active Citrix Support Contract prior to doing any major updates. Their support is by far the best technical support I have ever received in my career.

      One thing I would try if you just want to muddle along is to uninstall XenCenter on your Win10 machines, type the IP of the pool master and download the OLD XenCenter from it. It is possible that the newer versions of XenCenter are properly seeing those old XenServers.

      1. Scott Farwell

        Fixed the problem by doing the steps above AFTER changing the /opt/xensource/libexec/generate_ssl_cert to generate a 2048 bit key.
        Windows doesn’t allow 512 bit keys anymore on Win7 on up due to recent Windows Update security enhancements.

        This older version kept generating new 512 bit keys so my problem wasn’t fixed until I changed the script to make 2048 bit keys and re-keyed all of the servers in my pool. (The master would have been enough)

        1. Mickael Diot

          Hi Scott,

          How did you manage changing the encryption key in the script?
          Thanks
          Mickael

          1. Mickael Diot

            Hi,

            OK, I found it:

            I modified the /opt/xensource/libexec/generate_ssl_cert file, and changed “openssl genrsa > privkey.rsa” to “openssl genrsa 2048 > privkey.rsa”

            Best regards

  2. Matt

    I fixed this problem by deleting the Xencenter folders in c:\users\%username%\appdata\roaming\

    Much easier than generating a new cert. I did that the first time, but the problem re-occurs periodically and I don’t remember where I found this other solution, but it has worked a few times now.

    1. Chris Titus

      Yeah, it’s a Windows 10 issue so it will keep coming back unless you issue a new cert. You can just load a Windows 7 VM and run XenCenter from that if you don’t want to mess with the host. I did this on a host in production with no downtime, so I’d just update the cert and do a toolstack restart.
