VMware Horizon and vCenter Server Certificate Issue

After upgrading the vCenter Server for Horizon, the vCenter Server tab on the VMware Horizon Administrator dashboard may turn red and report a certificate issue. When you check the vCenter Server option under the View Configuration tab, you may see a message that the certificate is untrusted, with an option to either accept or reject the certificate. After accepting the certificate, you may get the message, “There was an error identifying the validity of the server”.

To fix the issue, follow the steps below:

  1. Use a web browser that uses the operating system certificate store on Windows (such as Internet Explorer or Google Chrome).
  2. From the browser, go to the base URL of the vCenter Server system or the vCenter Server Virtual Appliance without appending the port numbers or the ‘vsphere-client’ extension. For example: https://vcenter.domain.com/
  3. Alternatively, the vCenter Server certificates can be downloaded directly from https://vCenter_FQDN/certs/download.zip
  4. Right-click the download trusted root CA certificate link at the bottom of the grey box on the right and select Save link as. This will prompt you to download a file called ‘download.zip’.
  • The file is a ZIP file of all root certificates and all CRLs in the VMware Endpoint Certificate Store (VECS).
  • Extract the contents of the ZIP file.
  • The result is a folder that contains two types of files. Files with a number as the extension (.0, .1 and so on) are root certificates. Files with an extension that starts with an r (.r0, .r1 and so on) are CRL files associated with a certificate.

Next, add the certificates on all the Connection Servers in the VMware Horizon environment.

  1. RDP to the Connection server.
  2. Open the MMC Certificates Snap-in for Local Computer Account.
  3. Click Trusted Root Certification Authorities, select the Certificates folder, and then right-click > All Tasks > Import.
  4. On the Welcome screen of the Certificate Import Wizard, click Next.
  5. Browse and select the vCenter certificates which you downloaded in the steps mentioned above.
  6. Select “Automatically select the certificate store based on the type of certificate” and click Next.
  7. Complete the Certificate Import Wizard.
  8. The certificates should be imported to the root cert store successfully.
  9. After the process has been completed on all the Connection Servers, the servers need to be rebooted.
  10. Reboot the Connection Servers as per the KB: https://kb.vmware.com/s/article/2068381.
  11. Once the Connection Servers have been rebooted and the services have restarted, verify the vCenter certificate in the VMware Horizon Administrator console.
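
The extract-and-import steps above can also be scripted on each Connection Server. The PowerShell below is an added example, not part of the original post or of VMware's tooling; the paths and the $Import switch are assumptions, and it needs an elevated PowerShell 5 or later session.

```powershell
# Added example. Paths and the $Import switch are assumptions; adjust as needed.
# Run in an elevated PowerShell 5+ session on each Connection Server.
$zipPath    = 'C:\Temp\download.zip'     # assumed location of the downloaded ZIP
$extractDir = 'C:\Temp\vcenter-certs'    # assumed working folder
$Import     = $false                     # first run: review only; set $true to import

Expand-Archive -Path $zipPath -DestinationPath $extractDir -Force

# Root certificates have a numeric extension (.0, .1, ...).
# CRL files (.r0, .r1, ...) do not match and are left alone.
$rootFiles = Get-ChildItem -Path $extractDir -Recurse -File |
    Where-Object { $_.Extension -match '^\.\d+$' }

$store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    foreach ($file in $rootFiles) {
        # Load by content, so the unusual file extension does not matter.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)
        $present = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0

        # Print what would be trusted so it can be checked before import.
        [pscustomobject]@{
            File       = $file.Name
            Subject    = $cert.Subject
            SelfSigned = ($cert.Subject -eq $cert.Issuer)
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            InRoot     = $present
        }

        # Add only when explicitly enabled and not already in the Root store.
        if ($Import -and -not $present) {
            $store.Add($cert)
        }
    }
}
finally {
    $store.Close()
}
```

Compare the printed thumbprints with the certificate chain the vCenter Server presents before setting $Import to $true, because anything added to the Local Machine Root store is trusted by the whole server.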

VMware Horizon Virtual Desktops in Error State

I had a customer with VMware Horizon 7.0.2 desktop pools with desktops that were stuck with errors while recomposing. We were seeing the error message: “View Composer Error: Failed to delete VM – null” on the Desktop Machines in VMware Horizon View Administrator.

To fix the issue I had to manually delete the Virtual machines from vCenter inventory and then clean up the VMware Horizon database. Once that was achieved, VMware Horizon re-provisioned the machines. The re-provisioned machines were available for users to access.

The below command can be used to clean up machines in error state in VMware Horizon View Administrator.

The tool I used was viewdbchk, which was introduced with Horizon View 6.2. The viewdbchk file is located in the Horizon View installation directory on the VMware Horizon View Connection Servers. The location is: “Installation Drive”\Program Files\VMware\VMware View\Server\tools\bin.

  • viewdbchk.cmd --scanMachines --limit 10

When the command was run, it scanned the desktop pools one by one for any machines in “Error” state and prompted if I wanted to delete the machines. A simple “yes” helped and we were able to delete the machines from the VMware Horizon Admin console.

There are also other ways to fix the same issue, but I found this to be the simplest one as it scanned the machines for errors in the environment.

The command asks you to disable the desktop pool, scans for machines in the error state, and then asks whether you want to enable the desktop pool again. If you do not want to scan a particular pool, you can always type “no” when the message to disable the desktop pool appears. If you type “no”, it will skip that pool and move on to the next pool.

I hope this was helpful.