Steps to repair K2 certificates

 

Overview of K2 Certificates and Configuration Service

K2 uses several certificates critical for its operations. Starting with version 5.3, the introduction of the K2 Configuration Service added the requirement for additional certificates to run correctly. These certificates are typically installed automatically during K2 installation. However, corruption or improper installation can occur, causing issues such as the K2 Configuration Service failing to start with certificate-related errors in the logs.

When such issues arise, the recommended approach is to perform a repair process to regenerate the necessary certificates.

Step-by-Step Instructions to Repair K2 Certificates

  1. Backup the K2 Database

    • Before any modification, ensure a full backup of the K2 database is taken to prevent data loss.

  2. Access the K2 Server

    • Log in to the K2 server using the K2 service account credentials.

  3. Open Microsoft Management Console (MMC)

    • Launch mmc.exe.

    • Add the following snap-ins:

      • Certificates (Local Computer)

      • Certificates (Current User)

  4. Locate and Delete Target Certificates

    • Navigate to these certificate stores:

      • Personal > Certificates

      • Trusted Root Certification Authorities > Certificates

    • In both locations, delete certificates matching:

      • Issued To: "Environment Owner", Issued By: "K2 On Premise Root"

      • Issued To: "K2 On Premise Root", Issued By: "K2 On Premise Root"

  5. Modify the K2 Database Configuration Table

    • Connect to the K2 database and run the following SQL commands to delete certificate-related entries:

    • sql
      DELETE FROM [HostServer].[Configuration] WHERE VariableToken = '[ROOT_CERT]'
DELETE FROM [HostServer].[Configuration] WHERE VariableToken = '[ROOT_CERT_THUMBPRINT]'
DELETE FROM [HostServer].[Configuration] WHERE VariableToken = '[ROOT_CERT_PWD]'
DELETE FROM [HostServer].[Configuration] WHERE VariableToken = '[CLIENT_AUTH_CERT]'
DELETE FROM [HostServer].[Configuration] WHERE VariableToken = '[CLIENT_AUTH_CERT_THUMBPRINT]'
DELETE FROM [HostServer].[Configuration] WHERE VariableToken = '[CLIENT_AUTH_CERT_PWD]'
DELETE FROM [HostServer].[Configuration] WHERE VariableToken = '[MICRO_SSL_CERT_THUMBPRINT]'
DELETE FROM [HostServer].[Configuration] WHERE VariableToken = '[MICRO_SSL_CERT]'
DELETE FROM [HostServer].[Configuration] WHERE VariableToken = '[MICRO_SSL_CERT_PWD]'
UPDATE [HostServer].[Configuration] SET VariableValue = 'true' WHERE VariableToken = '[SERVICEUSERCHANGED]'

    • This clears old or corrupted certificate data to enable fresh regeneration.

  2. Run K2 Setup Manager

    • Start the Setup Manager and select the ‘Configure’ option.

    • This will trigger the regeneration and reinstallation of the necessary certificates as part of the service configuration.

Additional Notes and Recommendations

  • Certificate Validation Utility

    • K2 includes a tool named CertificateManager.exe (found in the K2 installer or the K2Setup folder) which can validate and repair certificates.

    • However, due to known issues with past versions of the CertificateManager utility, including difficulty in tracking compatible versions, it is recommended to avoid using this tool for repairing certificates unless specifically advised by Nintex support.

  • Best Practices

    • Always ensure certificates are installed under the Local Computer personal certificate store, as this is the supported scenario.

    • Do not manually delete certificates outside of the documented MMC and database method to avoid orphaned or inconsistent certificate states.

    • Regularly verify services after repair, checking logs for residual certificate errors.

This optimized approach ensures a clean and supported process to repair the K2 Configuration Service certificates and should minimize errors related to corrupted or missing certificates.

Comments

Post a Comment

Popular posts from this blog

Blocking Error during K2 5.6 Server migration

  Error Encountered: Error during K2 5.6 migration to a new machine, keeping the SQL server unchanged. Error message:                       20:49:59:>> Certificates.FindCertificate: Found 1 certificates                       20:49:59:>> RegisterShard.Execute: Adding additonal connection string parameters to config service shard                       20:49:59:>> AdditionalConnectionStringParameters.AmendSQLConnectionString: Additional connection string parameter value: empty                       20:49:59:>> AdditionalConnectionStringParameters.AmendSQLConnectionString: Additional ConnectionString Parameters is empty                       20:50:04:>> AnalyzableAction.PopulateValidate...
Read more

Client Credentials flow with K2 Cloud with Odata, Workflow REST or SCIM

Image
This guide outlines the steps to using the Client Credentials Flow for accessing Nintex K2 Cloud's OData, Workflow REST, or SCIM APIs. Before you begin: Ensure your environment is eligible for Client Credentials Flow by contacting Nintex support ( https://customer.nintex.com/cases/Pages/default.aspx ). Have a SHA256 hash of the client secret of your choosing ready. Steps: Onboarding: Open a support ticket with Nintex requesting the onboarding of the Client Credentials Flow for your environment. Provide the SHA256 hash of your the client secret. https://help.nintex.com/en-US/k2cloud/userguide/current/Content/IdProviders/ClientCredentials.htm You can Generate the secret hash from a Client Secret value in a .NET console application. The onboarding team does not need the actual secret value, only the hash of it. Use the following steps and code example to generate the hash: Add the  IdentityModel  NuGet package. Add the  IdentityModel  library reference in the ...
Read more

Blocking error RegisterServiceInstanceObjects when upgrading to K2 5.6/5.7

K2 5.7 Upgrade Error: Blocking Issue with Orphaned Service Instances Error Message:             07:30:39:>> AuthorizationBase.RegisterServiceInstanceObjects: Current ServiceType and ServiceInstance details: ServiceType.Guid = GUIDValue1. ServiceInstance.Guid = GUIDValue2 . ServiceInstance.Name = ServiceInstanceName             07:30:39:>> ConnectionHelper.GetServerInstance: Create 'AuthorizationClient' instance using ConnectionContext             07:30:39:>> AuthorizationBase.RegisterObject: Validate Parent             07:30:39:>> AuthorizationBase.Execute: Logged Error: Failed: System.Exception: Item 'GUIDValue1' does not exist    at SourceCode.Install.Package.Actions.Authorization.AuthorizationBase.RegisterObject(String name, Guid id, Guid parentID, Guid classID, String className, Boolean inherit, Boolean propagate, IIdentityReferenc...
Read more