Sitecore Analytics: The Certificate was not Found

One of the frequent challenges we face is the absence of Analytics data in the Sitecore Experience Profile. This issue can be quite frustrating, but there is a solution. In this blog post, I will delve into the reasons behind the "The certificate was not found" problem and explain how to resolve it using Azure Managed Cloud Service PaaS.

In this case, The very first step is analyzing logs on the CD and xConnect server. I have checked the xConnect Collection server's log and it seemed to stop, which suggested that there had been some issue with xConnect trying to collect the analytics data.

In this case, I have to look into the CD server. I found a lot of xDB-related errors in the CD server, with a similar stack trace as below.

Error: xDB unavailable when submitting contact

The nested error seems to suggest the error is related to the missing client certificate required for xConnect and xDB communication.

The amount of Submit Queue data in the CD server proves this. Any files in the Submit Queue folder in the CD server may indicate that analytics from the CD server were not flushed properly.

However, it seems that the connection string used for this certificate seems to be the root cause of the reported behavior.

I have verified the connection string and its thumbprint value, and it seems correct, I believe the StoreLocation should've been LocalMachine instead of CurrentUser.

Solution:

Our application has been deployed on Sitecore Managed Cloud Service, which utilizes Azure PaaS. We have replaced the Sitecore client certificate in Azure after or during the go-live process.

In the event of a client certificate expiration or replacement, it is necessary to update all references to that certificate. Reference: Replace a Sitecore client certificate in Azure.

Step 1: Update the certificate thumbprint:

Replace the value of the validateCertificateThumbprint key in the <wwwroot>\App_Config\AppSettings.config file:

<add key="validateCertificateThumbprint" value=" ****************************************" />

I have revised the validateCertificateThumbprint values in the app service listed below:

• mc-********-****-****-****-****-cortex-processing
• mc-********-****-****-****-****-cortex-reporting
• mc-********-****-****-****-****-ma-ops
• mc-********-****-****-****-****-xc-collect
• mc-********-****-****-****-****-xc-refdata
• mc-********-****-****-****-****-xc-search

Step 2: Support self-signed certificates:

I have confirmed the status of all XP service roles and Core roles, and it was noted that the AllowInvalidClientCertificate setting was already configured to be true.

Step 3: Update connections strings:

Following Sitecore's recommendation, the StoreLocation of all relevant connection strings should be changed to LocalMachine, and the thumbprint value updated.

I have implemented the above changes in the following app services:

• mc-********-****-****-****-****-cd
• mc-********-****-****-****-****-cm
• mc-********-****-****-****-****-ma-ops

Step 4: The conclusion of all three steps mentioned above should be verified in all app services:

• mc-********-****-****-****-****-cd
• mc-********-****-****-****-****-cm
• mc-********-****-****-****-****-cortex-processing
• mc-********-****-****-****-****-cortex-reporting
• mc-********-****-****-****-****-ma-ops
• mc-********-****-****-****-****-ma-rep
• mc-********-****-****-****-****-prc
• mc-********-****-****-****-****-xc-collect
• mc-********-****-****-****-****-xc-refdata
• mc-********-****-****-****-****-xc-search

Step 5: Further Investigation:

I have investigated more and found that we have different values set in the WEBSITE_LOAD_CERTIFICATES on CM App Service:

And different values we have in the assigned certificate:

Step 6: So further to resolve this issue I have performed the following steps:

1. I must modify the WEBSITE_LOAD_CERTIFICATES values with the assigned certificate thumbprint value.
2. The same thumbprint values need to be updated in all Server connection String.
3. Proceed to restart the App Service.

Conclusion:

1. The primary issue I have identified is a mismatch in the certificate thumbprint value between the Configuration and Connection String, which led to a "certificate not found" error.
2. By using the default certificate thumbprint for all thumbprint values in the configuration connection strings on all servers were functioning correctly.
3. Subsequently, We uploaded a domain (server) certificate to the CD server and updated the thumbprint values in both the configuration and connection strings on the CD server. This change resulted in the aforementioned error.
4. The expected thumbprint value used in the WEBSITE_LOAD_CERTIFICATE on all Sitecore and xConnect web apps is the xConnect client certificate above, however, my CD has mistakenly changed to the domain certificate thumbprint value in the configuration & connection strings.
5. The difference between the server (SSL or domain) certificate, used primarily for HTTPS in IIS, and the xConnect client certificate, used internally by Sitecore for authenticating xConnect communications. For more details, please review the article at Sitecore 9: xConnect Client and SSL Certificates Explained.
6. The alteration of the thumbprint value on the CD server led to an authentication mismatch in xConnect communications, which in turn caused analytics to fail.
7. With these points clarified, I recommend resolving the thumbprint mismatches in the configurations and the connection string.

Happy Sitecoreing 😊