This is a known issue affecting all VCF 4.x releases and will be resolved in a future release.
Workaround:
To work around this problem, either run the attached fixCertRetrust.sh script (Option 1) or follow the manual steps in Option 2.
Option 1:
- Download the fixCertRetrust.sh script.
- Using a file transfer utility, such as WinSCP, copy the file to /tmp/ on the vCenter appliance.
- Open an SSH session to the vCenter appliance as the root user.
- Change the permissions on the file:
chmod +x /tmp/fixCertRetrust.sh
- Run the script:
sh /tmp/fixCertRetrust.sh
Option 2:
- Open an SSH session to the vCenter appliance as the root user.
- Get the list of trusted root certificates (dir-cli prompts for the SSO administrator password):
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list --login administrator@<domain>
- Take a backup of every certificate in that list, one file per certificate, using the IDs from the output of the previous step:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id <ID> --outcert trustedCert_x.crt
- If the base64 body of the exported file is on a single line (no line break after every 64th character), re-wrap it into 64-column PEM lines so that openssl can parse it:
sed -i -e "s/.\{64\}/&\n/g" trustedCert_x.crt
- Verify the backed-up certificate. Check that the Subject and Issuer match the entry you exported, and do not continue until every backup parses, because a root that has been unpublished but cannot be published again is lost from the trust store:
openssl x509 -text -in trustedCert_x.crt
- Once the backup has been verified, unpublish the certificate from vmdir (repeat for each certificate ID):
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert trustedCert_x.crt
- Force a VECS refresh so that the unpublished certificate is removed from the VECS TRUSTED_ROOTS store:
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
- Publish the backed-up trusted root certificates back to vmdir (repeat for each certificate file):
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert trustedCert_x.crt
- Verify that the certificate has been added:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list --login administrator@<domain>
- Force a VECS refresh so that the published certificate is added to the VECS TRUSTED_ROOTS store:
/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
- Verify the entries in the VECS TRUSTED_ROOTS store:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text
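The Option 2 cycle, scripted as an added example. This is not VMware's attached fixCertRetrust.sh and is not part of the original article. The script backs up and openssl-verifies every trusted root before it unpublishes anything, so that a failed export cannot leave the TRUSTED_ROOTS store without a root that can no longer be re-published. Assumptions, which are not stated in the article: the SSO login defaults to administrator@vsphere.local (override with LOGIN), the ID lines in the output of `dir-cli trustedcert list` have the form `CN(id): <hex>` (the sample output in the script is constructed), and the tool paths can be overridden with DIR_CLI and VECS_CLI. Invoked with the argument `run` on the appliance it performs the cycle; with no argument it only defines the functions.

```shell
#!/bin/sh
# Added example: scripted form of the manual Option 2 cycle. Not VMware's
# fixCertRetrust.sh. Invoke as "sh retrust.sh run" on the vCenter appliance.

DIR_CLI=${DIR_CLI:-/usr/lib/vmware-vmafd/bin/dir-cli}
VECS_CLI=${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}
LOGIN=${LOGIN:-administrator@vsphere.local}     # assumption: default SSO domain
BACKUP_DIR=${BACKUP_DIR:-/tmp/trustedroots.$$}

# Pull the certificate IDs out of 'dir-cli trustedcert list' output on stdin.
# Assumption: each ID is reported on a line of the form "CN(id): <hex>".
list_cert_ids() {
    awk -F': *' '/^CN\(id\):/ { print $2 }'
}

# Re-wrap a PEM whose base64 body is one long line into 64-column lines, the
# same effect as the sed step in the article. BEGIN/END lines pass through,
# and a file that is already wrapped is left unchanged.
wrap_pem() {
    awk '/^-----/ { print; next }
         { gsub(/[ \t\r]/, "")
           while (length($0) > 64) { print substr($0, 1, 64); $0 = substr($0, 65) }
           if (length($0) > 0) print }'
}

# Export one root by ID, normalise it to PEM, and verify that openssl parses
# it. Returns non-zero on any failure so the caller stops before unpublishing.
backup_cert() {   # $1 = cert ID, $2 = output file
    "$DIR_CLI" trustedcert get --id "$1" --outcert "$2" --login "$LOGIN" >/dev/null || return 1
    wrap_pem < "$2" > "$2.tmp" && mv "$2.tmp" "$2"
    openssl x509 -noout -subject -issuer -in "$2"
}

retrust_all() {
    mkdir -p "$BACKUP_DIR"
    ids=$("$DIR_CLI" trustedcert list --login "$LOGIN" | list_cert_ids)
    [ -n "$ids" ] || { echo "no trusted roots returned by dir-cli" >&2; return 1; }

    # Phase 1: back up and verify every root before touching vmdir.
    for id in $ids; do
        backup_cert "$id" "$BACKUP_DIR/trustedCert_$id.crt" ||
            { echo "backup/verify failed for $id, nothing unpublished" >&2; return 1; }
    done

    # Phase 2: unpublish, refresh VECS, republish, refresh VECS.
    for id in $ids; do
        "$DIR_CLI" trustedcert unpublish --cert "$BACKUP_DIR/trustedCert_$id.crt" --login "$LOGIN"
    done
    "$VECS_CLI" force-refresh
    for id in $ids; do
        "$DIR_CLI" trustedcert publish --cert "$BACKUP_DIR/trustedCert_$id.crt" --login "$LOGIN"
    done
    "$VECS_CLI" force-refresh

    # Final check: what the TRUSTED_ROOTS store now contains.
    "$VECS_CLI" entry list --store TRUSTED_ROOTS --text
}

# Constructed sample output of 'dir-cli trustedcert list' (not real vmdir
# data), used to exercise list_cert_ids without an appliance.
SAMPLE_LIST='Number of certificates: 2
#1: CN=CA, DC=vsphere, DC=local
CN(id): 0123456789ABCDEF0123456789ABCDEF01234567
#2: CN=Example-Root, O=Example
CN(id): FEDCBA9876543210FEDCBA9876543210FEDCBA98'

# Constructed single-line "PEM" (100 filler characters, not a real
# certificate), used to exercise wrap_pem.
SAMPLE_PEM="-----BEGIN CERTIFICATE-----
$(awk 'BEGIN { for (i = 0; i < 100; i++) s = s "A"; print s }')
-----END CERTIFICATE-----"

if [ "${1:-}" = "run" ]; then
    retrust_all
fi
```

dir-cli prompts for the password on every call unless `--password` is supplied, so the cycle is interactive by default; keep the backup directory until the final `vecs-cli entry list` shows every root again, and copy it off the appliance before unpublishing if the roots are not available elsewhere.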