Pre-check error message "Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain" during vCenter Server upgrade/ update

Article ID: 312124

Products

VMware vCenter Server 8.0

Issue/Introduction

The vCenter Server upgrade pre-check shows the error message below:

Verification of the machine SSL certificate failed due to an invalid trusted root certificate chain. ERROR: [2, 2, 'unable to get issuer certificate'] . Unable to find the root certificate with the subject '<X509Name object '/C=US/ST=#####/L=#####/O=######.com, Inc./CN=#######'>'

Environment

VMware vCenter Server

Cause

This issue is primarily caused by an incomplete, and therefore invalid, Machine SSL certificate chain. It can also be caused by a missing PNID, which you can check by running vCert option 1 (Check current certificate status). In that case the PNID is likely not actually missing; the error is usually due to a case mismatch between the vCenter PNID and the FQDN. For reference, see article 314047.

The example below illustrates the case where the CA certificate chain consists of one or more intermediate CA certificates, and how it forms a chain of trust with the Machine SSL certificate:

  • Machine SSL certificate (Signed by intermediate CA CertificateB)
  • CertificateB (Signed by intermediate CA CertificateC)
  • CertificateC (Signed by Self-signed RootCertificate)
  • RootCertificate (Trust anchor)

If any certificate in the chain, i.e. CertificateB, CertificateC or RootCertificate, is missing, the chain of trust is broken and verification of the chain fails.

Resolution

To resolve the missing CA certificate issue, import the missing CA certificate into the TRUSTED_ROOTS store on vCenter Server.

The pre-check error will contain the subject of the missing CA certificate as shown below:

Unable to find the root certificate with the subject 'X509Name object '/C=US/ST=#####/L=#####/O=######.com, Inc./CN=#######''

The certificate can be imported using any of the methods below:

To resolve the missing PNID issue, the Machine SSL certificate must be regenerated, making sure that the subject alternative name of the Machine SSL certificate contains the current PNID of vCenter in its exact case. The PNID can be found by running this command: /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost. The certificate can be regenerated using vCert, option 3 (Manage certificates), then 1 (Machine SSL certificate).
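The following is an added example, not code from the VMware article or from vCert, that models the two conditions described above: the chain walk from the Machine SSL certificate through the TRUSTED_ROOTS store (Cause section), and the case-sensitive PNID check against the certificate's subject alternative names (Resolution section). Certificates are represented as constructed (subject, issuer, SAN) records rather than real X.509 objects so it runs offline; the subject names, the PNID values and the function names are assumptions made for the illustration.

```python
"""Added example, not part of the VMware article: a minimal model of the
pre-check's chain-completeness and PNID checks over constructed records."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: distinguished names only."""
    subject: str
    issuer: str
    sans: tuple = ()  # DNS subject alternative names

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed chain mirroring the article: Machine SSL -> B -> C -> Root.
ROOT = Cert("/CN=Example Root CA", "/CN=Example Root CA")
CERT_C = Cert("/CN=Example Intermediate C", ROOT.subject)
CERT_B = Cert("/CN=Example Intermediate B", CERT_C.subject)
MACHINE_SSL = Cert("/CN=vcenter.example.com", CERT_B.subject,
                   sans=("vcenter.example.com",))


def verify_chain(leaf: Cert, trusted_roots: list) -> tuple:
    """Walk issuer links from the leaf through the trusted store.

    Returns (ok, chain_subjects, missing_subject).  When a link cannot be
    resolved, missing_subject is the issuer name the store does not contain,
    which is what the pre-check reports as the missing root certificate.
    """
    by_subject = {c.subject: c for c in trusted_roots}
    chain = [leaf.subject]
    seen = {leaf.subject}
    current = leaf
    while True:
        if current.self_signed:
            # Trust anchor reached; it must itself be present in the store.
            if current.subject in by_subject:
                return True, chain, None
            return False, chain, current.subject
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer.subject in seen:
            # "unable to get issuer certificate": no stored certificate has
            # a subject matching this issuer (or the chain loops).
            return False, chain, current.issuer
        seen.add(issuer.subject)
        chain.append(issuer.subject)
        current = issuer


def check_pnid(leaf: Cert, pnid: str) -> str:
    """Return 'ok', 'case-mismatch' or 'missing' for the PNID against the SAN.

    The comparison is exact, as the article requires: a SAN entry that differs
    only in letter case still counts as a missing PNID.
    """
    if pnid in leaf.sans:
        return "ok"
    if pnid.lower() in (s.lower() for s in leaf.sans):
        return "case-mismatch"
    return "missing"


def precheck(leaf: Cert, trusted_roots: list, pnid: str) -> list:
    """Run both checks and return a list of findings (empty means pass)."""
    findings = []
    ok, _chain, missing = verify_chain(leaf, trusted_roots)
    if not ok:
        findings.append(
            f"Unable to find the root certificate with the subject '{missing}'")
    status = check_pnid(leaf, pnid)
    if status != "ok":
        findings.append(f"PNID '{pnid}' not in SAN {leaf.sans} ({status})")
    return findings


if __name__ == "__main__":
    # Complete store passes; a store lacking CertificateC names C as missing;
    # a PNID differing only in case is reported as a case mismatch.
    print(precheck(MACHINE_SSL, [ROOT, CERT_C, CERT_B], "vcenter.example.com"))
    print(precheck(MACHINE_SSL, [ROOT, CERT_B], "vcenter.example.com"))
    print(precheck(MACHINE_SSL, [ROOT, CERT_C, CERT_B], "VCENTER.example.com"))
```

On a real vCenter the equivalent chain check is an OpenSSL verification of the Machine SSL certificate against the exported TRUSTED_ROOTS contents; OpenSSL reports the same condition modelled here as "unable to get issuer certificate" (verify error 2), with the unresolved issuer identified at the depth where the walk stopped.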

Additional Information

Sample steps to export the CA certificate from a local Windows desktop:

Note: This is just an example showing how to export a CA certificate from the Certificate Path based on the issuer name ("Go Daddy Root Certificate Authority - G2" in this example).

  1. Open the Machine SSL certificate of vCenter Server from the local Windows desktop
  2. Click the Certificate Path tab, select the CA certificate to export and click View Certificate
  3. A new window opens for the CA certificate selected from the Certificate Path
  4. Select the Details tab of the CA certificate and click Copy to File
  5. Click Next in the new window to export the certificate
  6. Select Base-64 encoded X.509 (.CER)
  7. Enter the filename for the exported CA certificate and click Next
  8. Click Finish to save the certificate