Symptoms:

• Configuring the vCenter Server authentication source in vRealize Orchestrator fails.
• You see this error:
  
  Failed with Error ! An error occurred while retrieving the Single Sign-On token from; https://vcenter/lookupservice/sdk
   
• In the controlcenter logs, you see entries similar to:
  
  2017-06-20 10:29:53.776+0000 [https-jsse-nio-8283-exec-2] ERROR [ConfigureAuthProvider] [<UUID_1>] Register authentication error: authentication: Authentication: state = CONNECTED, url = https://xx.xx.xx.xx/lookupservice/sdk , certificateAlias = vco.vsphere.lookup-service.ssl.certificate, username = <username@domain>, password = ******, importCertificates = false, configureLicences = true, certificate = [TrustedEntity [id=vco.vsphere.lookup-service.ssl.certificate, [Certificate-Thumbprint1], TrustedEntity [id=imported:xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx, [Certificate-Thumbprint3], TrustedEntity [id=imported:xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxx, [Certificate-Thumbprint2], service provider host = https://XX.XX.XXX.XXX:8283 Sso Authentication: ssoUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6 , stsUrlEndpoint = com.vmware.vcac.componentregistry.
  rest.stubs.EndPoint@258c72f6 , adminUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@2df8d253 , ssoSslAlias = vco.sso.ssl.certificate, authenticationTokenType = saml, clientId = null, clientSecret = , adminGroup = null, adminGroupDomain = null, defaultTenant = vsphere.local, ssoClockTolerance = 300, tokenLifetimeInSeconds = 7776000, ssoTokenRenewCount = 5 com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match
  at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.execute(VmomiClientCommand.java:112)
  at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringNoDomainError(VmomiClientCommand.java:217)
  at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.createServiceContent(AdminClientImpl.java:334)
  at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.<init>(AdminClientImpl.java:107)
  at com.vmware.vim.sso.admin.client.vmomi.VmomiClientFactory.createAdminClient(VmomiClientFactory.java:64)
  at com.vmware.vim.sso.admin.client.vmomi.VmomiClientFactory.createAdminClient(VmomiClientFactory.java:54)
  at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.getTrustedCerts(SsoAdminClientFactoryImpl.java:298)
  at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.aquireToken(SsoAdminClientFactoryImpl.java:275)
  at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.createSSOAdminClient(SsoAdminClientFactoryImpl.java:259)
  at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.registerWithSSO(SsoAdminClientFactoryImpl.java:86)
  at com.vmware.o11n.configuration.authentication.services.SamlAuthenticationServiceAdapter.register(SamlAuthenticationServiceAdapter.java:89)
  at com.vmware.o11n.configuration.authentication.services.SsoAuthenticationService.register(SsoAuthenticationService.java:202)
  at com.vmware.o11n.configuration.authentication.ConfigureAuthProvider.register(ConfigureAuthProvider.java:597)
  at com.vmware.o11n.configuration.authentication.ConfigureAuthProvider.update(ConfigureAuthProvider.java:236)
  at com.vmware.o11n.controlcenter.authentication.AuthenticationController.updateWizzard(AuthenticationController.java:169)
  at com.vmware.o11n.controlcenter.authentication.AuthenticationController$$FastClassBySpringCGLIB$$337aef2c.invoke(<generated>)
  
  Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
  at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.handleHandshakeException(ThumbprintTrustManager.java:511)
  at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:361)
  at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.verifyHostname(VlsiSslSocketFactory.java:129)
  
  Caused by: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

The problem occurs in any of these situations:

• When replacing the machine SSL certificate on an embedded deployment.
• When replacing the machine SSL certificate on the Platform Services Controller in an installation with an external Platform Services Controller.
• When replacing the machine SSL certificate on a vCenter Server system in an installation with an external Platform Services Controller.
• This issue is caused when SSO uses one certificate while in lookupservice to be registered another.

1. Extract the old certificate from your vCenter Server system or Platform Services Controller for later use.
2. Perform the certificate replacement, either by using the Certificate Manager utility or by running certificate management CLI commands.
3. Run the ls_update_certs script, passing in the old certificate and new certificate.

• vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller (2121689)
• vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with a External Platform Services Controller (2121701)