Symptoms:
The certificate replacement task fails in the SDDC UI with an error similar to the following:
500 Internal Server Error: "{"type":"com.vmware.vapi.std.errors.error","value":{"error_type":"ERROR","messages":[{"args":["Unexpected data detected in stream"],"default_message":"Exception found (Unexpected data detected in stream)","id":"com.vmware.certificatemanagement.error"}]}}" Error Message: Failed to replace certificate for myvCenter.acme.com due to: 500 Internal Server Error: "{"type":"com.vmware.vapi.std.errors.error","value":{"error_type":"ERROR","messages":[{"args":["Unexpected data detected in stream"],"default_message":"Exception found (Unexpected data detected in stream)","id":"com.vmware.certificatemanagement.error"}]}}" Remediation Message: Reference Token:
Cause:
SDDC Manager: /var/log/vmware/vcf/operationsmanager/operationsmanager.log:
2022-05-04T10:08:40.659+0000 DEBUG [vcf_om,5feb9d47bd8f4c1b,3338] [c.v.v.c.s.f.i.CertificateOperationsFacadeImpl,http-nio-127.0.0.1-7300-exec-6] DomainCertificateOperation: {"workflowId":"3e15e9e9-d5fb-4fb4-aa58-9d824cdfa54a","domainName":"EUC-WLD","operationType":"REPLACE_CERTIFICATE","operationStatus":"*****","resourceCertificateOperations":[{"resource":{"hostName":"<vCenter FQDN>","resourceType":"vcenter","master":false},"result":{"status":"FAILED","message":"{\"code\":\"CERTIFICATE_REPLACEMENT_FAILED_WITH_ERROR\",\"args\":[\"*****\",\"500 Internal Server Error: [{\\\"type\\\":\\\"com.vmware.vapi.std.errors.error\\\",\\\"value\\\":{\\\"error_type\\\":\\\"ERROR\\\",\\\"messages\\\":[{\\\"args\\\":[\\\"Unexpected data detected in stream\\\"],\\\"default_message\\\":\\\"Exception found (Unexpected data detected in stream)\\\",\\\"id\\\":\\\"com.vmware.certificatemanagement.error\\\"}]}}]\"]}"},"creationTimestamp":1651658707878,"updateTimestamp":1651658860269}]}
The upload of the myDomain.tar.gz file may well succeed, but the implementation of the certificate will fail within a few minutes.
This issue can be caused by extraneous words, strings, or characters in the Root CA certificate chain.
For example, when reviewing the Root CA certificate chain in Notepad, you see the following:
-----BEGIN CERTIFICATE-----MIIEeTCCA2GgAwIBAgIQZcZHmdw+nBf5XyAxYS0AkzANBgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxKzApBgNVBAoTIkhld2xldHQgUGFja2FyZCBFbnRlcnByaXNlIENvbXBhbnkxIDAeBgNVBAsTF0luZnJhc3RydWN0dXJlIFNlcnZpY2VzMTMwMQYDVQQDEypIZXdsZXR0IFBhY2thcmQgRW50ZXJwcmlzZSBQcml2YXRlIFJvb3QgQ0EwHhcNMTUwNDIzMDAwMDAwWhcNMjUwMzE1MjM1OTU5WjCBkDELMAkGA1UEBhMCVVMxKzApBgNVBAoTIkhld2xldHQgUGFja2FyZCBFbnRlcnByaXNlIENvbXBhbnkxIDAeBgNVBAsTF0luZnJhc3RydWN0dXJlIFNlcnZpY2VzMTIwMAYDVQQDEylIZXds
-----END CERTIFICATE-----\n
"root cert":"subject=CN=My Company Intermediate CA,OU=My Company Intermediate CA,
O=ACME Ltd\nissuer=My Company Root CA\n
-----BEGIN CERTIFICATE-----BBYEFJD5ROug+pPblhqlQrD9wTOgPiQ9MB8GA1UdIwQYMBaAFIOA+h+k1dppMXlvmi58m3VRBv1IMA0GCSqGSIb3DQEBCwUAA4IBAQAOCW0adHMxuis4pafpyeckc9Z2SCFMWyyoVJp0zTybWQaxCT+TmbzCd4aPCor/aUUCKzwaEYg/ca9ioe39h0FFa8yK8X0E1/8NcxEBOxHnWNoGQ60rV3V9X04nSK/cB+2ihg8pD3ziIsP2O8Hd3ZzyItzPeRejsI5lLf/HUXrD4vA1UdIwQYMBaAFIOA+h+k1dppMXlvmi58m3VRBv1IMATmbzCd4aPCor/aU
0uyjWYPeRejsI5lLf/HUXrD4vBsSzd+MP+rNSj4ubCUsYJIJ6NEmRxvHibv+UFnk9BzmamPKg7wvM23l3cPZu7Wctl5pNQH3E+l6yuBffrghLVpgA8kF+gzKVD/+oCmnvqCGvwgZ9SFBBqW/Sz+NcenC2nGZFOVfLp7I9NlpYrvhJaYowuWhN3hzLQvl
-----END CERTIFICATE-----
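The text between the first -----END CERTIFICATE----- marker and the second -----BEGIN CERTIFICATE----- marker (shown in red in the original article: the trailing \n, the "root cert":"subject=... line and the issuer line) is sometimes included in certificate chains as a descriptor and does not affect the reading of the cert in cryptoshell.
However, such text will cause the certificate replacement to fail on the vCenter side.
NOTE: The extraneous content may take other forms, such as other text or numbers.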
Resolution:
Edit the certificate chain and remove the extra lines. The chain should look similar to the following:
-----BEGIN CERTIFICATE-----MIIEeTCCA2GgAwIBAgIQZcZHmdw+nBf5XyAxYS0AkzANBgkqhkiG9w0BAQsFADCBkTELMAkGA1UEBhMCVVMxKzApBgNVBAoTIkhld2xldHQgUGFja2FyZCBFbnRlcnByaXNlIENvbXBhbnkxIDAeBgNVBAsTF0luZnJhc3RydWN0dXJlIFNlcnZpY2VzMTMwMQYDVQQDEypIZXdsZXR0IFBhY2thcmQgRW50ZXJwcmlzZSBQcml2YXRlIFJvb3QgQ0EwHhcNMTUwNDIzMDAwMDAwWhcNMjUwMzE1MjM1OTU5WjCBkDELMAkGA1UEBhMCVVMxKzApBgNVBAoTIkhld2xldHQgUGFja2FyZCBFbnRlcnByaXNlIENvbXBhbnkxIDAeBgNVBAsTF0luZnJhc3RydWN0dXJlIFNlcnZpY2VzMTIwMAYDVQQDEylIZXds
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----BBYEFJD5ROug+pPblhqlQrD9wTOgPiQ9MB8GA1UdIwQYMBaAFIOA+h+k1dppMXlvmi58m3VRBv1IMA0GCSqGSIb3DQEBCwUAA4IBAQAOCW0adHMxuis4pafpyeckc9Z2SCFMWyyoVJp0zTybWQaxCT+TmbzCd4aPCor/aUUCKzwaEYg/ca9ioe39h0FFa8yK8X0E1/8NcxEBOxHnWNoGQ60rV3V9X04nSK/cB+2ihg8pD3ziIsP2O8Hd3ZzyItzPeRejsI5lLf/HUXrD4vA1UdIwQYMBaAFIOA+h+k1dppMXlvmi58m3VRBv1IMATmbzCd4aPCor/aU
0uyjWYPeRejsI5lLf/HUXrD4vBsSzd+MP+rNSj4ubCUsYJIJ6NEmRxvHibv+UFnk9BzmamPKg7wvM23l3cPZu7Wctl5pNQH3E+l6yuBffrghLVpgA8kF+gzKVD/+oCmnvqCGvwgZ9SFBBqW/Sz+NcenC2nGZFOVfLp7I9NlpYrvhJaYowuWhN3hzLQvl
-----END CERTIFICATE-----
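One way to find the extra lines before uploading the chain, as an added example that is not part of the original article or of any VMware tooling: the script below reports every line that falls outside a BEGIN/END CERTIFICATE block (or trails a marker on the same line) and returns the chain with only the certificate blocks kept. The function name scan_chain and the sample chain are assumptions made for illustration; the base64 bodies are constructed placeholders, not real certificates.

```python
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # one line of a PEM body

def scan_chain(text):
    """Return (cleaned_chain, findings); findings are (line_no, text) tuples.

    Checks PEM framing only; it does not parse or validate the certificates.
    A stray line made up purely of base64 characters inside a block is not caught.
    """
    blocks, findings, current = [], [], None
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if current is None and line.startswith(BEGIN):
            # Open a block; anything after the marker is treated as body text.
            current, line = [BEGIN], line[len(BEGIN):].strip()
        elif current is not None and line.startswith(END):
            # Close the block; anything after the marker (e.g. a literal \n) is extra.
            blocks.append("\n".join(current + [END]))
            current, line = None, line[len(END):].strip()
            if line:
                findings.append((no, line))
            continue
        if not line:
            continue
        if current is not None and B64_LINE.match(line):
            current.append(line)
        else:
            findings.append((no, line))
    if current is not None:
        findings.append((len(lines), "unterminated certificate block"))
    return "\n".join(blocks) + "\n", findings

# Constructed sample: placeholder base64 bodies, descriptor text as in the article.
SAMPLE = "\n".join([
    BEGIN, "Q09OU1RSVUNURURfU0FNUExFX0NFUlRfMQ==", END + "\\n",
    '"root cert":"subject=CN=My Company Intermediate CA,OU=My Company Intermediate CA,',
    "O=ACME Ltd\\nissuer=My Company Root CA\\n",
    BEGIN, "Q09OU1RSVUNURURfU0FNUExFX0NFUlRfMg==", END,
])

if __name__ == "__main__":
    cleaned, findings = scan_chain(SAMPLE)
    for no, extra in findings:
        print(f"line {no}: extraneous text: {extra!r}")
    print(cleaned, end="")
```

An empty findings list means the chain contains nothing but certificate blocks; a chain that still fails after that needs the certificates themselves checked with a proper X.509 parser.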