[2018-01-11T14:34:17.915-06:00] [ERROR] data-service-pool-665 70000430 100010 200002 com.vmware.utils.ssl.ThumbprintTrustManager Server certificate chain is not trusted and thumbprint doesn't match
[2018-01-11T14:34:17.931-06:00] [ERROR] http-bio-5090-exec-6 70000430 100010 200002 com.vmware.vise.mvc.servlets.GlobalExceptionResolver Exception handled: com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server certificate chain is not trusted and thumbprint doesn't match
Note: The preceding log excerpts are only examples. Date, time, and environment variables may vary depending on your environment.
Cause: A certificate change on the vCenter Server that did not update in the Platform Services Controller managed object browser.
Refer to the Knowledge Base article below for more details.
vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller (2121689)
https://knowledge.broadcom.com/external/article/322835
1. Follow the KB that matches the PSC deployment type:
vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with an External Platform Services Controller (2121701)
https://knowledge.broadcom.com/external/article/320707
vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller (2121689)
https://knowledge.broadcom.com/external/article/322835
2. After the lookup service trust anchors have been validated and corrected as needed, validate that the MACHINE_SSL_CERT store in VECS holds only the leaf certificate under the __MACHINE_CERT alias. On some upgrade paths this entry ends up containing the full certificate chain instead of only the leaf.
Validation:
# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT
Backup the Certificate and Key:
Export the certificate.
# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getcert.txt
Export the private key.
# /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getkey.txt
Copy the leaf certificate block, from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, out of the exported certificate file and save it to the file ~/leaf_MACHINE_CERT.pem.
Verify the saved leaf certificate, then compare the SHA-256 hash of the public key derived from the exported private key with the hash of the leaf certificate's public key. The two sha256sum outputs must be identical.
# openssl x509 -in ~/leaf_MACHINE_CERT.pem -noout -text
# openssl pkey -in ~/entry__MACHINE_CERT-getkey.txt -pubout -outform pem | sha256sum
# openssl x509 -in ~/leaf_MACHINE_CERT.pem -pubkey -noout -outform pem | sha256sum
If the hashes match, proceed; otherwise troubleshoot the errors and mismatches, regenerating certificates as needed.
Recreate the entry in the VECS store:
# service-control --stop --all
# service-control --start vmafdd
# service-control --start vmdird
# service-control --start vmcad
# /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
# /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert ~/leaf_MACHINE_CERT.pem --key ~/entry__MACHINE_CERT-getkey.txt
# service-control --stop --all
# service-control --start --all
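The validation in step 2 (count the certificate blocks in the exported entry, isolate the leaf, confirm its public key matches the exported private key) as a small shell script. This is an added example, not part of the KB article or of VMware's tooling; it assumes the file layout vecs-cli exports (leaf first, CA certificates after it), that openssl is on PATH, and the file names used in the steps above.

```shell
#!/bin/sh
# Added example: check a certificate/key pair exported from the VECS
# MACHINE_SSL_CERT store before recreating the __MACHINE_CERT entry.

# Number of certificate blocks in a PEM file. 1 means a plain leaf;
# more than 1 means the store entry holds a chain (the upgrade-path case).
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || :
}

# Write only the first certificate block (the leaf) to the output file.
extract_leaf() {
    awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print} /-----END CERTIFICATE-----/ {if (p) exit}' "$1" > "$2"
}

# Same comparison as the two sha256sum commands in the KB: hash the public
# key derived from the private key and the public key inside the certificate.
# Returns 0 only when both hashes are present and identical.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform pem | sha256sum | cut -d' ' -f1)
    c=$(openssl x509 -in "$2" -pubkey -noout | sha256sum | cut -d' ' -f1)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Whole check: <exported key> <exported cert> <leaf output file>.
# Usage on the appliance (assumed file names from the steps above):
#   check_export ~/entry__MACHINE_CERT-getkey.txt ~/entry__MACHINE_CERT-getcert.txt ~/leaf_MACHINE_CERT.pem
check_export() {
    n=$(cert_count "$2")
    echo "certificate blocks in $2: $n (more than 1 means the entry holds a chain)"
    extract_leaf "$2" "$3"
    if key_matches_cert "$1" "$3"; then
        echo "leaf $3 matches private key $1"
    else
        echo "MISMATCH: leaf $3 does not match private key $1" >&2
        return 1
    fi
}
```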
Refer to the links below for more related information:
Managing Services and Certificates With CLI Commands
vecs-cli Command Reference
Unable to see any content in the vCenter VIC Plugin UI #299