VIC Plugin in HTML5 Client Fails Thumbprint Validation
search cancel

VIC Plugin in HTML5 Client Fails Thumbprint Validation

book

Article ID: 315128

calendar_today

Updated On:

Products

VMware vCenter Server 6.0

Issue/Introduction

Symptoms:
  • The VIC plugin frame loads but none of the objects load within the plugin.
  • The actions show disabled.
  • In the logs on the vCenter vSphere-ui/logs/vsphere_client_virgo.log show similar to the following:
      [2018-01-11T14:34:17.915-06:00] [ERROR] data-service-pool-665  70000430 100010 200002 com.vmware.utils.ssl.ThumbprintTrustManager   Server certificate chain is not trusted and thumbprint doesn't match
      [2018-01-11T14:34:17.931-06:00] [ERROR] http-bio-5090-exec-6  70000430 100010 200002 com.vmware.vise.mvc.servlets.GlobalExceptionResolver   Exception handled:  com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server certificate chain is not trusted and thumbprint doesn't match
    
    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment. 

Environment

VMware vSphere Integrated Containers 1.x
VMware vCenter Server 6.x

Cause

Certificate change on the vCenter that did not update in the platform service controller managed object browser. 

Refer to below mentioned Knowledge Base article for more details.

Resolution


 1.    Follow the KB that matches the PSC deployment type:

             vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with an External Platform Services Controller (2121701)
             https://knowledge.broadcom.com/external/article/320707  

             vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller (2121689)
             https://knowledge.broadcom.com/external/article/322835  

 2.  After the lookupservice trust anchors have been validated and corrected as needed validate the VECS store has the leaf certificate for the MACHINE_SSL_CERT store __MACHINE_SSL alias. This would become a chain certificate from some upgrade paths.

 Validation:

  1. Check the MACHINE_SSL_CERT store. This should be a single leaf certificate. If the store contains the chain certificate then this will need to be corrected.
    #  /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT

Backup the Certificate and Key:

  1. Export the certificate.

    # /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getcert.txt
  2.  Export the private key.  

    # /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getkey.txt

 

Copy certificate leaf:

  1. The certificate leaf is the top most certificate of the chain file. Use preferred text editor to the first certificate denoted by and including -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----. Save this to the file leaf_MACHINE_CERT.pem.
  2. Validate the certificate is correct. 
    # openssl x509 -in ~/leaf_MACHINE_CERT.pem -noout -text
  3. Validate public keys match. 
    # openssl pkey -in ~/entry__MACHINE_CERT-getkey.txt -pubout -outform pem | sha256sum  
    # openssl x509 -in ~/leaf_MACHINE_CERT.pem -pubkey -noout -outform pem | sha256sum

         
 If validation is correct proceed, else troubleshoot any errors and mismatches regenerating certificates as needed.

Recreate the entry in the VECS store:

  1. Stop all services and start only the vmaffdd, vmdird, vmcad services.
    # service-control --stop --all
    # service-control --start vmafdd
    # service-control --start vmdird
    # service-control --start vmcad
  2. Delete the existing entry.
    # /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
  3. Create a new entry of the same name pointing to the same key and leaf certificate.
    # /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert ~/leaf_MACHINE_CERT.pem --key entry__MACHINE_CERT-getkey.txt
  4. Stop start all services (Alternative reboot VCSA)
    # service-control --stop --all
    # service-control --start --all


Additional Information