"Server certificate chain is not trusted and thumbprint verification is not configured" upgrading external SSO Server to vSphere 6.5 PSC
Article ID: 315241
Products
VMware vSphere ESXi
Issue/Introduction
Symptoms:
When upgrading an external Single Sign-On Server to a vSphere 6.5 Platform Services Controller, the appliance does not migrate the intermediate SSL certificate.
Stage 2 of the upgrade fails with this error:
The SSL certificate does not match when connecting to the vCenter Single Sign-On. com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint verification is not configured
In the VMware-VCS-logs-Date/vcsUpgrade/cmfirstboot.py_####_stdout.log file, you see entries similar to:
2016-11-28T18:17:11.798Z [main DEBUG com.vmware.vim.vmomi.client.common.impl.LoggingFilterOutputStream] Logging request to '/var/log/vmware/cm/firstboot/cmcli-vlsi-exchange.log-0000.log'
2016-11-28T18:17:12.068Z [main DEBUG com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager] Server certificate chain is not trusted
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
2016-11-28T18:17:12.075Z [main DEBUG com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager] Server certificate chain not verified for Certificate:
[
...
2016-11-28T18:17:12.085Z [main WARN com.vmware.cis.services.cm.service.util.LsUtils] Call to lookup service failed; uri:https://<FQDN>/lookupservice/sdk [com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint verification is not configured]
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Cause
This issue occurs when you upgrade after exporting only the root CA certificate into the certificate chain file, instead of appending both the intermediate and root CA certificates to this file.
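A pre-upgrade check for the gap described above, as an added example that is not VMware tooling or part of the original article: it walks from a leaf certificate up through a PEM chain file by issuer and subject DN and names the first issuer the file lacks. The function names (`dn`, `chain_gap`, `issue`, `make_demo_pki`) and the "Constructed ..." certificate names are assumptions made for the illustration; the check compares names only and does not verify signatures.

```shell
#!/bin/sh
# Added example (not VMware code). Requires the openssl command-line tool.

# dn FIELD FILE: print the subject or issuer DN of a PEM certificate.
dn() { openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"; }

# chain_gap LEAF CHAIN: print "complete" (exit 0) or "missing: <issuer DN>" (exit 1).
chain_gap() {
  work=$(mktemp -d) || return 2
  # Split the chain file into one file per certificate.
  awk -v d="$work" '/BEGIN CERTIFICATE/{n++} n{print > (d "/c" n ".pem")}' "$2"
  cur=$1 depth=0
  while [ "$depth" -lt 10 ]; do
    want=$(dn issuer "$cur")
    if [ "$want" = "$(dn subject "$cur")" ]; then
      echo "complete"; rm -rf "$work"; return 0      # reached a self-signed root
    fi
    next=
    for c in "$work"/c*.pem; do
      if [ -f "$c" ] && [ "$(dn subject "$c")" = "$want" ]; then next=$c; break; fi
    done
    if [ -z "$next" ]; then
      echo "missing: $want"; rm -rf "$work"; return 1 # issuer absent from chain file
    fi
    cur=$next depth=$((depth + 1))
  done
  rm -rf "$work"; echo "missing: depth limit reached"; return 1
}

# issue NAME CN SIGNER: create NAME.pem with subject CN, signed by SIGNER.pem/SIGNER.key.
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" &&
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial -days 1 -out "$1.pem"
}

# make_demo_pki DIR: constructed root -> intermediate -> leaf sample input.
# The names chain correctly; CA extensions are omitted, so this is test data only.
make_demo_pki() {
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
      -keyout root.key -out root.pem &&
    issue int "Constructed Intermediate CA" root &&
    issue leaf "sso.example.test" int ) >/dev/null 2>&1
}
```

Run `chain_gap leaf.pem chain.pem` against the exported files before starting the upgrade; a chain file holding only the root reports the intermediate CA as missing.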
Resolution
This issue is resolved in VMware vCenter Server Appliance 6.5 b.