"Server certificate chain is not trusted and thumbprint verification is not configured" upgrading external SSO Server to vSphere 6.5 PSC
Article ID: 315241
Updated On:
Products
VMware vSphere ESXi
Issue/Introduction
Symptoms:
- When upgrading an external Single Sign-On Server to a vSphere 6.5 Platform Services Controller, appliance does not migrate the intermediate SSL certificate.
- Stage 2 of the upgrade fails with this error:
The SSL certificate does not match when connecting to the vCenter Single Sign-On.
com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumnprint verification is not configured
- In the VMware-VCS-logs-Date/vcsUpgrade/cmfirstboot.py_####_stdout.log file, you see entries similar to:
2016-11-28T18:17:11.798Z [main DEBUG com.vmware.vim.vmomi.client.common.impl.LoggingFilterOutputStream] Logging request to '/var/log/vmware/cm/firstboot/cmcli-vlsi-exchange.log-0000.log'
2016-11-28T18:17:12.068Z [main DEBUG com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager] Server certificate chain is not trusted
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
2016-11-28T18:17:12.075Z [main DEBUG com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager] Server certificate chain not verified for Certificate: [
...
2016-11-28T18:17:12.085Z [main WARN com.vmware.cis.services.cm.service.util.LsUtils] Call to lookup service failed; uri:https://<FQDN>/lookupservice/sdk [com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint verification is not configured]
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Cause
This issue occurs when you upgrade by exporting only the root CA cert into the cert chain file instead of appending both intermediate and root CA certs to this file.
Resolution
This issue is resolved in VMware vCenter Server Appliance 6.5 b.
Additional Information
- See if entries similar to: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
- vmware-vapi-endpoint fails to start or crashes after upgrading to vCenter Server 6.5 Update 2
- vAPI Endpoint service fails to start. vCenter 6.5
- "Error [500] SSO error: com.vmware.vim.vmomi.core.exception...." occurs when VMware VAPI Endpoint service fails to start
Feedback
Yes
No
Powered by
