Import the vCenter root certificate into the SDDC manager TrustStore
search cancel

Import the vCenter root certificate into the SDDC manager TrustStore

book

Article ID: 316007

calendar_today

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

If the vCenter root certificate is not published to the SDDC Manager truststores, you may encounter the following errors:

  • Unable to see utilization details in the SDDC UI.
  • Unable to commission hosts.
  • Unable to add hosts into clusters.
  • Unable to log in to the SDDC UI.

You may see exception traces in the commonvsvc log (/var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log) within the SDDC Manager:

YYYY-MM-DDTHH:MM:SS ERROR [common,52343a2f26ac349f,6b2b] [c.v.v.i.sync.utils.VcSyncManagerUtil,cs-exec-3] Error connecting to vCenter vcenter-1, with exception {} com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:250) at com.vmware.vim.vmomi.client.http.impl.HttpExchange.run(HttpExchange.java:51)

The SDDC Manager GUI may display a blank screen with an error message similar to the following:

{"message":"500 - \"{\\\"errorCode\\\":\\\"IDENTITY_INTERNAL_SERVER_ERROR\\\",\\\"arguments\\\":[],\\\"message\\\":\\\"Identity Internal Server Error\\\",\\\"referenceToken\\\":\\\"ABC123\\\"}\""}

Environment

  • VMware Cloud Foundation 4.x
  • VMware Cloud Foundation 5.x

Cause

The vCenter root certificate has changed and the SDDC Manager is still referencing the old root certificate. This can occur when option 8 is run in the certificate manager utility on vCenter.

Resolution

Scripted Process

Upload the VcRootCaSync.py script to the SDDC Manager, and run the script as the root user:

python VcRootCaSync.py

Expected Output:

/home/vcf ]# python VcRootCaSync.py
Please provide SSO administrator user[[email protected]]:
Provide password for [email protected]:
Available vCenter Servers:
[1] ACTIVE | vcsa1.example.com
[2] ACTIVE | vcsa2.example.com

        Select a vCenter server by entering the corresponding number: 1
        Selected vCenter: vcsa1.example.com

         Session token created successfully
         Root certificate saved to /tmp/root.cer

vCenter vcsa1.example.com Root Certificate Found:
-----BEGIN CERTIFICATE-----
MIIDETCCAfmgAwIBAgI***************************ANBgkqhkiG9w0BAQsFADAb

-----END CERTIFICATE-----

         Using randomly generated Alias: abc-def-vcsa1_RootCrt_EA0G

         vCenter Root certificate added to SDDC Manager trust stores.
         Refreshing certificate store
         Deleting root certificate from temp

Manual Process

  1. SSH into the vCenter server and get the root certificate.
  2. If you are using the default certificate, use the following command: 
    /usr/lib/vmware-vmca/bin/certool --getrootca --cert=/tmp/root.cer
  3. If you are using a custom root certificate: 
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots
  4. Copy the root certificate to the temp directory on the SDDC Manager. 
    vi /tmp/root.cer to create an empty file with vi.

Press i to enter insert mode.

Paste the body of the certificate into the root.cer file.

Press esc to exit insert mode.

Type wq! and hit enter to write your changes to the file and exit the vi editor.
  5. Obtain the trusted certificates key by issuing the following command: 
    pass=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)
  6. Import the certificate into the trusted_certificates_store with the keytool. 
    keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass <trust store key>

    Example:

    keytool -importcert -alias new_mgmt_root -file /tmp/root.cer -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $pass
  7. Import the certificate into the cacerts store. 
    keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit

    Example:

    keytool -importcert -alias new_mgmt_root -file /tmp/root.cer -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit
  8. Verify the new certificate has been successfully added. 
    keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $pass | less
  9. Refresh the trusted certificates using the API from the SDDC Manager. 
    curl -X POST localhost/appliancemanager/trustedCertificates/refresh

Workaround

If the SDDC UI is accessible, you can also import the root certificate from API Explorer.

  1. Convert the root certificate on the vCenter into single-line PEM format and copy the output. 
    awk 'NF {sub(//, ""); printf "%s\\n",$0;}' /tmp/vmca.crt

    For example:

    root@vcenter-1 [ ~ ]# awk 'NF {sub(//, ""); printf "%s\\n",$0;}' /tmp/vmca.crt
-----BEGIN CERTIFICATE-----
<certicate..............>
-----END CERTIFICATE-----\n
  2. Navigate to the API Explorer in the SDDC UI and input the certificate and certificateUsageType. 
    API Explorer > APIs for managing Trusted Certificates > POST
    • Input the certificate in one line PEM format in the certificate field.
    • Input TRUSTED_FOR_OUTBOUND into the certificateUsageType field.

  3. Click Execute.

Additional Information

Attachments

VcRootCaSync get_app
Powered by Wolken Software