How to import the vCenter root certificate into the SDDC manager TrustStore

Article ID: 316007

Products

VMware Cloud Foundation

Issue/Introduction

If the vCenter root certificate has not been published to the SDDC Manager trust stores, the following errors can occur:

  • Unable to see utilization details in the SDDC Manager UI.
  • Unable to commission hosts.
  • Unable to add hosts to clusters.
  • Unable to log in to the SDDC Manager UI.

Exception traces similar to the following can be seen in the commonsvcs log:

/var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log

2023-02-19T03:27:25.116+0000 ERROR [common,52343a2f26ac349f,6b2b] [c.v.v.i.sync.utils.VcSyncManagerUtil,cs-exec-3]
Error connecting to vCenter vcenter-1, with exception {} com.vmware.vim.vmomi.client.exception.SslException:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:250)
at com.vmware.vim.vmomi.client.http.impl.HttpExchange.run(HttpExchange.java:51)

Cause

The vCenter root certificate has changed and SDDC Manager still trusts only the old root, so every TLS connection it opens to vCenter fails PKIX path building. This typically happens after option 8 (Reset all Certificates) is run in the vCenter certificate-manager utility, which regenerates the VMCA root and re-signs the vCenter certificates with it.

Resolution

Scripted process:

Upload the attached script VcRootCaSync.py to the SDDC Manager and run it as the root user:

python VcRootCaSync.py


Manual Process:

  • SSH into the vCenter Server Appliance and export the root certificate.
  • If the default VMCA root certificate is in use:
/usr/lib/vmware-vmca/bin/certool --getrootca --cert=/tmp/root.cer
  • If a custom root certificate is in use, list the trusted roots in VECS and export the entry that issued the vCenter certificate:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store trusted_roots --alias <alias> --output /tmp/root.cer
  • Copy the root certificate to a temporary file on the SDDC Manager (scp it, or paste the PEM text into a new file):
vi /tmp/root.cer
  • Read the trust store password into a shell variable:
pass=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)
  • Import the certificate into trusted_certificates.store with keytool. Use an alias that is not already present in the store; keytool asks "Trust this certificate?" for a root that does not chain to an existing entry, answer yes (or add -noprompt):
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass <trust store key>

example:

keytool -importcert -alias new_mgmt_root -file /tmp/root.cer -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $pass
  • Import the certificate into the JRE cacerts store as well (keytool options take a single dash; the default cacerts password is changeit):
keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts -storepass changeit

example:

keytool -importcert -alias new_mgmt_root -file /tmp/root.cer -keystore /etc/alternatives/jre/lib/security/cacerts -storepass changeit
  • Verify that the new certificate is present in the trust store (add -alias new_mgmt_root to list only the new entry):
keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $pass | less
  • Make SDDC Manager reload its trusted certificates by calling the appliance manager API locally on the SDDC Manager; this avoids a service restart:
curl -X POST localhost/appliancemanager/trustedCertificates/refresh

 


Workaround:

If the SDDC Manager UI is accessible, the root certificate can also be imported from the API Explorer.

  • On the vCenter, convert the exported root certificate (here /tmp/vmca.crt) into single-line PEM format and copy the output. The CR is removed before the NF test so that a CRLF-terminated blank line does not produce a stray "\n":
awk '{ sub(/\r$/, "") } NF { printf "%s\\n",$0 }' /tmp/vmca.crt

For example (the output is a single line; a literal "\n" separates the original lines):

 root@vcenter-1 [ ~ ]# awk '{ sub(/\r$/, "") } NF { printf "%s\\n",$0 }' /tmp/vmca.crt
-----BEGIN CERTIFICATE-----\n<certificate..............>\n-----END CERTIFICATE-----\n

  • Navigate to the API Explorer in the SDDC Manager UI and fill in the certificate and certificateUsageType fields:
API Explorer > APIs for managing Trusted Certificates > POST
  • Input the certificate in single-line PEM format in the certificate field.
  • Input "TRUSTED_FOR_OUTBOUND" into the certificateUsageType field.
  • Execute.
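The following script is an added example for this article; it is not the attached VcRootCaSync.py and not VMware code. It automates the manual process above and also produces the JSON body used by the API Explorer workaround, adding the checks a practitioner wants before trusting a new root: the file must be self-issued (a leaf or intermediate pasted from vecs-cli output is rejected), the live vCenter chain must verify against it, and an alias is skipped if it is already in the store. Assumptions: it runs as root on the SDDC Manager, the exported root is already on this host as a PEM file, keytool, openssl and curl are on PATH, the alias is derived from the certificate fingerprint instead of a fixed name like new_mgmt_root, and the API route /v1/sddc-manager/trusted-certificates is the one behind "APIs for managing Trusted Certificates" (not named on this page).

```shell
#!/bin/sh
# Added example (not the KB's VcRootCaSync.py). Re-trusts a new vCenter root on
# SDDC Manager from a PEM file already copied here, e.g. /tmp/root.cer.
# Assumed: run as root on SDDC Manager; keytool, openssl, curl on PATH.
set -eu

TRUST_STORE=/etc/vmware/vcf/commonsvcs/trusted_certificates.store
TRUST_KEY_FILE=/etc/vmware/vcf/commonsvcs/trusted_certificates.key
CACERTS=/etc/alternatives/jre/lib/security/cacerts
CACERTS_PASS=changeit

# Collapse a PEM file into one line with literal "\n" separators, the form the
# API Explorer "certificate" field expects. CR is stripped before the NF test so
# a CRLF blank line does not become a stray "\n".
pem_to_single_line() {
    awk '{ sub(/\r$/, "") } NF { printf "%s\\n", $0 }' "$1"
}

# JSON body for POST /v1/sddc-manager/trusted-certificates (route assumed).
trusted_cert_payload() {
    printf '{"certificate":"%s","certificateUsageType":"TRUSTED_FOR_OUTBOUND"}' \
        "$(pem_to_single_line "$1")"
}

# Lower-case, colon-free SHA-256 fingerprint; used to build a unique alias.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# A root certificate is self-issued: subject equals issuer.
is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject)" = \
      "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')" ]
}

# Confirm the chain vCenter serves today actually verifies against this root.
root_signs_vcenter() {  # $1 = root PEM, $2 = vCenter FQDN
    chain=$(mktemp); leaf=$(mktemp)
    openssl s_client -connect "$2:443" -servername "$2" -showcerts </dev/null 2>/dev/null \
        | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$chain"
    awk '/-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$chain" > "$leaf"
    if openssl verify -CAfile "$1" -untrusted "$chain" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$chain" "$leaf"
    return $rc
}

# Import into a JKS store unless the alias is already there.
import_into() {  # $1 = keystore, $2 = store password, $3 = alias, $4 = PEM
    if keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1; then
        echo "alias $3 already present in $1, skipping"
        return 0
    fi
    keytool -importcert -noprompt -alias "$3" -file "$4" -keystore "$1" -storepass "$2"
}

sync_root() {  # $1 = root PEM, $2 = vCenter FQDN
    is_self_issued "$1" || { echo "$1 is not a self-issued root certificate" >&2; return 1; }
    root_signs_vcenter "$1" "$2" || { echo "$2 does not chain to $1; wrong root?" >&2; return 1; }
    alias="vc-root-$(cert_fingerprint "$1" | cut -c1-16)"
    pass=$(cat "$TRUST_KEY_FILE")
    import_into "$TRUST_STORE" "$pass" "$alias" "$1"
    import_into "$CACERTS" "$CACERTS_PASS" "$alias" "$1"
    keytool -list -keystore "$TRUST_STORE" -storepass "$pass" -alias "$alias"
    # Make commonsvcs reload its trust store without a service restart.
    curl -sS -X POST localhost/appliancemanager/trustedCertificates/refresh
    echo
}

# Usage: sh vc_root_sync.sh sync /tmp/root.cer vcenter-1.example.com
#        sh vc_root_sync.sh payload /tmp/root.cer   (JSON for the API Explorer route)
case "${1:-}" in
    sync)    sync_root "$2" "$3" ;;
    payload) trusted_cert_payload "$2"; echo ;;
esac
```

The chain check matters because the symptom in this article is identical whether the wrong file was imported or none at all; verifying the served chain against the candidate root before touching the keystores turns a silent no-op into an immediate error.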

 



Attachments

VcRootCaSync.py