Failed to refresh public api access token using refresh token: Encountered error trying to refresh public api access token using refresh token: Cannot read property 'id' of undefined

Article ID: 316020

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

The following error is encountered when trying to update the SDDC:

Retrieving all scheduled and in-progress bundles failed. Unable to retrieve aggregated LCM bundles: Encountered error requesting http://127.0.0.1/v1/upgrades api - Encountered error requesting http://127.0.0.1/v1/upgrades api - Encountered error trying to refresh public api access token using refresh token: Cannot read property 'id' of undefined

/var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log

======================================================================================
2022-07-12T14:36:03.938+0000 ERROR [common,9b73587bba4741e8,38a7] [c.v.e.s.i.s.services.PscServiceImpl,http-nio-127.0.0.1-7100-exec-3] Unable to fetch user & groups from saml token
java.lang.RuntimeException: The SAML token signature validation failed!
        at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.validateSamlToken(PscServiceImpl.java:481)
        at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.getSamlMetaData(PscServiceImpl.java:440)
        at com.vmware.evo.sddc.identity.services.IdentityServiceImpl.getTokenPair(IdentityServiceImpl.java:115)
        at com.vmware.evo.sddc.identity.rest.api.controller.v1.TokenController.createToken(TokenController.java:72)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

/var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log

======================================================================================
2025-06-27T00:10:21.625+0000 INFO  [common,685de16d58f7c91c3f18c683e35e61a8,9813] [o.b.jsse.provider.PropertyUtils,http-nio-127.0.0.1-7100-exec-8] Found string system property [java.home]: /usr/lib/jvm/openjdk-java17-headless.x86_64
2025-06-27T00:10:21.631+0000 INFO  [common,685de16daeefdb1509d7f3930c9b5c55,1a2b] [c.v.v.s.c.i.X509TrustChainKeySelector,http-nio-127.0.0.1-7100-exec-1] Failed to find trusted path to signing certificate <CN=ssoserverSign>
java.security.cert.CertPathBuilderException: Unable to find certificate chain.
        at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)

Environment

VMware Cloud Foundation 4.x
VMware Cloud Foundation 5.x

Cause

There are multiple STS signing certificates in the vCenter's SSO domain. The additional STS certificate generally comes from a linked Cloud vCenter. VCF uses the last certificate to validate the SAML token, so when it encounters an untrusted STS certificate the signature validation fails (the "Failed to find trusted path to signing certificate" and "SAML token signature validation failed" entries above), which surfaces as the error in SDDC Manager.

Refer to the following KB to check the existing STS certs:

Checking Expiration of STS Certificate on vCenter Servers
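The two vcf-commonsvcs.log excerpts above carry the signature of this condition. The following Python triage helper is an added example, not part of this article or of the VCF product: it parses the record layout seen in those excerpts (timestamp, level, [service,traceId,spanId], [logger,thread] message), attaches stack-trace continuation lines to the record they belong to, and reports whether the untrusted STS signer pattern is present. The sample lines are copied from the excerpts above; the function names and the summary fields are my own.

```python
import re

# Header of a vcf-commonsvcs.log record, as seen in the excerpts above (assumed layout):
# <timestamp> <LEVEL> [<service>,<traceId>,<spanId>] [<logger>,<thread>] <message>
HEADER = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+\[(?P<svc>[^,\]]+),(?P<trace>[0-9a-f]+),(?P<span>[0-9a-f]+)\]"
    r"\s+\[(?P<logger>[^,\]]+),(?P<thread>[^\]]+)\]\s+(?P<msg>.*)$"
)
# Messages that mark the STS signing-certificate problem this article describes
UNTRUSTED_SIGNER = re.compile(r"Failed to find trusted path to signing certificate <(?P<dn>[^>]+)>")
CHAIN_ERROR = "CertPathBuilderException: Unable to find certificate chain"
SAML_REJECTED = "The SAML token signature validation failed!"

def parse_records(lines):
    """Attach exception and 'at ...' continuation lines to the header record before them."""
    records = []
    for line in lines:
        m = HEADER.match(line)
        if m:
            records.append({**m.groupdict(), "extra": []})
        elif records and line.strip():
            records[-1]["extra"].append(line.strip())
    return records

def triage_sts_trust(lines):
    """Summarise evidence of an untrusted STS signing certificate in vcf-commonsvcs.log lines."""
    summary = {"untrusted_signers": set(), "chain_errors": 0, "saml_rejections": 0, "traces": set()}
    for rec in parse_records(lines):
        text = " ".join([rec["msg"], *rec["extra"]])  # message plus its stack trace
        hit = UNTRUSTED_SIGNER.search(text)
        if hit:
            summary["untrusted_signers"].add(hit.group("dn"))  # e.g. CN=ssoserverSign
        summary["chain_errors"] += CHAIN_ERROR in text
        summary["saml_rejections"] += SAML_REJECTED in text
        if hit or CHAIN_ERROR in text or SAML_REJECTED in text:
            summary["traces"].add(rec["trace"])  # trace ids to pull for the full request
    return summary

def matches_kb_316020(summary):
    """True when the log shows the pattern this article resolves."""
    return bool(summary["untrusted_signers"]) or summary["saml_rejections"] > 0

# Constructed sample: the lines quoted in this article, in file order
SAMPLE = """\
2022-07-12T14:36:03.938+0000 ERROR [common,9b73587bba4741e8,38a7] [c.v.e.s.i.s.services.PscServiceImpl,http-nio-127.0.0.1-7100-exec-3] Unable to fetch user & groups from saml token
java.lang.RuntimeException: The SAML token signature validation failed!
        at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.validateSamlToken(PscServiceImpl.java:481)
2025-06-27T00:10:21.631+0000 INFO  [common,685de16daeefdb1509d7f3930c9b5c55,1a2b] [c.v.v.s.c.i.X509TrustChainKeySelector,http-nio-127.0.0.1-7100-exec-1] Failed to find trusted path to signing certificate <CN=ssoserverSign>
java.security.cert.CertPathBuilderException: Unable to find certificate chain.
""".splitlines()
```

Run `triage_sts_trust(open("/var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log").read().splitlines())` on the SDDC Manager to get the signer DN and the trace ids to search for in the same log.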

Resolution

  1. SSH into the Management vCenter as root.

  2. Run the vCert script ("vCert - expired certificate replacement script") and select:

    Option 3. Manage certificates
    Option 7. STS signing certificates

    Then restart the services on the Management vCenter.

  3. SSH into the SDDC Manager as the vcf user and then elevate to root.

  4. Restart the services on the SDDC Manager:

    /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh