How to add an untrusted certificate to the truststores in VMware Cloud Foundations

Article ID: 316884

Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:
  • You see messages similar to the following after running the /opt/vmware/sddc-support/sos --certificate-health command on the SDDC Manager Controller VM:
VCFCertHelper Result:
+-----------+----------------------------------------------------+---------+
| Component | Message                                            | Status  |
+-----------+----------------------------------------------------+---------+
|     1     | server certificate chains not found in truststores | WARNING |
+-----------+----------------------------------------------------+---------+

 
  • You see messages similar to the following after running the /opt/vmware/cert-mgmt/bin/vcfcerthelper --action verify-trust command on the SDDC Manager Controller VM:
WARNING: 1 server certificate chains not found in truststores
 
  • You see messages similar to the following in /opt/vmware/cert-mgmt/logs/vcfcerthelper.log on the SDDC Manager Controller VM:
2018-03-21T20:25:05.137750: cct: verify cert with truststore err is
2018-03-21T20:25:05.138203: ERROR: cct: cert not trusted, error 18 at 0 depth lookup:self signed certificate
2018-03-21T20:25:05.138405: debug: cvt: cert chain is untrusted {'hosts': [u'vrops-master.vcf.local:443', u'vrops-replica.vcf.local:443', u'vrops-data-node-1.vcf.local:443'],

Note: The preceding log excerpts are only examples. The date, time, host names, and other environment-specific values will differ in your environment.
 


Environment

VMware Cloud Foundation 2.3.x

Cause

The server certificate presented by the component (in the log example above, the vrops-* hosts) is self-signed, so its chain is not trusted by the VMware Certificate Authority (VMCA) or by SDDC Manager. OpenSSL reports this as error 18 (self signed certificate) at depth 0, which is what vcfcerthelper.log shows.

Resolution

Use the following steps to add the untrusted certificate chain to the truststores:
 
  1. Back up the truststores for vCenter Server, the Platform Services Controllers, and the SDDC Manager Controller VM:
/opt/vmware/cert-mgmt/bin/vcfcerthelper --action list-ca --cert_dir truststore-backup-day-1
  2. Run the verify-trust check again and save its results to the a1 directory:
/opt/vmware/cert-mgmt/bin/vcfcerthelper --action verify-trust --cert_dir a1
  3. Each untrusted certificate chain is written to a file called servercerts_untrusted_#.pem under the a1 directory.
Note: There is one servercerts_untrusted_#.pem file per untrusted chain, so expect several files if more than one certificate is untrusted. Before going further, open each file and confirm that its subject and fingerprint match the appliance that presented it (in the log example above, the vrops-* hosts). The next step adds the chain to every truststore, so a chain you trust without checking is accepted by vCenter Server, the Platform Services Controllers, and SDDC Manager alike.
  4. Add each untrusted chain to the truststores, substituting the file name from step 3:
/opt/vmware/cert-mgmt/bin/vcfcerthelper --action trust-ca --trusted_ca_cert_chain servercerts_untrusted_#.pem
  5. Check the certificate health again; the WARNING shown in the Symptoms section should no longer appear:
/opt/vmware/sddc-support/sos --certificate-health
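The five steps above as one script, added here as an example; it is not part of this article or of the vcfcerthelper tool. It assumes vcfcerthelper accepts a path to the chain file with --trusted_ca_cert_chain, that openssl is on the PATH for the review step, and that the VCFCERTHELPER, SOS, VCF_ASSUME_YES, and VCF_APPLY variable names are introduced by this script. The review step prints each chain's subject, issuer, and SHA-256 fingerprint and waits for confirmation, so the operator compares the fingerprint with the one shown on the source appliance before anything is added to the truststores.

```shell
#!/bin/sh
# Added example: the KB's five steps as one script. Not part of the KB or of
# vcfcerthelper. Assumptions: vcfcerthelper accepts a path to the chain file,
# openssl is on PATH for the review step, and the VCFCERTHELPER, SOS,
# VCF_ASSUME_YES and VCF_APPLY variable names are introduced here.
VCFCERTHELPER="${VCFCERTHELPER:-/opt/vmware/cert-mgmt/bin/vcfcerthelper}"
SOS="${SOS:-/opt/vmware/sddc-support/sos}"

# Step 1: save the current truststore CAs to a dated directory before any change.
backup_truststores() {
    dir="truststore-backup-$(date +%Y%m%d)"
    "$VCFCERTHELPER" --action list-ca --cert_dir "$dir" && echo "$dir"
}

# Steps 2 and 3: run verify-trust into a work directory and list the
# servercerts_untrusted_#.pem files it wrote (none if everything is trusted).
collect_untrusted() {
    workdir="$1"
    "$VCFCERTHELPER" --action verify-trust --cert_dir "$workdir" >/dev/null 2>&1 || true
    ls "$workdir"/servercerts_untrusted_*.pem 2>/dev/null || true
}

# Review step: print subject, issuer and SHA-256 fingerprint to stderr so the
# operator can compare the fingerprint with the one shown on the source appliance.
show_chain() {
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -in "$1" -noout -subject -issuer -fingerprint -sha256 >&2 \
            || echo "could not parse $1; inspect it by hand" >&2
    else
        echo "openssl not found; inspect $1 by hand" >&2
    fi
}

# Step 4: add one reviewed chain to every truststore.
trust_chain() {
    "$VCFCERTHELPER" --action trust-ca --trusted_ca_cert_chain "$1"
}

# Step 5: re-run the health check.
check_health() {
    "$SOS" --certificate-health
}

# Whole flow. Prints the number of chains added. Each chain is shown and must be
# confirmed unless VCF_ASSUME_YES=1 (only for chains you have already verified).
add_untrusted_chains() {
    workdir="${1:-a1}"
    backup_truststores >/dev/null || return 1
    count=0
    for pem in $(collect_untrusted "$workdir"); do
        show_chain "$pem"
        if [ "${VCF_ASSUME_YES:-0}" != "1" ]; then
            printf 'Trust %s? [y/N] ' "$pem" >&2
            read -r answer
            [ "$answer" = "y" ] || continue
        fi
        trust_chain "$pem" && count=$((count + 1))
    done
    echo "$count"
}

# Run end to end only when explicitly asked, e.g. VCF_APPLY=1 sh add-chains.sh a1
if [ "${VCF_APPLY:-0}" = "1" ]; then
    added=$(add_untrusted_chains "${1:-a1}")
    echo "chains added: $added"
    check_health
fi
```

Run it on the SDDC Manager Controller VM as VCF_APPLY=1 sh add-chains.sh a1; it refuses to add any chain until you answer y to the prompt, and VCF_ASSUME_YES=1 should only be used for a second run over files already reviewed.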