After renewing an ESXi Host Certificate, directly connecting to the host using a browser gives a non-secure connection status

Article ID: 317560

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • The certificate is renewed, but it chains only to the VMCA. As a result, the certificate is not trusted when the host is accessed directly through a browser.
  • The full certificate chain is not pushed to the ESXi host after renewing the certificate (Host -> Certificates -> Renew Certificate).


Cause

This issue occurs because only the first certificate is saved and all intermediate certificates (if any) are truncated.

Resolution

This issue is resolved in ESXi 6.7 Update 2, available at VMware Downloads.

Workaround:
For ESXi 6.7:
  1. SSH to the ESXi host.
  2. Make a backup of the rhttpproxy config file:
cp /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/config.xml.bak
  3. Edit the file:
vi /etc/vmware/rhttpproxy/config.xml
  4. Find the commented-out keyStoreFile entry (it should be at line 77/78) and remove the comment markers, changing

<!-- <keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile> -->

to

<keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile>

  5. Save the file.
  6. Restart the rhttpproxy service (or reboot the ESXi host):
/etc/init.d/rhttpproxy restart
  7. Confirm that the full certificate chain is present on the ESXi host from the Host UI client.
 
For ESXi 6.5:
  1. SSH to the ESXi host.
  2. Make a backup of the rhttpproxy config file:
cp /etc/vmware/rhttpproxy/config.xml /etc/vmware/rhttpproxy/config.xml.bak
  3. Edit the file:
vi /etc/vmware/rhttpproxy/config.xml
  4. Find the following lines:
<ssl>
     <!-- The server private key file -->
     <privateKey>/etc/vmware/ssl/rui.key</privateKey>

     <!-- The server side certificate file -->
     <certificate>/etc/vmware/ssl/rui.crt</certificate>
  </ssl>
  5. Add the comment and keyStoreFile lines shown below (the last two lines before </ssl>) inside the first <ssl> </ssl> section:
<ssl>
     <!-- The server private key file -->
     <privateKey>/etc/vmware/ssl/rui.key</privateKey>

     <!-- The server side certificate file -->
     <certificate>/etc/vmware/ssl/rui.crt</certificate>

     <!-- Client-side CAFile verify location -->
     <keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile>
  </ssl>
  6. Save the file.
  7. Restart the rhttpproxy service (or reboot the ESXi host):
/etc/init.d/rhttpproxy restart
  8. Confirm that the full certificate chain is present on the ESXi host from the Host UI client.
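The following shell script is an added example and is not part of this article or of VMware's own tooling. It applies the same config.xml change as both workarounds above from a script rather than by hand in vi: when a commented-out keyStoreFile element is present (the ESXi 6.7 case) it removes the comment markers, and when the element is absent (the ESXi 6.5 case) it inserts it before the first </ssl>. It also includes a check that exactly one active keyStoreFile element remains, and an openssl s_client helper for confirming how many certificates the host actually serves after the rhttpproxy restart. The file paths are the ones the article names; the sample configs produced by write_sample_config are constructed for demonstration and are not a real rhttpproxy config.xml.

```shell
#!/bin/sh
# Added example, not from the VMware KB: apply the rhttpproxy keyStoreFile
# workaround from a script and verify the result.
# Covers both cases the article describes:
#   - ESXi 6.7: <keyStoreFile> exists but is commented out -> uncomment it
#   - ESXi 6.5: <keyStoreFile> is absent -> insert it inside the first <ssl>...</ssl>
# Paths are those named in the KB. The sample configs written by
# write_sample_config are constructed and only resemble the real file.

KEYSTORE_LINE='<keyStoreFile>/etc/vmware/ssl/castore.pem</keyStoreFile>'

# enable_keystore FILE
# Back up FILE to FILE.bak, then ensure one active <keyStoreFile> element
# exists. Returns 0 on success (including "already active"), 1 on error.
enable_keystore() {
    cfg="$1"
    cp "$cfg" "$cfg.bak" || return 1
    if grep -q '<!--.*<keyStoreFile>.*-->' "$cfg"; then
        # 6.7 case: strip only the comment markers around the element.
        sed 's|<!--[[:space:]]*\(<keyStoreFile>[^<]*</keyStoreFile>\)[[:space:]]*-->|\1|' \
            "$cfg" > "$cfg.tmp" || return 1
    elif ! grep -q '<keyStoreFile>' "$cfg"; then
        # 6.5 case: insert the element (with its comment) before the first </ssl>.
        awk -v line="     $KEYSTORE_LINE" '
            !done && /<\/ssl>/ {
                print "     <!-- Client-side CAFile verify location -->"
                print line
                done = 1
            }
            { print }' "$cfg" > "$cfg.tmp" || return 1
    else
        return 0      # already active: leave the file untouched
    fi
    mv "$cfg.tmp" "$cfg"
}

# keystore_active FILE
# Print the number of uncommented <keyStoreFile> lines; 1 means the fix is in.
keystore_active() {
    grep -v '<!--' "$1" | grep -c '<keyStoreFile>'
}

# served_chain_length HOST
# Count the certificates the host presents on 443 (leaf plus intermediates).
# Needs network access to HOST, so it is not exercised offline; after the
# restart this should be greater than 1 when the chain is served.
served_chain_length() {
    openssl s_client -connect "$1:443" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# write_sample_config KIND FILE   (KIND is 67 or 65)
# Write a constructed minimal file resembling the first <ssl> block of config.xml.
write_sample_config() {
    kind="$1"; out="$2"
    {
        echo '<config>'
        echo '  <ssl>'
        echo '     <!-- The server private key file -->'
        echo '     <privateKey>/etc/vmware/ssl/rui.key</privateKey>'
        echo '     <!-- The server side certificate file -->'
        echo '     <certificate>/etc/vmware/ssl/rui.crt</certificate>'
        if [ "$kind" = 67 ]; then
            echo "     <!-- $KEYSTORE_LINE -->"
        fi
        echo '  </ssl>'
        echo '</config>'
    } > "$out"
}
```

Usage on a host: copy the functions over SSH, run `enable_keystore /etc/vmware/rhttpproxy/config.xml`, confirm `keystore_active /etc/vmware/rhttpproxy/config.xml` prints 1, restart rhttpproxy as in the article, and then run `served_chain_length <esxi-host>` from another machine to confirm more than one certificate is served. The sed pattern only touches a comment that wraps the keyStoreFile element itself, so the other commented lines in the file are left alone.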