Vulnerability scan reports "Please install a server certificate signed by a trusted third-party Certificate Authority" on port 9080
search cancel

Vulnerability scan reports "Please install a server certificate signed by a trusted third-party Certificate Authority" on port 9080

book

Article ID: 319995

calendar_today

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

  • Vulnerability scan on port 9080 on ESXi host may report "Please install a server certificate signed by a trusted third-party Certificate Authority"
  • An inconsistency is observed with the certificate observed on port 443 and 9080. 

Environment

VMware vSphere 8.x
VMware vSphere 7.x
 

Cause

  • The IO Filter on the ESXi host is not correctly registered with the Host Certificate.

The cause can be verified with the following steps :

1. Visit the host URL ( https://esxi-ip-or-fqdn ) on a browser and view the certificate 
2. Visit https://esxi-ip-or-fqdn:9080/version.xml and view the certificate on the browser. 

If both certificates are different, we may confirm that the IO Filter certificate is not registered with the Host certificate. 

Alternative way : 

Run the following commands on an SSH session ( vCenter /  ESXi host ) : 

For port 443
openssl s_client -connect esxi-ip-or-fqdn:443 | openssl x509 -noout -fingerprint 

For port 9080:
openssl s_client -connect esxi-ip-or-fqdn:9080| openssl x509 -noout -fingerprint 

The output should look similar to : 
depth=1 CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = vc.domain.local, OU = VMware Engineering
verify return:1
depth=0 C = US, ST = California, L = Palo Alto, O = VMware, OU = VMware Engineering, CN = esxi.domain.local, emailAddress = [email protected]
verify return:1
DONE
SHA1 Fingerprint=85:6F:36:32:1C:3F:C8:xx:xx:xx:xx:xx:xx:BE:8F:52:3F:D8:78:FE

  • You are using self signed certificates
     

Resolution

  1. Verify that the host is using a custom certificate. (If the host is using self signed certificate, you can create custom certificates for the ESXi host(s)  Configuring CA signed certificates for ESXi hosts or you can Download and install vCenter Server root certificates to avoid web browser certificate warnings)
  2. Refresh the IO Filter provider certificate with the following command

    /usr/lib/vmware/iofilter/bin/iofvp-ctrl-app -r

  3. Verify that the certificate retrieved from both URLs are the same using the steps from the cause section.

Additional Information

Alarm for Registration/unregistration of third-party IO filter storage providers fails
https://knowledge.broadcom.com/external/article/313921 

Impact/Risks:

The IO Filter certificate will be registered with the host's certificate. The IO Filter provider will start using the custom certificate from the host instead of the previously used certificate.

Powered by Wolken Software