"error 2 at 1 depth lookup: unable to get issuer certificate." while replacing the certificates

Article ID: 320211

Products

VMware vCenter Server

Issue/Introduction

  • Issue while replacing the certificates for vCenter.
  • Running the certificate-manager to change the certificates fails with an error:
error 2 at 1 depth lookup: unable to get issuer certificate at 0 %
  • In the certificate-manager.log file, entries similar to the following will appear:

YYYY-MM-DDTHH:MM:SS.SSSZ INFO certificate-manager Command executed successfully
YYYY-MM-DDTHH:MM:SS.SSSZ INFO certificate-manager Certificate backup created successfully>
YYYY-MM-DDTHH:MM:SS.SSSZ INFO certificate-manager Running command :- ['D:\\Program Files\\VMware\\vCenter Server\\/openSSL/openssl.exe', 'verify', '-CAfile', 'D:\\CSR\\Vcenter_certificate2\\ROOT.cer', 'D:\\CSR\\Vcenter_certificate2\\Machine_SSL.cer']
YYYY-MM-DDTHH:MM:SS.SSSZ INFO certificate-manager Command output :- >
D:\CSR\Vcenter_certificate2\Machine_SSL.cer: DC = group, DC = essilor, DC = asia, CN = asia-SGDC1CERT001P-IssuingCA
error 2 at 1 depth lookup:unable to get issuer certificate

YYYY-MM-DDTHH:MM:SS.SSSZ ERROR certificate-manager D:\CSR\Vcenter_certificate2\Machine_SSL.cer: DC = group, DC = essilor, DC = asia, CN = asia-SGDC1CERT001P-IssuingCA
error 2 at 1 depth lookup:unable to get issuer certificate

Environment

  • VMware vCenter Server Appliance 6.7.x
  • VMware vCenter Server Appliance 6.5.x

Resolution

To resolve this issue:

  • Check that the certificate chain file is complete and contains the full chain, which looks similar to the following:
-----BEGIN CERTIFICATE-----
[SECONDARY INTERMEDIATE CERTIFICATE]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[PRIMARY INTERMEDIATE CERTIFICATE]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[ROOT CERTIFICATE]
-----END CERTIFICATE-----
  • Use openssl to double check the Issuer and the Subject fields of each certificate:
echo "-----BEGIN CERTIFICATE----- [SECONDARY INTERMEDIATE CERTIFICATE] -----END CERTIFICATE-----" | openssl x509 -in /dev/stdin -noout -text | grep -i "subject\|issuer"
echo "-----BEGIN CERTIFICATE----- [PRIMARY INTERMEDIATE CERTIFICATE] -----END CERTIFICATE-----" | openssl x509 -in /dev/stdin -noout -text | grep -i "subject\|issuer"
echo "-----BEGIN CERTIFICATE----- [ROOT CERTIFICATE] -----END CERTIFICATE-----" | openssl x509 -in /dev/stdin -noout -text | grep -i "subject\|issuer"
*Remember to adjust the commands so that they reflect the certificates from your environment.
  • For the "SECONDARY INTERMEDIATE CERTIFICATE" the Issuer should be the Subject of the "PRIMARY INTERMEDIATE CERTIFICATE"
  • For the "PRIMARY INTERMEDIATE CERTIFICATE" the Issuer should be the Subject of the "ROOT CERTIFICATE"
  • For the "ROOT CERTIFICATE" the Issuer should be the Subject of the "ROOT CERTIFICATE"
  • If this is not the case, one or more certificates are missing from the chain, and the files received from the CA should be double checked.
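The following POSIX shell function is an added example (not part of the KB article) that automates the Subject/Issuer walk described in the steps above over a PEM chain file: it splits the bundle into its certificates in file order, prints each one's Subject and Issuer, requires the Issuer of every certificate to equal the Subject of the certificate that follows it, and requires the last certificate to be self-signed. It assumes `openssl` and `awk` are on the PATH; the chain file name is a hypothetical argument.

```shell
#!/bin/sh
# check_chain FILE: walk a PEM bundle (leaf/intermediate first, root last) and
# report any missing link. Returns 0 for a complete chain, 1 otherwise.
check_chain() {
    chain="$1"
    tmp=$(mktemp -d) || return 1
    # Split the bundle into cert-1.pem, cert-2.pem, ... in the order they appear.
    awk -v dir="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n > 0 { print > out }
        /-----END CERTIFICATE-----/ { close(out) }' "$chain"
    count=$(ls "$tmp" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $chain"; rm -rf "$tmp"; return 1
    fi
    status=0
    i=1
    while [ "$i" -le "$count" ]; do
        # Strip the "subject=" / "issuer=" prefix so both values compare cleanly.
        subj=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer | sed 's/^issuer= *//')
        echo "[$i] subject: $subj"
        echo "[$i] issuer : $iss"
        if [ "$i" -lt "$count" ]; then
            # A non-final certificate must be issued by the next one in the file.
            expect=$(openssl x509 -in "$tmp/cert-$((i + 1)).pem" -noout -subject | sed 's/^subject= *//')
        else
            # The final certificate must be the self-signed root.
            expect="$subj"
        fi
        if [ "$iss" != "$expect" ]; then
            echo "    MISSING: no certificate with subject '$iss' follows [$i]"
            status=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $status
}
```

A chain that triggers the "unable to get issuer certificate" error from the log above will show a MISSING line at the certificate whose issuer is not present in the file.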

Note: In most cases, the intermediate certificate or the root CA certificate is the one that is missing.

Additional Information

"error 20 at 0 depth lookup:unable to get local issuer certificate" when replacing Machine SSL or Solution user certificate with custom certificate