Resolving certificate precheck failures during vCenter registration

Article ID: 320874

Updated On:

Products

VMware vCenter Server

Issue/Introduction

This document describes the possible precheck failures that can occur during the vCenter registration process on Cloud Gateway and provides information to address them.

Symptoms:
vCenter Server registration to Cloud Gateway fails with an error message.

Environment

VMware vCenter Server 8.0.x
VMware vCenter Server 7.0.x

Cause

Checks on the vCenter certificate are performed during vCenter registration on vCenter Cloud Gateway. These checks cover the most common operations that depend on the validity of the vCenter server certificate to establish a TLS connection between the gateway and vCenter. The precheck can fail because of issues in the vCenter configuration or because of network problems.

Resolution

The VC registration page produces one of the following error messages when the VC certificate precheck fails. For each message, the description, the known issues and the resolution are listed.

Error message: The vCenter Management Interface is not using the machine SSL certificate for the vCenter Server appliance
Description: The gateway detects that the SSL certificate used during the handshake with vCenter's Appliance Management Interface (VAMI, port 5480) did not match vCenter's SSL certificate from port 443.
Known issues and resolution:
  • After changing vCenter's SSL certificates, the VMware Appliance Management Interface (VAMI) accessed through port 5480 (https://<VC_FQDN>:5480) does not use the new SSL certificate yet. Please follow 2. "Resolving VMware Appliance Management Interface (VAMI) certificate issue" to validate and resolve the issue.
  • The issue can happen if there is a proxy configured between Cloud Gateway (GW) and vCenter that intercepts the certificate. Please follow 1. "Resolving proxy issues" to resolve issues related to the proxy.

Error message: Inconsistent vCenter server certificate thumbprint during registration
Description: During vCenter registration, the gateway detects that the SSL certificate thumbprint obtained during the SSL handshake differs from the initial certificate thumbprint value provided by the VC registration UI.
Known issue: A proxy configured between GW and vCenter intercepts the certificate.
Resolution: Please follow 1. "Resolving proxy issues" to resolve all issues related to the proxy.

Error message: Inconsistent vCenter certificate in the lookup service
Description: During vCenter registration, the gateway failed to connect to the VC service using the provided certificate thumbprint.
Known issue: A proxy configured between GW and vCenter intercepts the certificate.
Resolution: Please follow 1. "Resolving proxy issues" to resolve all issues related to the proxy.

Error message: vCenter server TLS certificate doesn't match the TLS certificate obtained from the certificate management service
Description: The vCenter TLS certificate obtained from the SSL handshake between GW and vCenter doesn't match the vCenter server TLS certificate obtained from the certificate management service.
Known issue: A proxy configured between GW and vCenter intercepts the certificate.
Resolution: Please follow 1. "Resolving proxy issues" to resolve all issues related to the proxy.

Error message: Failed to obtain the certificate management service
Description: During vCenter registration, the gateway failed to get the service endpoint of the vCenter certificate management service.
Known issue: Configuration issue in the service registration.
Resolution: Please follow the procedure in 3. "Resolving issues in the Lookup service" to address this issue.

Error message: The certificate management service is unreachable
Description: During vCenter registration, the gateway failed to connect to the vCenter certificate management service endpoint.
Known issues and resolution:
  • An intermittent network issue. Please retry the VC registration after a while. This typically will not happen, since all the operations prior to this one had worked normally.
  • Configuration issue in the service registration. Please follow the procedure in 3. "Resolving issues in the Lookup service" to address this issue.

Error message: Failed to validate certificate used by certificate management service
Description: The validation of the certificate used by the certificate management service endpoint failed, so an SSL connection to the endpoint could not be established.
Known issue: Configuration issue in the service registration. The certificates in the endpoint's sslTrust must contain the correct certificates to validate the endpoint certificate during the SSL handshake.
Resolution: Please follow 3. "Resolving issues in the Lookup service" to address this issue.

Error message: Failed to validate vCenter server certificate
Description: The validation of the VC server certificate using the trusted root CA failed.
Known issue: Some root certificates might be missing from the trust store of the GW. This can happen if a certificate operation in the past accidentally removed the required root certificate from the trust store.
Resolution: Since the root CA certificates are pushed to the GW trust store during a VC certificate update/replace, please try to replace or update the GW trust store again to resolve the issue. Please refer to 4. "Replacing vCenter certificate" for the procedure.

Error message: Failed to verify vCenter hostname in the vCenter server certificate
Description: The validation of the VC server certificate using the trusted root CA certificates provided by the certificate management service failed. The failure is not in the certificate chain validation but in the hostname verification.
Known issue: The certificate doesn't contain a Common Name or Subject Alternative Name extension entry that matches the VC hostname used to register on the gateway.
Resolution: Please register vCenter on the gateway using the VC FQDN that matches the SAN entry in vCenter's SSL certificate. If the VC needs to be registered using an IP address, ensure that the certificate contains a SAN entry with this IP address. If the certificate's SAN doesn't contain the required entry (FQDN or IP address), please follow the procedure in 4. "Replacing vCenter certificate" to replace the vCenter certificate with the required information.


Solutions

1. Resolving proxy issues

1.1. Validating no proxy between Cloud Gateway (GW) and vCenter

There should be no proxy between GW and vCenter. If a proxy is set on the GW, all vCenters need to be excluded from the proxy. 

You can also check the setting manually from the command line.

  1. Log in to the GW machine.
  2. Validate that HTTPS_PROXY is not set in the /etc/sysconfig/proxy config file.
    If it is set, ensure that all vCenter hostnames to be registered are covered in the NO_PROXY list.
  3. Additionally, check that the settings are applied in the environment variables using the following command:
    env | grep -i proxy
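The NO_PROXY check in step 2 is easy to get wrong by eye when several vCenters are registered. The following script is an added example (not part of this KB article or of the Cloud Gateway itself) that parses a sysconfig-style proxy file and reports which vCenter hostnames would still be sent through the proxy. The file contents are a constructed sample, and the NO_PROXY matching rule (an entry matches the host exactly or any of its subdomains; "*" matches everything) is an assumption that follows the common convention used by curl and similar tools; the exact semantics can differ between tools.

```python
import re

# Constructed sample of an /etc/sysconfig/proxy file on the gateway; not taken
# from any real appliance. A proxy is enabled and NO_PROXY covers only some hosts.
SAMPLE_SYSCONFIG_PROXY = """\
# Constructed sample, not a real gateway configuration
PROXY_ENABLED="yes"
HTTP_PROXY="http://proxy.example.test:3128"
HTTPS_PROXY="http://proxy.example.test:3128"
NO_PROXY="localhost, 127.0.0.1, vc01.example.test, .lab.example.test"
"""

_ASSIGNMENT = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')


def parse_sysconfig_proxy(text):
    """Parse KEY="value" lines from a sysconfig-style proxy file into a dict.
    Comment and blank lines are ignored; surrounding quotes are stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = _ASSIGNMENT.match(line)
        if not match:
            continue
        key, value = match.groups()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[key] = value
    return settings


def host_excluded_by_no_proxy(no_proxy, host):
    """True if `host` is covered by the comma-separated NO_PROXY list.
    Assumed rule (curl-style): an entry matches the host itself or any
    subdomain of it, with or without a leading dot; '*' matches everything."""
    host = host.strip().lower().rstrip(".")
    for entry in no_proxy.split(","):
        entry = entry.strip().lower().strip(".")
        if not entry:
            continue
        if entry == "*" or host == entry or host.endswith("." + entry):
            return True
    return False


def vcenters_not_excluded(config_text, vcenter_hosts):
    """Return the vCenter hostnames whose traffic would still go through the
    proxy. If the proxy is disabled or HTTPS_PROXY is unset, nothing is proxied."""
    settings = parse_sysconfig_proxy(config_text)
    proxy_enabled = settings.get("PROXY_ENABLED", "yes").lower() != "no"
    if not proxy_enabled or not settings.get("HTTPS_PROXY"):
        return []
    no_proxy = settings.get("NO_PROXY", "")
    return [h for h in vcenter_hosts if not host_excluded_by_no_proxy(no_proxy, h)]


if __name__ == "__main__":
    # Hypothetical vCenter hostnames to be registered on the gateway.
    hosts = ["vc01.example.test", "vc02.lab.example.test", "vc03.example.test"]
    for h in vcenters_not_excluded(SAMPLE_SYSCONFIG_PROXY, hosts):
        print(f"{h}: not covered by NO_PROXY, registration traffic would use the proxy")
```

On a real gateway, read the file with `open("/etc/sysconfig/proxy").read()` instead of the sample text and pass the list of vCenter FQDNs you intend to register; any hostname the script prints must be added to NO_PROXY before registration is retried.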

1.2. Detecting transparent proxy with certificate interception

Even if no proxy is set on the GW, there are cases where a transparent proxy exists between the gateway and vCenter. If the proxy intercepts the certificate sent by vCenter during the SSL handshake, the gateway may be unable to validate the vCenter certificate properly. If you are not sure whether a transparent proxy is intercepting SSL connections between GW and vCenter, use the following procedure to detect whether one is present:

  1. Log in to the vCenter server, and get the certificate thumbprints for ports 443 and 5480 using the following commands:
    openssl s_client -connect localhost:443  < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout
    openssl s_client -connect localhost:5480 < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout

  2. Log in to the gateway, and obtain the VC certificate thumbprints from the SSL handshake using the following commands:
    openssl s_client -connect <VC_FQDN>:443  < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout
    openssl s_client -connect <VC_FQDN>:5480 < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout

  3. If the thumbprints from the commands above differ, there is a transparent proxy that intercepts certificates between the gateway and the vCenter server.

To resolve the issue with a transparent proxy, all vCenter servers must be whitelisted and excluded from certificate interception. Please contact your network administrator to apply the settings.

2. Resolving VMware Appliance Management Interface (VAMI) certificate issue

2.1. Checking if VAMI is using a different SSL certificate

  1. Log in to the vCenter server.
  2. Get the certificate thumbprints by performing an SSL connection to ports 443 and 5480:
    openssl s_client -connect localhost:443  < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout
    openssl s_client -connect localhost:5480 < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout
  3. If the certificate thumbprints don't match, continue to 2.2 to resolve the issue.
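The thumbprint comparisons in 1.2 and 2.1, and the hostname check behind the "Failed to verify vCenter hostname" precheck, can be reproduced from the gateway with a short script. The following is an added example, not code from this KB article or from the Cloud Gateway product: it computes SHA-256 thumbprints in the same format as `openssl x509 -fingerprint -sha256`, interprets the four thumbprints from the two procedures, and, separately from chain validation, checks whether the registration hostname appears in the certificate's SAN. The `SAMPLE_SAN` list and the `vc01.example.test` hostname are constructed, and `ca_bundle` stands for whatever PEM file holds the gateway's trusted root CAs (its location is an assumption, not stated by this article).

```python
import hashlib
import ipaddress
import socket
import ssl


def sha256_thumbprint(der_cert):
    """SHA-256 fingerprint of a DER certificate in the colon-separated
    uppercase form printed by `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_der(host, port, timeout=10):
    """Return the leaf certificate presented in the TLS handshake with host:port.
    Verification is disabled on purpose: like `openssl s_client`, we want the
    certificate actually presented, even if a proxy injected it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def thumbprint_report(local_443, local_5480, remote_443, remote_5480):
    """Interpret the thumbprints from sections 1.2 and 2.1: the two seen on
    vCenter itself (localhost) and the two seen from the gateway (<VC_FQDN>).
    Returns a list of findings; empty means everything is consistent."""
    findings = []
    if local_443 != local_5480:
        findings.append("VAMI (5480) presents a different certificate than port 443 (section 2)")
    if local_443 != remote_443 or local_5480 != remote_5480:
        findings.append("certificate seen from the gateway differs from the one on vCenter: "
                        "transparent proxy with certificate interception suspected (section 1.2)")
    return findings


def _dns_name_matches(pattern, name):
    """Exact match, or a '*.' wildcard standing for exactly one leftmost label."""
    if pattern == name:
        return True
    if pattern.startswith("*."):
        return name.endswith(pattern[1:]) and name.count(".") == pattern.count(".")
    return False


def hostname_matches_san(san_entries, hostname):
    """Hostname verification as the precheck performs it: the name used to
    register vCenter must appear in the SAN, as a DNS entry for an FQDN or as
    an IP Address entry when registering by IP."""
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    name = hostname.lower().rstrip(".")
    for kind, value in san_entries:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS":
            if _dns_name_matches(value.lower().rstrip("."), name):
                return True
    return False


def verify_against_trust_store(host, port, ca_bundle, timeout=10):
    """Run the two gateway-side checks separately so the failures can be told
    apart: chain validation against `ca_bundle` (the GW trust store), then
    hostname verification against the SAN. Returns (chain_ok, hostname_ok, san)."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = False  # hostname step is done below so it is reported on its own
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return False, False, ()
    san = cert.get("subjectAltName", ())
    return True, hostname_matches_san(san, host), san


# Constructed SAN list in the shape returned by getpeercert(); not a real certificate.
SAMPLE_SAN = (("DNS", "vc01.example.test"), ("DNS", "*.lab.example.test"), ("IP Address", "192.0.2.10"))

if __name__ == "__main__":
    import sys
    vc = sys.argv[1] if len(sys.argv) > 1 else "vc01.example.test"  # hypothetical vCenter FQDN
    for port in (443, 5480):
        print(port, sha256_thumbprint(fetch_leaf_der(vc, port)))
```

Run it on the gateway with the vCenter FQDN as the argument and compare the printed values with the thumbprints obtained on the vCenter itself; `thumbprint_report` maps the four values to the section that resolves each mismatch. `verify_against_trust_store` is the useful follow-up once thumbprints agree: a `(False, False, ())` result corresponds to "Failed to validate vCenter server certificate", while `(True, False, san)` corresponds to "Failed to verify vCenter hostname", and the returned SAN shows which FQDN or IP entry the certificate actually carries.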

2.2. Updating VAMI certificate

Please follow the procedure in the following KB document to update the VAMI certificate:

VAMI does not display the new certificate after changing vCenter Server Appliance 6.x certificates

3. Resolving issues in the Lookup service

Various types of misconfiguration of the service registration in the Lookup Service can cause the VC registration precheck to fail. Typically, a misconfigured hostname in the endpointUrl or incorrect certificates in the sslTrust of the service endpoint cause the precheck issue. Please use the lsdoctor tool described in the following KB document to detect and fix these configuration issues.

Using the 'lsdoctor' Tool

4. Replacing vCenter certificate

4.1. Certificate issued by 3rd party CA

Follow the KB document below to replace the vCenter certificate with one signed by a third-party CA.

Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

Notes:

  • Use the vCenter FQDN in the "Name" and "Hostname" when generating Certificate Signing Request (CSR)
  • If vCenter needs to be registered using an IP address, ensure that you provide the correct IP address in the "IPAddress" question.

4.2. Certificate issued by VMware Certificate Authority

You can use the following KB document to regenerate the vCenter certificate issued by VMCA. 

Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate

Notes:

  • Please ensure that you use the correct vCenter FQDN in "Hostname" and "VMCA Name".
  • If the vCenter needs to be registered using an IP address, please specify the correct IP address in the "IPAddress" question.