Error: "Your connection is not private" NET::ERR_CERT_AUTHORITY_INVALID when accessing vCenter Server after Machine SSL certificate renewal
Article ID: 322297
Updated On:
Products
Issue/Introduction
Symptoms:
When you use the vSphere Client to run [Renew] operation for the Machine SSL Certificate, restart services, and then connect to the vCenter Server again, your Web browser displays a message similar to:
- There is a problem with this website's security certificate
- The connection is not private
- This connection is untrusted
- ERR_CERT_AUTHORITY_INVALID
- NET:ERR_CERT_AUTHORITY_INVALID
Clearing the browser cache or cookies does not resolve the issue.
When you use Certificate Manager Option 3 (KB How to use vSphere Certificate Manager to Replace SSL Certificates), you do not hit the issue.
Additional symptoms reported:
|
Renewed the MACHINE_SSL_CERT certificate, and now cannot access vCenter through the UI “Certificate(s) in VECS TRUSTED_ROOTS store has expired KB 385107" |
Cause
The [Renew] operation for Machine SSL Certificate on vSphere Client (HTML 5) does not generate the full certificate chain for the Machine SSL Certificate.However, Certificate Manager Option 3 does generate the full certificate chain for the SSL certificate.
Resolution
Follow the steps from the section: "Active Directory Group Policy Update in Deployments with VMCA as an Intermediate Certificate Authority: in the Knowledgebase Article Download and install vCenter Server root certificates to avoid web browser certificate warnings.
That section will add the VMCA intermediate certificate into Intermediate Certification Authorities of the client machines.
Feedback
