Importing a newly created STS cert chain fails with an error: A vCenter Single Sign-On error occurred
Article ID: 322814

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • After creating a new STS signing certificate chain as described in Generate a New STS Signing Certificate on the Appliance, importing the certificate chain through the Web Client fails.
  • The Web Client shows the error: "A vCenter Single Sign-On error occurred"
  • The STS certificate is in the correct PKCS#12 (.p12) format.


Environment

VMware vCenter Server Appliance 6.5.x

Cause

On an upgraded vCenter Server, the old STS certificate is retained in the STS_INTERNAL_SSL_CERT store. The documentation Generate a New STS Signing Certificate on the Appliance expects the certificate in the MACHINE_SSL_CERT store to be used when creating the STS certificate, but the creation process instead references the __MACHINE_CERT entry in the STS_INTERNAL_SSL_CERT store.

Resolution

To solve the issue, follow the steps below:
  1. Obtain the current root CA certificate:
     /usr/lib/vmware-vmca/bin/certool --getrootca --cert=/tmp/cacert.crt
  2. Save this as cacert.crt on the appliance at your desired location; /tmp/ is used in the command above as an example.
  3. Replace the __MACHINE_CERT entry in the STS_INTERNAL_SSL_CERT store with the machine certificate from the MACHINE_SSL_CERT store. Run the following commands one at a time, in the order shown (the first four export the current entries, including a backup of the existing STS_INTERNAL_SSL_CERT entry, before it is deleted and recreated):
     /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > ~/machine.crt
     /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > ~/machine.key
     /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.crt
     /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.key
     /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
     /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert ~/machine.crt --key ~/machine.key
  4. Create the new STS certificate. The document Generate a New STS Signing Certificate on the Appliance assumes that the certificate at /etc/vmware-sso/keys/ssoserverRoot.crt is the same as the root CA. On an upgraded (as opposed to a newly deployed) vCenter Server Appliance, they can differ. So, when going through Generate a New STS Signing Certificate on the Appliance again to create the new STS certificate, replace /etc/vmware-sso/keys/ssoserverRoot.crt with <path>/cacert.crt wherever it appears in the openssl commands.
  5. Importing the root-trust.jks as described in Refresh the Security Token Service Certificate should now succeed.
  6. Restart all vCenter and PSC services.
  7. Delete the old STS signing certificates from the Web Client.
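
As a pre-check before running steps 3 and 4, the following script (added here; it is not part of the KB or a VMware tool) reads the certificates with the vecs-cli and certool commands above and reports whether STS_INTERNAL_SSL_CERT already holds the MACHINE_SSL_CERT certificate and whether ssoserverRoot.crt matches the VMCA root CA. The function names, the SHA-256 fingerprint comparison and the /tmp/cacert.crt scratch path are my own choices; only the binary paths, store names and alias come from the article.

```python
"""Pre-check: decide whether steps 3 and 4 of the KB procedure apply to this appliance."""
import base64
import hashlib
import re
import subprocess

# Paths as given in the KB article.
VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"
CERTOOL = "/usr/lib/vmware-vmca/bin/certool"
SSO_ROOT = "/etc/vmware-sso/keys/ssoserverRoot.crt"
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_fingerprints(pem_text):
    """SHA-256 over the DER of each certificate in a PEM bundle, in file order
    (equals `openssl x509 -noout -fingerprint -sha256` without the colons)."""
    fps = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        fps.append(hashlib.sha256(der).hexdigest())
    return fps

def diagnose(machine_pem, sts_internal_pem, sso_root_pem, vmca_root_pem):
    """False means the step is needed: step 3 if STS_INTERNAL_SSL_CERT does not hold
    the MACHINE_SSL_CERT certificate, step 4 if ssoserverRoot.crt is not the VMCA root."""
    machine, sts_internal = pem_fingerprints(machine_pem), pem_fingerprints(sts_internal_pem)
    sso_root, vmca_root = pem_fingerprints(sso_root_pem), pem_fingerprints(vmca_root_pem)
    return {
        "sts_internal_matches_machine_ssl": bool(machine) and machine[:1] == sts_internal[:1],
        "ssoserverRoot_matches_vmca_root": bool(vmca_root) and sso_root[:1] == vmca_root[:1],
    }

def _pem(der):
    """Wrap raw bytes in a PEM CERTIFICATE block (constructed input for the self-check)."""
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

def _getcert(store):
    """Export a store's __MACHINE_CERT entry with vecs-cli, as in step 3."""
    cmd = [VECS_CLI, "entry", "getcert", "--store", store, "--alias", "__MACHINE_CERT"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def collect():
    """Gather the four certificates on a live appliance (run as root)."""
    subprocess.run([CERTOOL, "--getrootca", "--cert=/tmp/cacert.crt"], check=True)  # step 1
    with open(SSO_ROOT) as f, open("/tmp/cacert.crt") as g:
        return _getcert("MACHINE_SSL_CERT"), _getcert("STS_INTERNAL_SSL_CERT"), f.read(), g.read()

if __name__ == "__main__":
    for check, ok in diagnose(*collect()).items():
        print("%-34s %s" % (check, "OK" if ok else "MISMATCH, see resolution steps"))
```

Two OK lines mean the documented procedure should work as written; a MISMATCH on the first check calls for step 3, on the second for the cacert.crt substitution in step 4.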

Additional Information

Impact/Risks:
Ensure you take a snapshot of the vCenter Server Appliance first. If you have external replicating PSCs, shut them all down and snapshot all nodes, including the vCenter node.