Cloud Director portal fails to load in browser when certificate uses SHA-1 algorithm
Article ID: 325684


Updated On:

Products

VMware Cloud Director

Issue/Introduction

Symptoms:

  • The Cloud Director portal fails to load in Chrome and Edge browsers after upgrading to version 10.5.1 or later
  • Within the log file /opt/vmware/vcloud-director/logs/cell-runtime.log the following error is observed:

2024-01-30 13:03:54,095 | DEBUG  | pool-jetty-47       | HttpEngineStartupAction    | Handshake failed |
javax.net.ssl.SSLHandshakeException: No available authentication scheme
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:347)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:303)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:294)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:972)

Environment

VMware Cloud Director 10.5.1.x 

VMware Cloud Director 10.6 

Cause

Since Cloud Director version 10.5.1, PKIX is used as part of the HTTP Engine. This is a change from previous versions, which used SunX509. PKIX enforces stricter policies. If the certificate chain in use in the environment contains a root CA certificate signed with a SHA-1 algorithm such as sha1WithRSAEncryption, then after upgrade or deployment the HTTP portal will fail to load in some browsers, because the chain cannot be validated against the client's set of supported signature algorithms.

Resolution

Cloud Director versions 10.5.1 and later do not accept certificates whose signature algorithms use SHA1 (e.g. sha1WithRSAEncryption). Ensure that none of the certificates in the certificate chain use SHA1 signature algorithms. If any do, those certificates will need to be replaced with updated certificates that do not use SHA1 algorithms.
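To check the chain before (or after) upgrading, the following added example walks every certificate in a PEM bundle and reports the outer signatureAlgorithm OID, flagging the SHA-1 based ones named in the Cause and Resolution sections above. It is not code from the article or from Cloud Director; it uses only the Python standard library, so it runs on a jump host without the `cryptography` package. The SHA-1 OIDs are the standard RFC values; the `make_stub_cert_pem` helper builds a certificate-shaped DER blob for offline testing and is not a valid certificate.

```python
"""Added example (not part of the KB article): flag SHA-1 signed certificates
in a PEM bundle using only the standard library.

Only the outer X.509 structure is parsed:
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
The signatureAlgorithm OID is the field a PKIX validator checks against the
client's supported signature algorithms, so that is what is reported.
"""
import base64
import re
import sys

# Standard OIDs of SHA-1 based signature algorithms (values from the RFCs, not from the article)
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsa-with-SHA1",
}
# Common non-SHA-1 OIDs, so the report prints readable names
KNOWN_OIDS = {
    **SHA1_SIGNATURE_OIDS,
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Parse one DER tag/length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER contents into dotted form."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this component
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def signature_algorithm_oid(der):
    """Return the dotted OID of the outer signatureAlgorithm of a DER certificate."""
    tag, start, _ = _read_tlv(der, 0)                  # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)              # tbsCertificate (skipped)
    tag, alg_start, _ = _read_tlv(der, tbs_end)        # AlgorithmIdentifier SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)  # algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def scan_pem_chain(pem_bytes):
    """Return [(index, algorithm_name_or_oid, uses_sha1)] for each cert in the bundle."""
    results = []
    for idx, m in enumerate(PEM_RE.finditer(pem_bytes)):
        oid = signature_algorithm_oid(base64.b64decode(m.group(1)))
        results.append((idx, KNOWN_OIDS.get(oid, oid), oid in SHA1_SIGNATURE_OIDS))
    return results


# --- constructed test fixture: certificate-shaped DER, NOT a valid certificate ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytes([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += bytes(reversed(chunk))
    return out


def make_stub_cert_pem(oid_dotted):
    """Build a PEM blob with the outer shape of a certificate and the given signature OID."""
    der = _tlv(0x30, _tlv(0x30, b"") + _tlv(0x30, _tlv(0x06, _encode_oid(oid_dotted))) + _tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage: python sha1_chain_check.py /path/to/chain.pem (hypothetical file name)
    with open(sys.argv[1], "rb") as fh:
        for idx, name, sha1 in scan_pem_chain(fh.read()):
            print(f"cert[{idx}]: {name}{'  <-- SHA-1, replace' if sha1 else ''}")
```

On a host with OpenSSL, the same information can be read with `openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout -text | grep 'Signature Algorithm'`; the script above is for cases where only Python is available. Note that a self-signed root's own signature is not checked by a PKIX path builder when the root is a trust anchor, but the article states the root's SHA-1 signature does cause the handshake to fail here, so treat any SHA-1 entry in the bundle as something to replace.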

For additional information see the certificate management documentation here.

Note: As outlined in the above documentation link, the root certificate authority (CA) certificate is not required to be included within the PEM file. 

Workaround:

The following workarounds are available:

  1. The latest Firefox or Safari browsers seem not to be impacted by this issue.
  2. Within Chrome, set the "chrome://flags/#use-sha1-server-handshakes" flag to 'Enabled'. This option may not be available in the latest Chrome versions.

Note:

  • If the environment uses a load balancer, it may also have SSL handshake problems with Cloud Director as a result of this change, in which case these workarounds may not be usable. Within the load balancer logs you may see messages such as "SSL handshake failure" if this is occurring.
  • If you encounter issues when navigating to Cloud Director via a load balancer, please engage your local networking team and load balancer vendor.