"SSLVerifyFault" error observed during a cross vCenter Server operation performed using Cloud Director

Article ID: 325685

Products

VMware Cloud Director

Issue/Introduction

  • VM-based operations fail when the source and destination vCenter Servers are not the same.
  • The following operations fail:
    • Move a VM
    • Clone a VM
    • Move a vApp
    • Clone a vApp
    • Instantiate a template to an Org vDC backed by a different vCenter.
  • You will see the following error when logged in as a System Administrator:
    com.vmware.vim.binding.vim.fault.SSLVerifyFault

Environment

VMware Cloud Director 10.x

Cause

This issue occurs when no trust exists between the source and destination vCenter Servers. It is most likely to occur in environments where the vCenter Server uses a certificate that is not signed by a well-known Certificate Authority (CA), for example one issued by an internal CA.

This is a result of additional security enhancements made in Cloud Director 10.4.1 and higher versions. For information on pre-existing enhancements, see KB 78885.

Resolution

To resolve the issue, you will need to ensure that both the source and destination vCenter Servers trust the certificate of the other vCenter Server.

You can either:

  1. Regenerate the vCenter Server certificates so that both are signed by a well-known Certificate Authority (CA).
  2. Alternatively, you can force trust by exporting the vCenter Server certificate from vCenter A and importing it into the Truststore of vCenter B, and repeating that process going in the other direction.
    a. The certificates of vCenter A can be downloaded by navigating to the URL: http://vCenter-A.example.com/certs/download.zip
    b. Extract the zip file and examine the contents.
      • Files with the extension .0, .1 and so on are root certificates.
      • Files with the extension .r0, .r1 and so on are Certificate Revocation Lists (CRLs).
      • Only the root certificate files are required for this process.
    c. Log in to vCenter Server B as an administrator and navigate to "Administration > Certificates > Certificate Management".
    d. Click the ADD button beside "Trusted Root Certificates" and import all the root certificates from vCenter A that you identified in step b.
    e. Repeat steps a-d for vCenter B, importing the trusted root certificates from vCenter B into vCenter A.
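
The following is an added example, not code from VMware or from this article. It applies the file-name rule from step b to a downloaded archive, skips the CRLs, and returns a SHA-256 fingerprint for each root certificate so it can be compared with the value shown on the source vCenter Server before the file is imported as a trusted root. The archive layout, file names and payloads in `build_sample_zip` are constructed for illustration; pass the bytes of the real `download.zip` to `roots_to_import` instead.

```python
import hashlib
import io
import re
import ssl
import zipfile

ROOT_RE = re.compile(r"\.\d+$")   # .0, .1, ...   -> root certificate (import these)
CRL_RE = re.compile(r"\.r\d+$")   # .r0, .r1, ... -> CRL (not needed for this process)


def sha256_fingerprint(data: bytes) -> str:
    """SHA-256 over the DER encoding, colon-separated as certificate viewers show it."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        # PEM file: decode to DER first so the hash matches what a viewer displays.
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def roots_to_import(zip_bytes: bytes) -> dict:
    """Map each root-certificate file in the archive to its fingerprint; skip CRLs."""
    roots = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or CRL_RE.search(info.filename):
                continue
            if ROOT_RE.search(info.filename):
                roots[info.filename] = sha256_fingerprint(zf.read(info))
    return roots


def build_sample_zip() -> bytes:
    """Constructed stand-in for download.zip; the payloads are not real certificates."""
    pem = ("-----BEGIN CERTIFICATE-----\n"
           "Y29uc3RydWN0ZWQgc2FtcGxl\n"
           "-----END CERTIFICATE-----\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("certs/a1b2c3d4.0", pem)                           # PEM-encoded root
        zf.writestr("certs/a1b2c3d4.r0", "constructed CRL placeholder")  # CRL, skipped
        zf.writestr("certs/e5f6a7b8.1", b"constructed DER placeholder")  # DER-encoded root
    return buf.getvalue()


if __name__ == "__main__":
    for name, fp in roots_to_import(build_sample_zip()).items():
        print(f"{name}  SHA256={fp}")
```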