"SSLVerifyFault" error observed during a cross vCenter Server operation performed using Cloud Director
Article ID: 325685
Products
VMware Cloud Director
Issue/Introduction
VM-based operations fail when the source and destination vCenter Servers are not the same.
The following operations are affected:
Move a VM
Clone a VM
Move a vApp
Clone a vApp
Instantiate a template to an Org vDC backed by a different vCenter.
You will see the following error when logged in as a System Administrator:
com.vmware.vim.binding.vim.fault.SSLVerifyFault
Environment
VMware Cloud Director 10.x
Cause
This issue occurs when no trust exists between the source and destination vCenter Servers. It is most likely to occur in environments where the vCenter Server uses a certificate that is not signed by a well-known Certificate Authority (CA), for example one issued by an internal CA.
This is a result of additional security enhancements made in Cloud Director 10.4.1 and higher versions. For information on pre-existing enhancements, see KB 78885.
Resolution
To resolve the issue, you will need to ensure that both the source and destination vCenter Servers trust the certificate of the other vCenter Server.
You can either:
Regenerate the vCenter Server certificates so that both are signed by a well-known Certificate Authority (CA).
Alternatively, you can force trust by exporting the vCenter Server certificate from vCenter A and importing it into the Truststore of vCenter B, and repeating that process going in the other direction.
a. Download the certificates of vCenter A by navigating to the URL: http://vCenter-A.example.com/certs/download.zip
b. Extract the zip file and examine the contents.
   Files with the extension .0, .1 and so on are root certificates.
   Files with the extension .r0, .r1 and so on are Certificate Revocation Lists (CRLs).
   Only the root certificate files are required for this process.
c. Log in to vCenter Server B as an administrator and navigate to "Administration > Certificates > Certificate Management".
d. Click the ADD button beside "Trusted Root Certificates" and import all the root certificates from vCenter A which you identified in step b.
e. Repeat steps a-d in the other direction, importing the trusted root certificates from vCenter B into vCenter A.
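Before importing the files identified in step b, it is worth confirming that they are the roots vCenter A really uses, since an imported root is trusted unconditionally. The following added example (not part of the original article or of any VMware tooling) separates root certificates from CRLs by the extensions described above and computes a SHA-256 fingerprint of each root so it can be compared with a value obtained independently from vCenter A; the archive member names and payload bytes are constructed placeholders.

```python
import base64, hashlib, io, re, zipfile

ROOT_RE = re.compile(r"\.\d+$")    # .0, .1, ...   root certificates
CRL_RE = re.compile(r"\.r\d+$")    # .r0, .r1, ... certificate revocation lists
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def classify(names):
    """Split archive member names into (roots, crls, other)."""
    roots, crls, other = [], [], []
    for name in names:
        if name.endswith("/"):          # directory entry, nothing to import
            continue
        if CRL_RE.search(name):
            crls.append(name)
        elif ROOT_RE.search(name):
            roots.append(name)
        else:
            other.append(name)
    return roots, crls, other

def sha256_fingerprint(data):
    """SHA-256 over the DER encoding; accepts PEM or raw DER bytes."""
    match = PEM_RE.search(data.decode("latin-1"))
    der = base64.b64decode("".join(match.group(1).split())) if match else data
    return hashlib.sha256(der).hexdigest()

def root_fingerprints(zip_bytes):
    """Map each root certificate file in the archive to its fingerprint."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        roots, _, _ = classify(zf.namelist())
        return {name: sha256_fingerprint(zf.read(name)) for name in roots}

def build_sample_zip():
    """Constructed archive; payloads are placeholder bytes, not real certs."""
    der = b"constructed-placeholder-der"
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("certs/lin/0a1b2c3d.0", pem)               # constructed name
        zf.writestr("certs/lin/0a1b2c3d.r0", b"constructed-crl")
        zf.writestr("certs/readme.txt", b"not a certificate")
    return buf.getvalue()

if __name__ == "__main__":
    for name, fp in root_fingerprints(build_sample_zip()).items():
        print(f"{fp}  {name}")
```

To use it on a real download, pass the bytes of the saved download.zip to `root_fingerprints` and import only files whose fingerprints match the independently obtained values.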