HSTS errors are seen in the client browser when accessing the vRA VAMI when using self-signed certificates

Article ID: 325907


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • When accessing the VAMI URL on the latest versions of Chromium-based browsers (such as Chrome or Edge), an error about the self-signed certificate is shown and the browser does not allow proceeding further, similar to below:

  • Firefox provides a way to add an exception but does complain with warnings similar to below:
    vami_url_FQDN:5480 uses an invalid security certificate
    
    The certificate is not trusted because it is self signed.
    The certificate is not valid for the name vami_url_FQDN.
    
    Error code: SEC_ERROR_UNKNOWN_ISSUER
  • Internet Explorer 11 offers an option to continue to the website, but it does not actually navigate to the page and returns to the warning page.
    Your PC doesn't trust this website's security certificate.
    The hostname in the website's security certificate differs from the website you are trying to visit.
    
    Error code: DLG_FLAGS_INVALID_CA
    DLG_FLAGS_SEC_CERT_CN_INVALID

Environment

VMware vRealize Automation 7.x

Cause

This issue occurs because the HSTS feature is enabled by default in modern client browsers and the user is navigating to a web site or URL that uses a self-signed certificate not trusted by the browser.

Resolution

VMware recommends certifying all web interfaces on vRealize appliances with public CA certificates.

Workaround:

To work around this issue, use either of these options:

Option 1

  • Replace the self-signed certificates with a public CA signed certificate that contains the fully qualified domain name of the VA hostname in the Subject Alternative Name field.
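As an added illustration of the Cause section and of Option 1 (this is example code written for this page, not code from the KB article or from VMware), the following Python script applies the two checks a browser performs on the VAMI certificate, the issuer-trust check and the hostname-against-Subject-Alternative-Name check, and shows how a cached HSTS policy turns those warnings into a hard stop with no click-through. The certificate dicts and the HSTS header value are constructed samples in the shape that Python's `ssl.getpeercert()` returns; the hostnames such as `vra-va.example.com` are assumptions.

```python
"""Diagnose why a browser refuses a VAMI page served with a self-signed
certificate. Added example, not part of the KB article; the certificate
dicts below are constructed to mimic the shape ssl.getpeercert() returns
and do not describe any real appliance."""

# Constructed sample: a self-signed VAMI certificate whose SAN covers
# only the short hostname, not the FQDN the user actually browses to.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "vra-va"),),),
    "issuer": ((("commonName", "vra-va"),),),
    "subjectAltName": (("DNS", "vra-va"),),
}

# Constructed sample: a CA-signed certificate whose SAN contains the FQDN
# (the state Option 1 asks for).
CA_SIGNED_CERT = {
    "subject": ((("commonName", "vra-va.example.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "vra-va.example.com"), ("DNS", "vra-va")),
}


def is_self_signed(cert):
    """A self-signed certificate carries the same name as subject and issuer."""
    return cert["subject"] == cert["issuer"]


def _dns_match(pattern, hostname):
    """Match one DNS SAN entry against a hostname using RFC 6125 rules:
    case-insensitive, a wildcard only as the whole left-most label,
    and the wildcard never spanning more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # reject '*' inside a label and overly broad '*.com'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Browsers validate the hostname against subjectAltName DNS entries only
    (Chrome stopped falling back to commonName in version 58), so CN is ignored."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(_dns_match(san, hostname) for san in sans)


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security header value such as
    'max-age=31536000; includeSubDomains' into a policy dict."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            policy["max_age"] = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def diagnose(cert, hostname, hsts_policy=None):
    """Return the reasons a browser would reject the page. When an HSTS
    policy with max-age > 0 is cached for the host, the browser also removes
    the 'proceed anyway' option, which is the Chrome/Edge behaviour in the KB."""
    problems = []
    if is_self_signed(cert):
        problems.append("issuer not trusted (self-signed certificate)")
    if not hostname_matches(cert, hostname):
        problems.append("hostname %s not in subjectAltName" % hostname)
    if problems and hsts_policy and (hsts_policy["max_age"] or 0) > 0:
        problems.append("HSTS policy cached: no proceed-anyway option offered")
    return problems


if __name__ == "__main__":
    hsts = parse_hsts("max-age=31536000; includeSubDomains")
    for line in diagnose(SELF_SIGNED_CERT, "vra-va.example.com", hsts):
        print("-", line)
    print("CA-signed cert problems:", diagnose(CA_SIGNED_CERT, "vra-va.example.com", hsts))
```

Run it as-is to see the three reasons the self-signed sample is rejected and the empty list for the CA-signed sample; point `diagnose()` at the dict returned by `ssl.create_default_context().wrap_socket(...).getpeercert()` for a real appliance to confirm that the replacement certificate from Option 1 lists the FQDN in its SAN before users are told the warning is gone.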

Option 2

  • Disable HSTS in the Chrome or Edge browser.
    1. Disable browser cache.
    2. Type chrome://net-internals/#hsts in Chrome, or edge://net-internals/#hsts in Microsoft Edge.
    3. If present, remove the domain name of vRA for Add HSTS/PKP domain. Click include sub-domains and check for both STS and PKP by putting the 
    4. If present, remove the domain name of vRA for Add Expect-CT domain.

Option 3

  • Left click into the white space on the HSTS error page and type: thisisunsafe

The page will reload and should allow access to the webpage.

Additional Information

If the issue is encountered while navigating to the vCenter vSphere Client or VAMI page, follow the KB article Download and install vCenter Server root certificates to avoid web browser certificate warnings.