After upgrade to vCenter Server 5.5 Update 1, the vSphere Web Client and other plug-ins no longer function
Article ID: 335931

Products

VMware vCenter Server

Issue/Introduction

This article explains how to regenerate the vCenter Server SSL certificate with a key of at least 1024 bits (the procedure below produces a 2048-bit key) to address the failures seen after upgrading to vCenter Server 5.5 Update 1.

Symptoms:
Note: If you are seeing a "certificate unknown" error in Horizon instead, see SSL certificate "Unknown" for View Composer Server on Horizon Administrator health dashboard.

During the upgrade to vCenter Server 5.5 Update 1, you see a message similar to:

The vCenter certificates are weak and no longer supported with vCenter Server 5.5 Update 1 onward.

After the upgrade to vCenter Server 5.5 Update 1, you experience these symptoms:
  • Logging in to the vCenter Server using the vSphere Web Client displays an error similar to:

    Failed to verify the SSL certificate for one or more vCenter Server systems:https://VC_HOSTNAME:443/sdk
     
  • The Performance Charts tab fails and displays an error similar to:

    Perf Charts service experienced an internal error.
     
  • The Host Hardware Status tab for the ESXi host fails and displays an error similar to:

    Cannot access the hardware monitoring service.
     
  • The Storage Views tab fails and displays an error similar to:

    The server 'VC_HOSTNAME' could not interpret the client's request. (The remote server returned an error: (503) Server Unavailable.)
     
  • In the C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs\ds.log file, you see entries similar to:

    <time>,755 pool-19-thread-2 ERROR com.vmware.vim.dataservices.provider.VcProvider] Cannot login: com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    <time>,755 pool-19-thread-2 INFO com.vmware.vim.query.server.provider.impl.ProviderManagerServiceImpl] Cannot connect to provider: com.vmware.vim.query.server.store.exception.UnauthorizedException: not connected

     
  • In the C:\ProgramData\VMware\VMware VirtualCenter\Logs\vws.log file, you see entries similar to:

    <time>,927 localhost-startStop-1 INFO com.vmware.vim.vimclient.VimClientFactory] VMODL context has been initialized for CMS
    <time>,191 localhost-startStop-1 ERROR com.vmware.vim.vimclient.VimClientFactory] Failed VC client creation with exception
    com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified

     
  • In the C:\ProgramData\VMware\VMware VirtualCenter\Logs\vpxd.log file, you see entries similar to:

    <time>.084Z [04712 warning 'ProxySvc'] SSL Handshake failed for stream <io_obj p:0x00000000095fdd88, h:2540, <TCP 'xxx.xxx.xxx.xxx:xxx>, <TCP xxx.xxx.xxx.xxx:xxxx>>, error: class Vmacore::Ssl::SSLException(SSL Exception: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown)
     
  • In the stats.log file, you see entries similar to:

    tomcat-http--17 WARN org.apache.struts.util.PropertyMessageResources] Resource com/vmware/vim/stats/webui/ApplicationResources_en_US.properties Not Found.
    tomcat-http--33 INFO com.vmware.vim.stats.webui.filter.ClientTimezoneFilter] Forward to 'timezone.jsp' to get user time zone via JavaScript.
    tomcat-http--34 ERROR com.vmware.vim.stats.webui.filter.ViClientRequestActionSecurity] An error has occurred during security checks. Details: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    com.vmware.vim.stats.webui.SessionException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    at com.vmware.vim.stats.webui.form.SessionContextImpl.<init>(Unknown Source)
    at com.vmware.vim.stats.webui.startup.StatsReportInitializer.createSessionContext(Unknown Source)


    Note: The default location of the stats.log file (%ALLUSERSPROFILE% already expands to an absolute path such as C:\ProgramData, so it is not prefixed with a drive letter) is:

    Windows 2000 and 2003: %ALLUSERSPROFILE%\Application Data\VMware\VMware VirtualCenter\Logs\
    Windows 2008 and 2012: %ALLUSERSPROFILE%\VMware\VMware VirtualCenter\Logs\


Environment

VMware vCenter Server 5.5.x

Cause

This issue occurs because the vCenter Server SSL certificate has an RSA key shorter than 1024 bits (for example, a default self-signed certificate carried over from an earlier vCenter Server release). vCenter Server 5.5 Update 1 updates the bundled Java Runtime Environment (JRE) to version 7.0.450.18, which disables RSA keys shorter than 1024 bits during certificate path validation (the jdk.certpath.disabledAlgorithms security property). The Java-based services (Inventory Service, Performance Charts, Hardware Status, Storage Views and the vSphere Web Client) therefore reject the vpxd certificate during the TLS handshake. On the Java side this is logged as "Certificates does not conform to algorithm constraints" or "Server certificate chain not verified"; vpxd.log records the same rejection as the "sslv3 alert certificate unknown" alert sent by the peer.
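Before upgrading, it is worth finding every affected certificate rather than discovering them one failing plug-in at a time. The script below is an added example, not part of the VMware article, and is written for Windows PowerShell on the vCenter Server itself. It assumes the component certificates are named rui.crt (as the article's paths show) and live under %ProgramData%\VMware; the function name, the -Root parameter and the report columns are this example's own choices. The 1024-bit threshold is the one the JRE enforces.

```powershell
# Added example (not from the VMware KB): report the RSA key length of every rui.crt
# under the vCenter Server ProgramData tree and flag the keys shorter than 1024 bits,
# which the JRE shipped with vCenter Server 5.5 Update 1 rejects through the
# jdk.certpath.disabledAlgorithms security property ("RSA keySize < 1024").
# Assumptions: certificate files are named rui.crt and sit under %ProgramData%\VMware;
# pass -Root to scan a different tree (for example a component installed elsewhere).

function Get-VCenterCertificateReport {
    param(
        [string]$Root = (Join-Path $env:ProgramData 'VMware'),
        [int]$MinimumRsaBits = 1024
    )

    Get-ChildItem -Path $Root -Filter rui.crt -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try {
            # X509Certificate2 accepts both DER and PEM ("-----BEGIN CERTIFICATE-----") files.
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file.FullName
            $bits = $cert.PublicKey.Key.KeySize

            [pscustomobject]@{
                Path               = $file.FullName
                Subject            = $cert.Subject
                KeyAlgorithm       = $cert.PublicKey.Oid.FriendlyName
                KeyBits            = $bits
                SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
                NotAfter           = $cert.NotAfter
                # True for the certificates that break 5.5 Update 1 and must be regenerated.
                BelowJreMinimum    = ($bits -lt $MinimumRsaBits)
            }
        } catch {
            Write-Warning "Could not parse $($file.FullName): $($_.Exception.Message)"
        }
    }
}

$report = @(Get-VCenterCertificateReport)
$report | Format-Table Path, KeyAlgorithm, KeyBits, BelowJreMinimum, NotAfter -AutoSize

$weak = @($report | Where-Object { $_.BelowJreMinimum })
if ($weak.Count -gt 0) {
    Write-Warning "$($weak.Count) certificate(s) have RSA keys below 1024 bits; regenerate them before upgrading to 5.5 Update 1."
    exit 1
}
```

The exit code makes the script usable as a pre-upgrade gate. Note that the check is about the key length of the certificate vpxd presents and that the Java components validate; a plug-in or third-party product registered with vCenter Server may carry its own certificate that this scan does not see.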

Resolution

This issue is resolved in VMware vCenter Server 5.5 Update 2, available at VMware Downloads.

Note: This issue is resolved in this release by providing a check for the certificate key length and an appropriate warning message to guide you.

Workaround:
To work around this issue if you do not want to upgrade, regenerate the vCenter Server SSL certificate with an RSA key of at least 1024 bits. The procedure below generates a 2048-bit key, which is the size to use for new certificates:

Caution:
  • Replacing the vCenter Server certificate may result in ESXi hosts being disconnected from the vCenter Server. A manual reconnection of the ESXi hosts may be required.
  • Other plug-in components such as Update Manager, Site Recovery Manager, vCloud Director, Horizon View, etc. may need to be re-registered with vCenter Server.

Process to Regenerate the vCenter Server SSL Certificate:

  1. Copy this text and save it as openssl_config.cfg:

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:vc55-1, IP:10.0.0.10, DNS:vc55-1.vmware.com

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = NY
    localityName = New York
    0.organizationName = VMWare
    organizationalUnitName = vCenterUniqueServer
    commonName = vc55-1.vmware.com


    Note: Edit the file to match your environment. The commonName and subjectAltName must cover every name clients use to reach vCenter Server (FQDN, short name and IP address), and the organizationalUnitName must be unique among the certificates of the vCenter Server components. Because encrypt_key = no (and -nodes in the next step) writes the private key to disk unencrypted, restrict the working directory to administrators.
     
  2. Save the openssl_config.cfg file to C:\Program Files\VMware\Infrastructure\Inventory Service\bin.
     
  3. Open a Windows command prompt as Administrator and change the directory to:

    C:\Program Files\VMware\Infrastructure\Inventory Service\bin
     
  4. Regenerate a self-signed certificate and key file using this command:

    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout rui.key -out rui.crt -config openssl_config.cfg -extensions v3_req
     
  5. Create the vCenter Server PFX file using this command:

    openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

    Note: Do not replace rui or testpassword with any other values. vCenter Server loads rui.pfx using exactly this alias and password, so the password provides no confidentiality; protect the file with filesystem permissions instead.
     
  6. When the rui.crt, rui.key and rui.pfx files are regenerated, replace the vCenter Server SSL certificate. For more information, see Configuring CA signed certificates for vCenter Server 5.5 (2061973).
  7. Verify the key length of the vCenter Server certificate:

    a.    Open the rui.crt file located at C:\ProgramData\VMware\VMware VirtualCenter\SSL.
    b.    Click the Details tab and scroll to the Public Key field.
    c.    Verify that the value is at least 1024 bits. The certificate generated by the procedure above shows RSA (2048 Bits).
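The following script is an added example, not part of the VMware article, that runs steps 1 to 5 and 7 of the procedure above from Windows PowerShell and adds the checks the article leaves to the reader: that the new key is 2048 bits, that the subject alternative name covers the vCenter Server FQDN, and that rui.pfx opens with the required password, contains the private key and carries the alias rui. It assumes openssl.exe is the copy in the Inventory Service bin directory named in step 2; the host names, IP address and output directory are placeholders to edit for your environment. It does not perform step 6 (installing the certificate) and does not reconnect ESXi hosts or re-register plug-ins.

```powershell
# Added example (not from the VMware KB): scripted regeneration of the vCenter Server
# self-signed certificate plus verification of the result.
# Assumptions (edit for your environment): the FQDN, short name, IP address and output
# directory below are placeholders; openssl.exe is the one shipped with Inventory Service.
# The alias "rui" and the password "testpassword" are NOT placeholders: vCenter Server
# expects exactly those values when it loads rui.pfx.
param(
    [string]$Fqdn      = 'vc55-1.vmware.com',
    [string]$ShortName = 'vc55-1',
    [string]$IpAddress = '10.0.0.10',
    [string]$OpenSsl   = 'C:\Program Files\VMware\Infrastructure\Inventory Service\bin\openssl.exe',
    [string]$OutDir    = 'C:\certs\vcenter'
)
$ErrorActionPreference = 'Stop'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$cfg = Join-Path $OutDir 'openssl_config.cfg'
$key = Join-Path $OutDir 'rui.key'
$crt = Join-Path $OutDir 'rui.crt'
$pfx = Join-Path $OutDir 'rui.pfx'

# Step 1: the article's configuration, with the names filled in from the parameters.
@"
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$ShortName, IP:$IpAddress, DNS:$Fqdn

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = NY
localityName = New York
0.organizationName = VMWare
organizationalUnitName = vCenterUniqueServer
commonName = $Fqdn
"@ | Set-Content -Path $cfg -Encoding Ascii

# Steps 4 and 5: self-signed 2048-bit certificate, then the PFX with the fixed alias and password.
& $OpenSsl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout $key -out $crt -config $cfg -extensions v3_req
if ($LASTEXITCODE -ne 0) { throw "openssl req failed with exit code $LASTEXITCODE" }
& $OpenSsl pkcs12 -export -in $crt -inkey $key -name rui -passout pass:testpassword -out $pfx
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

# Step 7, automated: check what the JRE and vCenter Server will actually see.
function Test-VCenterCertificate {
    param([string]$CertPath, [string]$PfxPath, [string]$ExpectedName, [int]$MinBits = 2048)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    $bits = $cert.PublicKey.Key.KeySize
    if ($bits -lt $MinBits) { throw "rui.crt key is $bits bits; expected at least $MinBits" }

    # 2.5.29.17 is the subjectAltName extension; Format($false) renders it on one line.
    $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }) -join '; '
    if ($san -notlike "*$ExpectedName*") { throw "subjectAltName '$san' does not contain $ExpectedName" }

    # The PFX must open with the fixed password, carry the private key and match rui.crt.
    $p12 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $PfxPath, 'testpassword'
    if (-not $p12.HasPrivateKey) { throw 'rui.pfx does not contain the private key' }
    if ($p12.Thumbprint -ne $cert.Thumbprint) { throw 'rui.pfx and rui.crt are different certificates' }

    # .NET does not expose the PKCS#12 friendly name, so ask openssl for the bag attributes.
    $bags = & $OpenSsl pkcs12 -in $PfxPath -nokeys -passin pass:testpassword
    if (-not ($bags | Select-String -SimpleMatch 'friendlyName: rui' -Quiet)) { throw 'rui.pfx alias is not "rui"' }

    [pscustomobject]@{ Subject = $cert.Subject; KeyBits = $bits; SubjectAltName = $san; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
}

Test-VCenterCertificate -CertPath $crt -PfxPath $pfx -ExpectedName $Fqdn
```

Run it from an elevated PowerShell prompt, then continue with step 6 using the files in the output directory. The thumbprint in the report is the value to compare against what the vSphere Web Client shows after the replacement, and against the certificate ESXi hosts record when they are reconnected.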