Error in usage meter "Can not verify certificate chain"

Article ID: 337002

Products

VMware Aria Suite

Issue/Introduction

Web browsers will sometimes accept malformed certificate chains from servers, but Usage Meter 4.2 and 4.3 require certificate chains to be in the correct order. If a customer installs a malformed certificate chain (with certificates in the wrong order) in a vCenter (or other product) server, they may not even know that anything is wrong until they attempt to meter that product with Usage Meter.

Symptoms:
When the user attempts to add a new product to be metered in Usage Meter 4.2 or 4.3, they see a red banner at the top of the Usage Meter Web UI page with the message "Certificate error for [hostname or IP address]: can not verify certificate chain".

Environment

VMware vCloud Usage Meter 4.x

Cause

When any new product is added to Usage Meter, the user is asked to view and accept its HTTPS certificate before metering begins. But before the user is asked to accept the certificate, Usage Meter performs basic sanity checks. If the certificate is expired, for example, Usage Meter will not allow the user to add the product.
 
In addition to checking for expiration, Usage Meter also validates the product's certificate chain. It expects that the first certificate in the chain was issued and signed by the entity represented by the second certificate, that the second certificate was issued and signed by the entity represented by the third certificate, and so on.
 
Servers are sometimes configured with certificate chains where the individual certificates are not in the correct order. Technically the certificate chain is invalid, but web browsers typically will still accept the chain. Usage Meter 4.2 and 4.3 insist on the correct order for the certificates, however, and display the "can not verify certificate chain" message in this case.

To determine whether your product has this problem you can inspect your certificate chain with a command like the following:
  openssl s_client -connect vmware.com:443

You should replace "vmware.com" with the hostname or IP address of your server, of course.

Part of the output you will see should look something like the below. (This is the output for vmware.com; your output will be different):
  ---
  Certificate chain
   0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=IT/CN=*.vmware.com
     i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
     i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
     i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
  ---

There are three certificates in this chain: 0, 1, and 2. Each one has a subject (the "s:") and an issuer (the "i:"). In a well-formed certificate chain, the s: field of all certificates except the first one will be identical to the i: field of the certificate before it. You can see that here: 1s is the same as 0i and 2s is the same as 1i.

The "can not verify certificate chain" error that Usage Meter is displaying suggests that the output for your server will display certificates that are out of order. Another possible (but less likely) problem could be that the certificates are in the correct order but that one of them has an invalid digital signature or has expired.
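The subject/issuer check described above can be automated against the saved output of `openssl s_client`. The following is an added example, not part of the KB article or of Usage Meter itself; the two chain samples are constructed from the vmware.com output shown above, with the second one having the intermediate and root certificates swapped.

```python
import re

# Constructed sample input: the well-formed chain from the article, as
# `openssl s_client` prints it (old-style "/C=US/..." DNs; new-style
# "C = US, ..." DNs parse the same way because only the s:/i: prefix matters).
GOOD_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=IT/CN=*.vmware.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
"""

# Constructed sample input: the same certificates with the intermediate and
# the root installed in swapped order, the malformed chain the article describes.
BAD_CHAIN = """\
Certificate chain
 0 s:/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=IT/CN=*.vmware.com
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
 1 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert SHA2 High Assurance Server CA
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert High Assurance EV Root CA
"""

def parse_chain(s_client_output: str) -> list[tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server presented them."""
    pairs = []
    lines = s_client_output.splitlines()
    for idx, line in enumerate(lines):
        subj = re.match(r"\s*\d+\s+s:(.*)$", line)
        if subj and idx + 1 < len(lines):
            iss = re.match(r"\s*i:(.*)$", lines[idx + 1])
            if iss:
                pairs.append((subj.group(1).strip(), iss.group(1).strip()))
    return pairs

def chain_order_problems(s_client_output: str) -> list[str]:
    """List every position n where cert n+1's subject is not cert n's issuer."""
    pairs = parse_chain(s_client_output)
    problems = []
    for n in range(len(pairs) - 1):
        issuer_n, subject_next = pairs[n][1], pairs[n + 1][0]
        if issuer_n != subject_next:
            problems.append(f"cert {n} was issued by '{issuer_n}' "
                            f"but cert {n + 1} is '{subject_next}'")
    return problems
```

An empty result means the chain is ordered the way Usage Meter expects; a non-empty result points at the exact position where the installed chain breaks, which is the information needed before having the chain corrected or re-issued.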

Resolution

Workaround:
You must correct the certificate chain (or have it re-issued) and reinstall it for the product to be metered. Instructions for doing this are beyond the scope of this KB article.
 
Note: The Usage Meter does not require products to have a trusted certificate chain: it can meter products that have a self-signed certificate. So another workaround is to install a self-signed certificate for the product to be metered.