VIC VCH no longer trusts registry SSL certificate
VMware vSphere ESXi


When attempting to pull images from the VIC Appliance registry, the registry's TLS certificate is not trusted.


VMware vSphere Integrated Containers 1.0.x


The Harbor service may regenerate the certificate it uses, which causes the connection to no longer be trusted. To prevent this, the certificate trusted at VCH creation should be the root signing certificate.


When creating the VCH, pass the root signing certificate to the --registry-ca option. Since the signing certificate does not change when the registry regenerates certificates, the trust will not be broken.
To download the signing root certificate, log in to the VIC Appliance registry GUI as admin, click the admin username at the top right of the page, and select download root certificate.
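
The difference between trusting the root signing certificate and trusting one server certificate can be reproduced locally with openssl. This is an added example, not VMware's code and not how the VCH itself validates certificates; the CA, host name, file names and function names are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate below is generated locally and is throwaway.
WORK=$(mktemp -d)

# Self-signed root; stands in for the registry's root signing certificate.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-registry-root" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
}

# Issue a new server certificate named $1, signed by the root (models a regeneration).
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=registry.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.crt" 2>/dev/null
}

# Trust anchored on the root: any server certificate it signed validates.
trusted_via_root() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Trust anchored on one server certificate ($1): only that exact certificate validates.
trusted_via_pinned_cert() {
  openssl verify -partial_chain -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# "before" is the certificate in use at VCH creation, "after" is the regenerated one.
make_root && issue_server_cert before && issue_server_cert after

for cert in before after; do
  trusted_via_root "$cert" && r=ok || r=FAIL
  trusted_via_pinned_cert before "$cert" && p=ok || p=FAIL
  echo "server cert '$cert': root CA trust=$r, pinned 'before' cert trust=$p"
done
```

Only the pinned-certificate check fails for the regenerated certificate, which is the broken trust described above.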

If the VCH is already deployed, the trusted registry certificate can be updated with the following steps.

  1. Upgrade the VCH from 1.1.1 to 1.2 or a later version. For more information, see Upgrade Virtual Container Hosts.
  2. Run the vic-machine configure command to reconfigure the VCH by adding the needed registry certificate. For more information, see Add or Update Registry Server Certificates.