Syncing OVA/OVF to secure subscribed library fails with "Certificate not trusted" error leaving the item security non compliant. Importing OVA/OVF to secure local library is not allowed with error "Certificate not trusted" in the import screen.


Article ID: 340405


Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

Symptoms:
Subscribed library: Security Compliance column of library item shows "No". Reviewing the certificate and adding it to the trust store does not change the compliance status to "Yes".

Local library: While importing the OVA/OVF package as a library item, an error indicating untrusted certificate appears on the screen. Reviewing the certificate and adding it to the trust store does not fix the untrusted certificate issue.


Errors in cls.log:
CertPathBuilderException while validating certificate chain
java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.

Environment

VMware vSphere ESXi 7.0.0
VMware vCenter Server 7.0.x

Cause

The secure content library feature admits only signed OVF/OVA packages. It checks that the signing certificate is valid and that it is trusted by vCenter/the content library.

A certificate chain, also known as the 'chain of trust', consists of a list of certificates. The list starts with the leaf certificate (the OVF signing certificate) and ends with the root certificate. To trust the leaf certificate, its signature must be traceable, certificate by certificate, to the root. If any link is missing, the chain is considered broken.

After reviewing and adding the signing certificate to the trust store, validation can still fail if the OVF package does not carry the entire chain (the intermediate and root certificates), because the chain cannot be built from the leaf to a trusted root. The cls.log error above reports exactly this: no issuer certificate was found for a certificate in the path.

Resolution

Step 1:
To resolve this issue, obtain the signing certificate's chain. A chain may include a root certificate and one or more intermediate certificates. There are several ways to get the chain; one of them is to use a certificate chain resolver, which follows the issuer information in the signing certificate to fetch the missing certificates.

Step 2:
After obtaining the root/intermediate certificates of the chain, add them to the content library trust store or the VECS trust store using either of the following two methods.

1.  Add the certificate(s) to content library trust store:

An API is provided to add a certificate to the content library trust store. The user running this API requires the ContentLibrary.AddCertToTrustStore privilege.

Here is a sample curl command which adds a certificate to the trust store.

#!/usr/bin/env bash
url='https://VC_IP'
username='USERNAME'
password='PASSWORD'

##### Authenticate (-k skips TLS verification of the vCenter endpoint; drop it once the vCenter certificate is trusted by the client)
session_id=$(curl -s -X POST -k -H 'Content-Type: application/json' -u "$username:$password" "$url/rest/com/vmware/cis/session" | jq -r .value)

##### Add Certificate
# cert_text is a JSON string, so the PEM's line breaks must appear as \n inside it.
# Run this call once per certificate in the chain (each intermediate and the root).
curl -s -X POST -k \
-H 'Accept: application/json' -H "Content-Type: application/json" -H "vmware-api-session-id: $session_id" \
"$url/api/content/trusted-certificates" \
-d '{
  "cert_text": "CERTIFICATE_IN_PEM_FORMAT"
   }' | jq -r "."

2.  Add the certificate(s) to VECS store:
  1. Log in to the vCenter Server with the vSphere Client.
  2. Specify the user name and password for administrator@vsphere.local or another member of the vCenter Single Sign-On Administrators group.
  3. If you specified a different domain during installation, log in as administrator@mydomain.
  4. Navigate to the Certificate Management UI.
    • From the Home menu, select Administration.
    • Under Certificates, click Certificate Management.
  5. Click "ADD" next to Trusted Root Certificates.
  6. Browse to and select the certificate(s) obtained in Step 1.
After adding the certificates, re-sync the failing items in the subscribed library, or re-import them into the local library.
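The API method above takes one certificate per call and expects the PEM text as a JSON string, so a multi-certificate chain file and a hand-written -d body are the two places this goes wrong in practice. The following Python is an added example, not code from the article or from VMware: it splits a chain file into its PEM blocks, builds the JSON body with json.dumps (which escapes the line breaks), and posts each certificate to /api/content/trusted-certificates with a session id obtained as in the curl sample. It assumes the vCenter CA has been exported to a file so the TLS connection is verified instead of using -k; the SAMPLE_BUNDLE is a constructed stand-in with dummy base64 bodies, not real certificates.

```python
import json
import ssl
import urllib.request

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed stand-in for a chain file (issuing CA + root): the base64 bodies are
# dummies, not real certificates, so only the splitting and encoding logic is exercised.
SAMPLE_BUNDLE = (
    "-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nREVG\n-----END CERTIFICATE-----\n"
)


def split_pem_bundle(bundle):
    """Return every PEM certificate block in the bundle, in the order given."""
    certs, current, inside = [], [], False
    for line in bundle.splitlines():
        line = line.strip()
        if line == PEM_BEGIN:
            current, inside = [line], True
        elif line == PEM_END and inside:
            current.append(line)
            certs.append("\n".join(current) + "\n")
            inside = False
        elif inside and line:
            current.append(line)  # text outside BEGIN/END (bag attributes, comments) is dropped
    return certs


def trust_store_payload(cert_pem):
    """JSON body for POST /api/content/trusted-certificates (field name from the article).
    json.dumps escapes the PEM's line breaks, which a hand-written -d body must do too."""
    return json.dumps({"cert_text": cert_pem})


def add_chain(url, session_id, bundle, cafile):
    """One POST per certificate in the chain; returns the API response bodies."""
    ctx = ssl.create_default_context(cafile=cafile)  # verify vCenter's TLS cert, no -k
    responses = []
    for cert in split_pem_bundle(bundle):
        req = urllib.request.Request(f"{url}/api/content/trusted-certificates",
                                     data=trust_store_payload(cert).encode(), method="POST")
        req.add_header("Content-Type", "application/json")
        req.add_header("vmware-api-session-id", session_id)
        with urllib.request.urlopen(req, context=ctx) as resp:
            responses.append(resp.read().decode())
    return responses
```

Call it as add_chain("https://VC_IP", session_id, open("chain.pem").read(), "vcenter-ca.pem"); the chain file should contain only the intermediate and root certificates, not the leaf signing certificate that was already reviewed in the UI.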
Product versions: vCenter 7.0U3 and above