Unable to Access VCD UI After Importing SSL Certificates

Article ID: 342533

Products

VMware Cloud Director

Issue/Introduction

  • This article describes how to restore access to a VMware Cloud Director (VCD) environment that became inaccessible after its SSL certificates were updated


Symptoms:
  • After the updated HTTPS and ConsoleProxy certificates are imported successfully, the VCD UI becomes inaccessible
  • Browsing to the VCD Public Address returns an "ERR_SSL_PROTOCOL_ERROR" response (screenshot omitted)

Environment

VMware Cloud Director for Service Provider 10.x
VMware Cloud Director 10.x

Cause

  • Some legacy private key formats import into the VCD appliance without error but cannot then be used to establish an SSL/TLS connection, so the import reports success while HTTPS stops working

Resolution

  • First check whether the private key file is encrypted. An encrypted PKCS#8 key begins with the following banner:
-----BEGIN ENCRYPTED PRIVATE KEY-----
  • A key in the traditional OpenSSL format (-----BEGIN RSA PRIVATE KEY----- followed by "Proc-Type: 4,ENCRYPTED" and "DEK-Info:" header lines) is also encrypted and is handled the same way.
  • If the key is encrypted, decrypt it with the following command (you are prompted for the current passphrase; for a non-RSA key, use openssl pkey with the same options):
openssl rsa -in encrypted_private.key -out decrypted_private.key
  • Once the key is decrypted, convert it to PKCS#8 format and re-encrypt it with a new passphrase. The input here is the file written by the previous command:
openssl pkcs8 -topk8 -in decrypted_private.key -out user.http.encrypted.key
  • Delete decrypted_private.key as soon as the re-encrypted key has been written, as it contains the private key without any passphrase protection.
  • Re-import the .pem and .key files into each VCD cell and verify that the UI is reachable again.


Workaround:
  • The workaround is the same as the resolution: decrypt the private key and re-encrypt it in PKCS#8 format with the following commands (the second command reads the file written by the first), re-import it, and then delete the decrypted copy:
openssl rsa -in encrypted_private.key -out decrypted_private.key
openssl pkcs8 -topk8 -in decrypted_private.key -out user.http.encrypted.key


Additional Information

https://docs.vmware.com/en/VMware-Cloud-Director/10.3/VMware-Cloud-Director-Install-Configure-Upgrade-Guide/GUID-74296A4D-416F-4D7F-BBD6-BA983AAAD4E7.html

Impact/Risks:

  • This issue prevents all access to the VCD UI until the key is corrected and re-imported

To confirm that a certificate matches a private key, run the following commands in an SSH session on the cell (replace the file names with the correct ones, including the full path). An online validator should only ever be given the certificate; never upload the private key.

openssl rsa -modulus -noout -in key.key | openssl md5

openssl x509 -modulus -noout -in FullChain.cer | openssl md5

Both commands must print the same digest. If they differ, the key does not belong to this certificate and the error is expected. If key.key is encrypted, the first command prompts for its passphrase. The modulus comparison applies to RSA keys only; for an EC key, compare the public keys instead (openssl pkey -pubout -in key.key against openssl x509 -pubkey -noout -in FullChain.cer).