Registering NSX Manager to Lookup Service with External Platform Service Controller (PSC) fails with the error: server certificate chain not verified
Article ID: 343419

Products

VMware NSX Networking VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • In VMware NSX for vSphere 6.x, registering NSX Manager to the Lookup Service with External Platform Service Controller (PSC) fails.
  • You see the error:

    NSX Management Service operation failed (Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service.com.vmware.vim.vmoid.core.exception.CertificateValidationException. Server certificate chain not verified).


Environment

VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.0.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.1.x
VMware vSphere 6.x

Resolution

This issue is resolved in VMware vSphere 6.0 U1b and later versions, available at VMware downloads.

To work around this issue, update the new certificate with the old fingerprint of the Security Token Services (STS).

Note: This procedure only works with a single-site PSC in a single-site SSO domain.

To retrieve the old certificate from the Managed Object Browser (MOB)

  1. Obtain the old fingerprint of the STS certificate on the Platform Services Controller (PSC) Windows machine from the Managed Object Browser (MOB).
  2. To open the MOB, go to https://vCenter_IP/lookupservice/mob?moid=ServiceRegistration&method=List in a browser.
  3. Log in to the MOB using the administrator account of the PSC or administrator@vsphere.local.
  4. In the filterCriteria text field, modify the value field to have only the tags <filterCriteria></filterCriteria> and click Invoke Method. This displays the ArrayOfLookupServiceRegistrationInfo objects.

  5. Search the page for sts or STS and find the value of the corresponding sslTrust field. The content of that field is the Base64-encoded string of the old certificate.

  6. Copy the string from the ArrayOfString value in the sslTrust row (next to the ArrayOfString type) and save it to a file named sts.cer.
  7. Import sts.cer with a certificate manager tool such as certmgr.msc, open the certificate and copy its thumbprint. Remove all of the spaces and any leading "?" character, and save the result as a text file named old.fprint.txt.

    After cleanup the thumbprint is a 40-character hexadecimal string, such as f4bf76aeefaaf3f09009cda4a2b624202bd49724, which is used later as the --fingerprint value on the command line.
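The thumbprint copy-and-paste in steps 6 and 7 is where this procedure usually goes wrong: certmgr.msc prepends an invisible mark (the "?" the article mentions) and inserts spaces, and a fingerprint with either of those in it makes ls_update_certs.py match nothing. The following Python script is an added example, not VMware's code, that computes the old fingerprint directly from the sslTrust Base64 string and also normalizes a thumbprint pasted from certmgr.msc. It assumes the sslTrust value is the Base64 DER of the STS leaf certificate (a SHA-1 thumbprint is SHA-1 over that DER); the file names sts.cer and old.fprint.txt are the ones the article uses, and the SAMPLE_SSLTRUST value is a constructed stand-in, not a real certificate.

```python
import base64
import hashlib
import re

# Invisible marks that certmgr.msc is known to prepend when a thumbprint is
# copied from the certificate details pane (the article calls it a leading "?").
# U+200E (left-to-right mark) is the usual one; the other two are stripped defensively.
INVISIBLE_MARKS = "\u200e\u200f\ufeff"

# Constructed stand-in for an sslTrust value: Base64 of the bytes b"abc".
# It is NOT a certificate; it only exercises the decode-and-hash path.
SAMPLE_SSLTRUST = "YWJj"


def ssltrust_to_pem(ssl_trust: str) -> str:
    """Wrap the bare Base64 string from the MOB sslTrust field as a PEM certificate (sts.cer)."""
    body = re.sub(r"\s+", "", ssl_trust)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem: str) -> bytes:
    """Extract and decode the first CERTIFICATE block of a PEM string."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)


def sha1_thumbprint(der: bytes) -> str:
    """The thumbprint certmgr.msc displays is SHA-1 over the DER encoding, as lowercase hex."""
    return hashlib.sha1(der).hexdigest()


def normalize_thumbprint(raw: str) -> str:
    """Turn a thumbprint pasted from certmgr.msc into the bare 40-hex-digit form."""
    cleaned = raw.strip()
    for mark in INVISIBLE_MARKS:
        cleaned = cleaned.replace(mark, "")
    cleaned = cleaned.lstrip("?")            # a literal '?' left behind by a lossy paste
    cleaned = re.sub(r"[\s:]", "", cleaned).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError(f"not a SHA-1 thumbprint after cleanup: {cleaned!r}")
    return cleaned


def old_fingerprint_from_ssltrust(ssl_trust: str) -> str:
    """Compute the old STS fingerprint from the sslTrust value without any GUI tool."""
    return sha1_thumbprint(pem_to_der(ssltrust_to_pem(ssl_trust)))


if __name__ == "__main__":
    import sys
    # Usage: python sts_fingerprint.py <file holding the sslTrust Base64 string>
    # Writes sts.cer and old.fprint.txt in the current directory and prints the fingerprint.
    with open(sys.argv[1], encoding="utf-8") as f:
        ssl_trust = f.read()
    pem = ssltrust_to_pem(ssl_trust)
    with open("sts.cer", "w", encoding="ascii") as f:
        f.write(pem)
    fingerprint = sha1_thumbprint(pem_to_der(pem))
    with open("old.fprint.txt", "w", encoding="ascii") as f:
        f.write(fingerprint + "\n")
    print(fingerprint)
```

Computing the fingerprint from the sslTrust string and, separately, normalizing the value copied from certmgr.msc gives two independent derivations; if they disagree, the pasted thumbprint was corrupted and must not be passed to ls_update_certs.py.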

To retrieve the new certificate on a Platform Services Controller

Using External Platform Services Controller (PSC) on Windows:

  1. Connect by Remote Desktop to the Windows External Platform Services Controller.
  2. Log in to an administrative command prompt.
  3. Run this command to view the new certificate:

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text | more

  4. Create a temporary folder on the C:\ drive, for example C:\certificates.
  5. Run this command to export the new certificate to a file:

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output c:\certificates\new_sts.crt

Using External Platform Services Controller (PSC) appliance:

  1. Log in as root to the External Platform Services Controller (PSC) appliance.
  2. Create a temporary directory under /, for example /certs.
  3. Run this command to export the new certificate to a file:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /certs/new_sts.crt

To run ls_update_certs.py on an External Platform Services Controller

Using External Platform Services Controller (PSC) on Windows:

  1. Connect by Remote Desktop to the Windows External Platform Services Controller.
  2. Open an administrative command prompt.
  3. Change directories to C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\ by running this command:

    cd C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\

  4. Run this command, replacing psc.domain.com with the FQDN of the PSC and Username/Password with your administrator credentials, and supplying the old fingerprint from old.fprint.txt together with the path of the exported new certificate:

    "%VMWARE_PYTHON_BIN%" ls_update_certs.py --url https://psc.domain.com/lookupservice/sdk --fingerprint <old_fingerprint> --certfile c:\certificates\new_sts.crt --user Username --password Password

    When the command completes, you will see the message Updated 7 service(s).
  5. Re-register the NSX Manager with the PSC Lookup services.

Using External Platform Services Controller (PSC) appliance:

  1. Log in as root to the External Platform Services Controller (PSC) appliance.
  2. Change directories to:

    /usr/lib/vmidentity/tools/scripts/

  3. Run this command, replacing psc.domain.com with the FQDN of the PSC and Username/Password with your administrator credentials, and supplying the old fingerprint from old.fprint.txt together with the path of the exported new certificate:

    python /usr/lib/vmidentity/tools/scripts/ls_update_certs.py --url https://psc.domain.com/lookupservice/sdk --fingerprint <old_fingerprint> --certfile /certs/new_sts.crt --user Username --password Password

  4. When the command completes, you will see the message Updated 9 service(s).
  5. Re-register the NSX Manager with the PSC lookup services.
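Before re-registering NSX Manager it is worth confirming that the PSC actually presents the certificate you just wrote into the lookup service, rather than discovering a mismatch through the same "server certificate chain not verified" error. The following Python script is an added example, not VMware's code, for that check: it fetches the certificate the PSC serves on its HTTPS port, fingerprints it the same way (SHA-1 over DER) and classifies it against the exported new_sts.crt and the old fingerprint. It assumes the PSC's reverse proxy presents the MACHINE_SSL_CERT on port 443 and that old.fprint.txt holds the cleaned 40-hex-digit old fingerprint; the SAMPLE_PEM_* values are constructed stand-ins for testing, not real certificates.

```python
import base64
import hashlib
import re
import ssl

# Constructed stand-ins (Base64 of b"abc" and b"abcd"), NOT real certificates.
SAMPLE_PEM_ABC = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_PEM_ABCD = "-----BEGIN CERTIFICATE-----\nYWJjZA==\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM string to DER."""
    match = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)


def sha1_fingerprint(pem: str) -> str:
    """SHA-1 over the DER encoding: the same value ls_update_certs.py takes as --fingerprint."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


def classify_served_cert(served_pem: str, new_pem: str, old_fingerprint: str) -> str:
    """Compare what the endpoint presents with the exported new certificate and the old fingerprint.

    Returns one of:
      "updated"    - the endpoint serves exactly the certificate in new_sts.crt
      "still-old"  - the endpoint still serves the certificate with the old fingerprint
      "unexpected" - neither; stop and investigate before re-registering NSX Manager
    """
    served = sha1_fingerprint(served_pem)
    if served == sha1_fingerprint(new_pem):
        return "updated"
    if served == old_fingerprint.strip().lower():
        return "still-old"
    return "unexpected"


def check_lookup_service(host: str, new_cert_path: str, old_fingerprint_path: str,
                         port: int = 443) -> str:
    """Fetch the certificate the PSC presents on its HTTPS port and classify it.

    ssl.get_server_certificate performs a TLS handshake and returns the leaf
    certificate as PEM without validating the chain. That is deliberate here:
    the goal is to identify which certificate is served, not to trust it.
    """
    served_pem = ssl.get_server_certificate((host, port))
    with open(new_cert_path, encoding="utf-8") as f:
        new_pem = f.read()
    with open(old_fingerprint_path, encoding="utf-8") as f:
        old_fingerprint = f.read()
    return classify_served_cert(served_pem, new_pem, old_fingerprint)


if __name__ == "__main__":
    import sys
    # Usage: python check_psc_cert.py psc.domain.com /certs/new_sts.crt old.fprint.txt
    print(check_lookup_service(sys.argv[1], sys.argv[2], sys.argv[3]))
```

A result of "updated" means the lookup service registration and the served certificate now agree and NSX Manager's chain check should pass; "still-old" means the PSC services were not restarted or the wrong store was exported; "unexpected" usually means the certificate exported in the previous section is not the one the reverse proxy is using.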

