vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0

Article ID: 344101


Products

VMware VMware Live Recovery VMware vCenter Server VMware vSphere ESXi VMware Integrated OpenStack VMware NSX

Issue/Introduction

Symptoms:

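Disclaimer: This article is a translation of vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0 (2109074). Although we continually strive to provide the best translation of this article, localized content may become outdated. For the latest content, see the English version.

Some solutions, such as VMware vCenter Site Recovery Manager, VMware vSphere Replication, or VMware vCenter Support Assistant, might be installed on a machine other than the vCenter Server system or the Platform Services Controller.

If you replace the Machine SSL certificate on vCenter Server or the Platform Services Controller, connection errors occur when the solution attempts to connect to vCenter Server or the Platform Services Controller. This happens because the vCenter Server system and the Platform Services Controller use the new certificate, but the corresponding service registrations in the VMware Lookup Service are not updated. When a solution connects to vCenter Server or the Platform Services Controller, it looks at the service registration, which includes the service URL and the sslTrust string. Even though the certificate was replaced successfully, by default the sslTrust string is still the Base64-encoded old certificate.

When attempting to connect to vCenter Server or the Platform Services Controller, you see the following errors: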
  • vSphere Replication

    Unable to obtain SSL certificate: The vCenter Server vCenter_FQDN is not correctly registered in LookupService

  • vCenter Site Recovery Manager

    SRM server with GUID GUID of vCenter not paired.
    Failed to connect to vCenter Server at vCenter_FQDN:443/sdk. Reason:
    com.vmware.vim.vmomi.core.exception CertificateValidationException: Server certificate chain not verified.

  • VMware NSX for vSphere (NSX-v)

    NSX Management Service operation failed.(Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified)

  • VMware Integrated OpenStack

    Connection failed!
    Please check whether the server has enabled SSO from management server log at:/installer.log.


    In the VMware Integrated OpenStack installer.log file, you see entries similar to:

    [2015-04-10 14:49:18,848 main ERROR com.vmware.vim.install.impl.AdminServiceAccess] com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    [2015-04-10 14:49:18,849 main DEBUG com.vmware.vim.install.impl.AdminServiceAccess]
    com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified

  • VMware vCenter Support Assistant

    Something failed. Try Again.
    com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    Server certificate chain not verified
    peer not authenticated


  • VMware Customer Experience Improvement Program

    The vSphere Web Client reports:

    Error occurred while processing request. Check vSphere WebClient logs for details.

    The vsphere_client_virgo.log file reports errors similar to:

    [2015-10-07T13:08:41.001Z] [ERROR] http-bio-9090-exec-3 70000101 100009 200004 com.vmware.vsphere.client.ceip.impl.CeipServiceImpl Error occurred in showNotification. com.vmware.vim.binding.vmodl.fault.SystemError:Internal server error.

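    For more information about log locations, see Location of VMware vCenter Server 6.0 log files (2110014).

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

This issue can occur in any of the following situations:
  • Replacing the Machine SSL certificate on an embedded deployment.
  • Replacing the Machine SSL certificate on the Platform Services Controller in an installation with an external Platform Services Controller.
  • Replacing the Machine SSL certificate on the vCenter Server system in an installation with an external Platform Services Controller.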



Environment

VMware vCenter Support Assistant 6.0.x
VMware NSX for vSphere 6.1.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Site Recovery Manager 6.0.x
VMware Integrated OpenStack 1.0.x
VMware vCenter Server 6.0.x
VMware vSphere Replication 6.0.x

Resolution

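This issue in vCenter Server 6.0 Update 1b

Note:
  • Until you replace the certificates, installing vCenter Server 6.0 Update 1b on an affected system does not resolve this issue.
  • For certificate replacements performed with the Certificate Manager utility, the update resolves this issue. For certificate replacements performed from the Platform Services Controller UI, the update does not resolve this issue.

When certificates are replaced using the Platform Services Controller UI, you can resolve this issue by running the ls_update_certs script on the Platform Services Controller. When using external solutions, replace the certificates as follows:
  • Extract the old certificate from the vCenter Server system or the Platform Services Controller for later use.
  • Perform the certificate replacement by using the Certificate Manager utility or by running the certificate management CLI commands.
  • Run the ls_update_certs script, passing the old certificate and the new certificate.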
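
The stale-registration condition behind this procedure, as an added Python example (not VMware's code and not the ls_update_certs script): it compares each registration's sslTrust value with the certificate the server presents now and reports the fingerprints of the certificates that are still trusted. The registration structure, service names, host name and placeholder certificate bytes are constructed assumptions.

```python
import base64
import hashlib
import ssl

def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Colon-separated hex fingerprint of a DER-encoded certificate."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def stale_endpoints(registrations, current_pem: str):
    """List endpoints whose sslTrust does not contain the certificate served now.

    Each result is (service, url, fingerprints of the certificates still trusted).
    """
    current_der = ssl.PEM_cert_to_DER_cert(current_pem)
    stale = []
    for reg in registrations:
        for ep in reg["endpoints"]:
            # sslTrust entries are Base64 of the DER certificate; drop any line wrapping.
            trusted = [base64.b64decode("".join(t.split())) for t in ep["sslTrust"]]
            if current_der not in trusted:
                stale.append((reg["service"], ep["url"], [fingerprint(t) for t in trusted]))
    return stale

# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD_DER = b"constructed-old-machine-ssl-certificate"
NEW_DER = b"constructed-new-machine-ssl-certificate"
OLD_B64 = base64.b64encode(OLD_DER).decode()
NEW_B64 = base64.b64encode(NEW_DER).decode()

# Hypothetical, simplified view of Lookup Service registrations (names are constructed).
REGISTRATIONS = [
    {"service": "vcenter-sdk", "endpoints": [
        {"url": "https://vcenter.example.com:443/sdk", "sslTrust": [OLD_B64]}]},
    {"service": "sso-sts", "endpoints": [
        {"url": "https://vcenter.example.com/sts", "sslTrust": [NEW_B64]}]},
]

# Against a live system this PEM could come from ssl.get_server_certificate((host, 443)).
CURRENT_PEM = ssl.DER_cert_to_PEM_cert(NEW_DER)

if __name__ == "__main__":
    for service, url, prints in stale_endpoints(REGISTRATIONS, CURRENT_PEM):
        print(f"STALE {service} {url} still trusts {', '.join(prints)}")
```

An empty result after the script has run indicates that every listed registration trusts the new certificate.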



Additional Information