Renew expiring/expired LDAPS certificate for vCenter SSO Identity Provider
search cancel

Renew expiring/expired LDAPS certificate for vCenter SSO Identity Provider

book

Article ID: 371578

calendar_today

Updated On:

Products

VMware vCenter Server 7.0 VMware vCenter Server 8.0

Issue/Introduction

vCenter triggered an alarm regarding LDAPS certificate expiry, or LDAPS user authentication stops working due to the LDAPS certificate expired: "Identity Source LDAP Certificate is about to expire"

The /var/log/vmware/sso/ssoAdminServer.log will report the following warnings and error traces.

YYYY-MM-DD HH:MM:SS WARN ssoAdminServer [548 : pool-2-thread-8] [OpId=mlhyq0ts-231965-auto-4yzk-h5: 70036502] [com.vmware
[ldaps: //<<server_name>>: 636, CN=vcloudadmin, CN=User cannot bind connection:

YYYY-MM-DD HH:MM:SS ERROR ssoAdminServer [548 : pool-2-thread-8] [OpId=mlhyq0ts-231965-auto-4yzk-h5 : 70036502] [com.vmware. identity.idm.server. ServerUtils] cannot establish ldap connection with URI: [ldaps://<<server_name>> : 636]

because [com. vmware.identity. interop. ldap. ServerDownLdapException] with reason [Can't contact LDAP server] therefore will try to attempt to use secondary URIs, if applicable

YYYY-MM-DD HH:MM:SS ERROR ssoAdminServer [548 : pool-2-thread-8] [OpId=mlhyq0ts-231965-auto-4yzk-h5: 70036502] [com.vmware.identity.idm.server. rovider. BaseLdapProvider] com. vmware. identity. interop. ldap. ServerDownLdapException: Can't contact
[code: -1]

YYYY-MM-DD HH:MM:SS ERROR ssoAdminServer [548 : pool-2-thread-8] [OpId=mlhyq0ts-231965-auto-4yzk-h5 : 70036502] [com.vmware.identity.idm.server. IdentityManager] Failed to find person users [Criteria : searchString=, domain=######] in tenant [vsphere. local]

YYYY-MM-DD HH:MM:SS ERROR ssoAdminServer [548 : pool-2-thread-8] [OpId=mlhyq0ts-231965-auto-4yzk-h5: 70036502] [com.vmware.identity.idm.server. ServerUtils] Exception 'com. vmware. identity. interop. ldap. ServerDownLdapException: Can't contact LDAP server\nLDAP
com. vmware. identity. interop. ldap. ServerDownLdapException: Can't contact LDAP server

Cause

LDAPS Identity Provider SSO authentication relies on the LDAPS service machine certificate to be valid for authentication to succeed. If the LDAPS certificate expires, authentication via this Identity Provider will fail.

Resolution

  1. Verify the validity of the certificate using either of the following commands:
    • /opt/vmware/bin/sso-config.sh -get_identity_sources
    • openssl s_client -connect domain_controller.example.com:636 -showcerts
  2. Renew the certificates on the Domain controller.
  3. Remove the existing LDAPS IdP configuration and re-create it using the new LDAPS machine certificate chain:
    1. Take a snapshot of the VCSA VM before making any changes.
    2. Take note of the current LDAPS configuration, as the details are needed to re-create the LDAPS configuration.
    3. Remove the existing LDAPS configuration and re-create it using the new LDAPS machine certificate. Configuring a vCenter Single Sign-On Identity Source using LDAP with SSL (LDAPS).
      • NOTE: Make sure the certificate file being used is a valid ".cer" or ".crt". File format ".p7b" is not valid for this use.

Additional Information

Use proper certificate files for VC LDAPS IdP configuration:

  1. If working with only the ".p7b" file, import the cert to the "Personal" cert folder of the client machine being used (if Windows use Certificate Manager for local machine).
  2. Export the cert as Base64. This should create a cert in ".cer" format. Notepad can be used to view this cert in clear text. When the cer file is double-clicked, it should open successfully in Windows Certificate Manager.
  3. Once the cert is exported, delete the cert from "Personal" folder that was imported from the ".p7b" file.

Fails to save LDAPS configuration if trying to edit the existing configuration:

  • The configuration needs to be removed and re-created to update the LDAPS certificate.
Powered by Wolken Software