Resolving SSL Trust Mismatch Errors in VCSA Due to Expired Certificates and Misconfigured Chain Elements

Article ID: 382052
Products

VMware vCenter Server

Issue/Introduction

Customers may encounter SSL Trust Mismatch errors when attempting to connect to ADFS over LDAPS from the vCenter Server Appliance (VCSA). This is often caused by an expired certificate or a mismatched trust anchor on the VCSA.

The same failure is seen when attempting to publish the certificate manually via the CLI:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /fix/ssoamica.crt --chain

The command fails with an invalid-parameter error:

dir-cli failed. Error 87: Operation failed with error ERROR_INVALID_PARAMETER (87)

You may also observe the following error (despite the certificate being valid) when attempting to renew the ADFS certificate via the UI under Certificate Management > "Trusted Root Certificate":

"Error occurred while adding trusted root certificates: com.vmware.vapi.std.errors. Error, create trusted root chain failed: Certificate bearing subject... is not a valid CA certificate. Please retry with a valid certificate chain"


Environment

VMware vSphere 7.x

VMware vSphere 8.x

Cause

The root cause of SSL Trust Mismatch errors is typically either an expired certificate or incorrectly configured chain elements. When these issues are present, attempts to add new root certificates via the UI will not resolve the problem because the underlying certificate chain remains incomplete or incorrect.

An SSL Trust Anchor Mismatch can also be the cause; the certificate-check output of vCert may then look similar to the following:

Check ADFS LDAPS certificates
-----------------------------------------------------------------
Certificate 1                                             EXPIRED
Certificate 2                                               VALID

Checking SSL Trust Anchors
-----------------------------------------------------------------
<VCSA FQDN>                                       MISMATCH
<VCSA FQDN>                                          VALID

Resolution

To resolve SSL Trust Mismatch errors caused by expired certificates and misconfigured trust anchors:

  1. Download Certificates: Manually download each certificate in the trusted CA chain as a Base64 .crt file.
  2. Publish Certificates on VCSA: Publish each certificate with dir-cli:
       /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file1.crt --chain
       /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file2.crt --chain
       /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file3.crt --chain
  3. Force Refresh: After publishing the certificates, force a refresh so that the system recognizes the new trusted certificates:
       /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh
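As an added pre-flight check (not part of this article or of VMware's tooling), the following POSIX shell functions run openssl against each downloaded .crt before step 2 and flag the two conditions this article ties to the failures above: an expired chain element and a certificate that is not a CA. It assumes openssl is on PATH and that the files are Base64 (PEM) as step 1 requires.

```shell
#!/bin/sh
# Pre-flight check for certificates about to be published with
# "dir-cli trustedcert publish". Added example, not VMware code.
# Assumes: openssl on PATH; each FILE is a Base64 (PEM) .crt.

# vcsa_check_trusted_cert FILE
# Returns 0 if FILE is a PEM X.509 certificate that is a CA
# (basicConstraints CA:TRUE) and has not expired; otherwise prints
# the reason and returns 1.
vcsa_check_trusted_cert() {
  f="$1"
  # Must parse as a PEM certificate at all (step 1 asks for Base64 .crt)
  if ! openssl x509 -in "$f" -noout 2>/dev/null; then
    echo "$f: not a PEM (Base64) X.509 certificate"
    return 1
  fi
  # An expired chain element is the first cause the article names
  if ! openssl x509 -in "$f" -noout -checkend 0 >/dev/null 2>&1; then
    end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
    echo "$f: EXPIRED (notAfter: $end)"
    return 1
  fi
  # The UI rejects chain elements that are not CA certificates
  if ! openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
    echo "$f: not a CA certificate (basicConstraints CA:TRUE missing)"
    return 1
  fi
  subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
  echo "$f: OK  subject=$subj"
  return 0
}

# vcsa_check_chain FILE...
# Checks every file of the chain; returns 1 if any file fails, so the
# publish step can be gated on it, e.g.:
#   vcsa_check_chain /path/to/file1.crt /path/to/file2.crt && publish...
vcsa_check_chain() {
  rc=0
  for f in "$@"; do
    vcsa_check_trusted_cert "$f" || rc=1
  done
  return $rc
}
```

Printing the subject of each file that passes also shows the order in which the chain should be published (root, then each intermediate).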

Additional Information

  • Ensure that each certificate is downloaded in the correct order and that the chain contains all necessary intermediate certificates.
  • Verify that the chain elements are correctly installed by listing the entries in the trusted roots store:
      /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots --text