Resolving SSL Trust Mismatch Errors in VCSA Due to Expired Certificates and Misconfigured Chain Elements
Article ID: 382052

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Customers may encounter SSL Trust Mismatch errors when attempting to connect to ADFS LDAPS from their Virtual Center Server Appliance (VCSA). This issue is often due to an expired certificate or a mismatched trust anchor on the VCSA system.
  • When attempting to update the certificate manually via the CLI, the following command fails with an invalid parameter error:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /fix/ssoamica.crt --chain

  • You may also observe the following error (despite the certificate being valid) when attempting to renew the ADFS cert via the UI in the Certificate Management > "Trusted Root Certificate" section:

Error occurred while adding trusted root certificates: com.vmware.vapi.std.errors.Error, create trusted root chain failed: Certificate bearing subject... is not a valid CA certificate. Please retry with a valid certificate chain

  • A similar result may be observed in the vCert report:

Check ADFS LDAPS certificates
-----------------------------------------------------------------
Certificate 1                                             EXPIRED
Certificate 2                                               VALID

Checking SSL Trust Anchors
-----------------------------------------------------------------
<VCSA FQDN>                                       MISMATCH
<VCSA FQDN>                                          VALID

Environment

vCenter 7.x
vCenter 8.x

Cause

SSL Trust Mismatch or Anchor Mismatch errors typically stem from expired certificates or broken chains, which cannot be resolved through the UI as the underlying certificate structure remains invalid.

Resolution

To resolve SSL Trust Mismatch errors caused by expired certificates and misconfigured trust anchors:

  1. Download Certificates: Manually download each certificate in the trusted CA chain as a Base64 .crt file.

  2. Publish Certificates on VCSA: Use the following commands to publish the certificates:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file1.crt --chain
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file2.crt --chain
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /path/to/file3.crt --chain

  3. Force Refresh: After publishing the certificates, force a refresh so that the system recognizes the new trusted certificates:

/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

Additional Information

  • Ensure that each certificate is downloaded in the correct order and contains all necessary intermediate certificates.
  • Verify that the chain elements are correctly installed by listing the entries under the trusted roots store:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots --text
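The following script is an added example, not VMware code and not part of this article's procedure. It covers the two checks the Resolution and Additional Information sections leave to the reader: before the publish step, confirm that every downloaded .crt is unexpired, carries basicConstraints CA:TRUE and chains to a self-signed root among the downloaded files (the conditions behind the EXPIRED and "is not a valid CA certificate" messages quoted in this article); after the force-refresh, run the same checks over the PEM blocks embedded in the saved output of the vecs-cli entry list command, so an expired entry that is still present in trusted_roots is spotted. It assumes openssl is on the PATH of the machine where it runs and that the certificates are Base64 (PEM) .crt files. The dir-cli and vecs-cli paths are the ones quoted in this article; the script only prints those commands and never runs them. The certificate files and the vecs-cli-style dump used to exercise it are constructed test data.

```shell
#!/bin/sh
# Pre-flight checks for an ADFS LDAPS CA chain before it is published to the VCSA
# trusted_roots store, plus a helper for checking what is already in that store.
# Example code added to this article; not VMware tooling. Assumes openssl is on PATH
# and that each certificate is a Base64 (PEM) .crt file as the article describes.

# 0 if the certificate is still valid $2 seconds from now (use 0 for "right now").
# openssl's -checkend exits 1 when the certificate expires inside that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

cert_is_valid_now() {
    cert_valid_for "$1" 0
}

# 0 if the certificate carries basicConstraints CA:TRUE. A certificate without it is
# what produces the "is not a valid CA certificate" error quoted in this article.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate 2>/dev/null
}

# Check every file given: not expired, marked as a CA, and chaining (through the other
# files) to a self-signed root that is also among the files. Returns non-zero if any
# check fails, so a caller can refuse to publish a broken chain.
check_chain() {
    rc=0
    bundle=$(mktemp) || return 1
    # Add a newline after each file so a missing trailing newline cannot glue two
    # PEM blocks together in the bundle.
    for f in "$@"; do cat "$f"; echo; done > "$bundle"
    for f in "$@"; do
        echo "== $f"
        cert_summary "$f"
        if ! cert_is_valid_now "$f"; then
            echo "   EXPIRED"; rc=1
        fi
        if ! cert_is_ca "$f"; then
            echo "   NOT A CA CERTIFICATE (basicConstraints CA:TRUE missing)"; rc=1
        fi
        # Without -partial_chain, openssl verify insists on reaching a self-signed
        # certificate in the bundle, so an intermediate whose root was not
        # downloaded fails here. Expiry is reported separately above.
        if ! openssl verify -no_check_time -CAfile "$bundle" "$f" >/dev/null 2>&1; then
            echo "   CHAIN BROKEN: no path to a self-signed root among the supplied files"; rc=1
        fi
    done
    rm -f "$bundle"
    return $rc
}

# Extract every PEM certificate block embedded in $1 (for example the saved output of
# "vecs-cli entry list --store trusted_roots --text") into $2/cert-N.crt and print the
# file names, one per line. Only the BEGIN/END markers are relied on, so the exact
# layout of the surrounding vecs-cli text does not matter.
split_pem_blocks() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".crt"; inblock = 1 }
        inblock { print > out }
        /-----END CERTIFICATE-----/ { if (inblock) { close(out); print out; inblock = 0 } }
    ' "$1"
}

# Print (do not run) the publish and refresh commands from this article for the files.
publish_commands() {
    for f in "$@"; do
        echo "/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert $f --chain"
    done
    echo "/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh"
}

# Usage: sh check_chain.sh file1.crt file2.crt file3.crt
if [ $# -gt 0 ]; then
    if check_chain "$@"; then
        echo; echo "All checks passed. Publish with:"; publish_commands "$@"
    else
        echo "Fix the chain before publishing." >&2
        exit 1
    fi
fi
```

To check what is already in the store, save the output of the vecs-cli entry list command to a file, run split_pem_blocks on it into an empty directory, and pass the resulting files to check_chain; any entry reported as EXPIRED is the one the vCert report flags.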