Converting vSphere environment to VMware Cloud Foundation fails with error "SDDC_MANAGER_INSTALL_CERT_FAILED Failed to install VMCA Certificate on SDDC Manager"

Article ID: 394428


Products

VMware SDDC Manager

Issue/Introduction

Conversion of a vSphere environment fails to complete after running the Brownfield import script, and errors like the following may be seen in /var/log/vmware/vcf/operationsmanager/operationsmanager.log:

YYYY-MM-DD:TT:TT.631+0000 DEBUG [vcf_om,00000000000000000,0000] [c.v.v.s.t.DynamicTrustManager,pool-3-thread-12] Error checking certificate chain C=US, CN=example.sddc.local for validity.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)


The output of the Brownfield import script may also show the following:

YYYY-MM-DD:TT:TT:212+0000 ERROR [vcf_dm,0000000000000000,000] [c.v.e.s.o.model.error.ErrorFactory,dm-exec-2]  [XXXXXX] SDDC_MANAGER_INSTALL_CERT_FAILED Failed to install VMCA Certificate on SDDC Manager example.sddc.local
com.vmware.evo.sddc.orchestrator.exceptions.OrchTaskException: Failed to install VMCA Certificate on SDDC Manager example.sddc.local

The following errors may also be seen in /var/log/vmware/vcf/commonsvcs/commonsvcs.log:

YYYY-MM-DD:TT:TT.842+0000 ERROR [common,0000000000000000,000] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7100-exec-8] [000000] CERT_REPLACEMENT_FAILED Cannot replace existing certificate with the input cert. Validations did not pass.
Make sure the input cert chain is valid. The structure must be:
server cert followed by intermediate certs followed by CA cert
OR
A self signed server cert
All certs in the chain must conform to X.509 standards.
Also make sure that the DNS name in both the CN field and the optional Subject Alternative Name extension, is a resolvable hostname
com.vmware.evo.sddc.appliance.utilities.error.ApplianceManagerException: Cannot replace existing certificate with the input cert. Validations did not pass.
Make sure the input cert chain is valid. The structure must be:
server cert followed by intermediate certs followed by CA cert
OR
A self signed server cert
All certs in the chain must conform to X.509 standards.
Also make sure that the DNS name in both the CN field and the optional Subject Alternative Name extension, is a resolvable hostname
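The commonsvcs.log message above spells out what SDDC Manager's certificate validation expects from the input bundle: server certificate, then intermediates, then the CA certificate (or a single self-signed server certificate), with the hostname present in the CN or Subject Alternative Name. The script below is an added example, not VCF or SDDC Manager code, that checks a PEM bundle against exactly those rules before it is offered to SDDC Manager: it verifies that each certificate is issued and signed by the one that follows it, that the bundle ends in a self-signed certificate, and that the hostname appears in the first certificate's CN or SAN. It generates its own throwaway three-tier chain for the demonstration; the hostname `example.sddc.local`, the CA names, and the function names are constructed, and the `cryptography` package is assumed to be installed.

```python
"""Constructed example (not VCF/SDDC Manager code): check that a PEM bundle has
the structure the CERT_REPLACEMENT_FAILED message demands (server cert, then
intermediates, then CA cert, or a single self-signed cert) and that the
hostname is present in the CN or SAN. Requires the 'cryptography' package."""
import datetime
import re

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def load_chain(pem_bytes):
    """Split a PEM bundle into certificate objects, preserving file order."""
    return [x509.load_pem_x509_certificate(b) for b in PEM_BLOCK.findall(pem_bytes)]


def _signed_by(cert, issuer):
    """True if the issuer's public key verifies cert's signature (RSA PKCS#1 v1.5 here)."""
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def check_chain(pem_bytes, hostname):
    """Return a list of problems; an empty list means the bundle is well-formed."""
    certs = load_chain(pem_bytes)
    if not certs:
        return ["no PEM certificates found in input"]
    problems = []
    leaf = certs[0]
    # The hostname must appear in the CN or the SAN DNS names of the first (server) cert.
    names = {a.value for a in leaf.subject.get_attributes_for_oid(NameOID.COMMON_NAME)}
    try:
        san = leaf.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        names.update(san.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        pass
    if hostname not in names:
        problems.append(f"hostname {hostname} not in CN/SAN of first cert: {sorted(names)}")
    # Every cert must be issued by, and carry a valid signature from, the cert that follows it.
    for i in range(len(certs) - 1):
        if certs[i].issuer != certs[i + 1].subject or not _signed_by(certs[i], certs[i + 1]):
            problems.append(f"cert {i} is not issued by cert {i + 1}: chain out of order or incomplete")
    # The bundle must end in a self-signed cert: the CA root, or a lone self-signed server cert.
    last = certs[-1]
    if last.issuer != last.subject or not _signed_by(last, last):
        problems.append("last cert is not self-signed: CA cert missing from the bundle")
    return problems


def _make_cert(cn, key, issuer=None, issuer_key=None, ca=False, dns_names=()):
    """Build a throwaway test certificate; issuer=None produces a self-signed cert."""
    now = datetime.datetime.now(datetime.timezone.utc)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    b = (x509.CertificateBuilder()
         .subject_name(subject)
         .issuer_name(issuer.subject if issuer is not None else subject)
         .public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(days=1))
         .not_valid_after(now + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if dns_names:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in dns_names]),
                            critical=False)
    return b.sign(issuer_key if issuer_key is not None else key, hashes.SHA256())


def _pem(cert):
    return cert.public_bytes(serialization.Encoding.PEM)


def build_samples(hostname="example.sddc.local"):
    """Constructed root -> intermediate -> server chain, plus a lone self-signed server cert."""
    root_key, inter_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = _make_cert("Constructed Root CA", root_key, ca=True)
    inter = _make_cert("Constructed Intermediate CA", inter_key, root, root_key, ca=True)
    leaf = _make_cert(hostname, leaf_key, inter, inter_key, dns_names=[hostname])
    lone = _make_cert(hostname, leaf_key, dns_names=[hostname])
    return _pem(leaf), _pem(inter), _pem(root), _pem(lone)


def demo(hostname="example.sddc.local"):
    """Run the check over well-formed and malformed bundles built from the samples."""
    leaf, inter, root, lone = build_samples(hostname)
    return {
        "ordered": check_chain(leaf + inter + root, hostname),      # well-formed: no problems
        "self_signed": check_chain(lone, hostname),                 # allowed by the message: no problems
        "reversed": check_chain(root + inter + leaf, hostname),     # CA first: ordering and hostname problems
        "leaf_only": check_chain(leaf, hostname),                   # CA cert missing from bundle
        "wrong_host": check_chain(leaf + inter + root, "other.sddc.local"),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "OK" if not problems else problems)
```

Run it against a real bundle with `check_chain(open("bundle.pem", "rb").read(), "vcenter.example.com")` and fix any reported ordering or hostname problem before retrying the import. A bundle that passes this check can still be rejected with the PKIX "unable to find valid certification path" error from operationsmanager.log if SDDC Manager's own truststore does not contain the root; that is the trust-store problem the Cause and Resolution sections address, not a bundle-structure problem.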


Environment

VMware Cloud Foundation 5.x

Cause

The vCenter Server certificate is not trusted by SDDC Manager, so it fails to be installed and accepted during the import process.

Resolution

Follow the steps in the KB article "How to import the vCenter root certificate into the SDDC manager TrustStore" to add the vCenter Server root VMCA certificate to the SDDC Manager trust store.

Once complete, retry the Brownfield import on SDDC Manager.

Additional Information