Failing to restart services when trying to re-apply custom certificate - vpxd failed

Article ID: 395767

Products

VMware vCenter Server

Issue/Introduction

When a custom certificate is applied to the machine_ssl_cert store, vpxd fails to start and the following is logged in /var/log/vmware/vpxd/vpxd.log:

YYYY-MM-DDTHH:MM:SS.036Z error vpxd[00723] [Originator@6876 sub=ServerAccess] Remote login failed: N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:12:34:56:78
--> ExpectedThumbprint:
--> ExpectedPeerName: localhost
--> The remote host certificate has these problems:
-->
--> * Host name does not match the subject name(s) in certificate.)
--> [context]zKq7AVECAQAAAOIfcwEOdnB4ZAAAAto3bGlidm1hY29yZS5zbwAAmXksABdtLQAf6jIAlcUrAFAYLACUyCsAoNErAEmoIwDnSSMAdZ8jAMBlNwGHfwBsaWJwdGhyZWFkLnNvLjAAAr82D2xpYmMuc28uNgA=[/context]
YYYY-MM-DDTHH:MM:SS.036Z error vpxd[01380] [Originator@6876 sub=IO.Http] User agent failed to send request; (null), N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: 11:22:33:44:55:66:77:88:99:00:AA:BB:CC:DD:EE:FF:12:34:56:78
--> ExpectedThumbprint:
--> ExpectedPeerName: localhost
--> The remote host certificate has these problems:
-->
--> * Host name does not match the subject name(s) in certificate.)


The custom certificate does contain the vCenter hostname, and that hostname matches the PNID returned by the command below, so the "Host name does not match" message in the log is misleading: the hostname check is not the real failure.

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

Environment

vCenter Server 8.0

Cause

The intermediate CA certificate that signed the custom certificate has expired, and that expired certificate is present in the trusted_roots store, as seen with:

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots --text


To confirm which certificate signed the custom certificate:

  1. Take note of the Authority Key Identifier (AKI) value in the custom certificate
  2. Run /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots --text on the vCenter Server
  3. Search the output of Step 2 for a Subject Key Identifier (SKI) equal to the AKI noted in Step 1 - the certificate whose SKI matches is the one that signed the custom certificate. Check its "Not After" date: if it is in the past, this is the expired intermediate.
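The AKI-to-SKI match above can be done by hand, but the trusted_roots store often holds many entries, and unpublishing the wrong one breaks trust for everything signed by it. The script below is an added example written for this article, not a VMware tool or output from any vCenter: it parses a constructed text dump modelled on the openssl-style output of vecs-cli entry list --store trusted_roots --text, finds the entry whose Subject Key Identifier equals the custom certificate's Authority Key Identifier, and reports its alias and whether it has expired. The alias it prints is the value the Resolution steps need. The sample dump, the aliases and the AKI value are all constructed; in practice the AKI comes from openssl x509 -in custom.crt -noout -text, and the dump from running vecs-cli on the vCenter Server.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample modelled on `vecs-cli entry list --store trusted_roots --text`
# (an Alias/Entry type header followed by an openssl-style certificate dump).
# This is NOT real output from any vCenter Server.
SAMPLE_TRUSTED_ROOTS = """\
Number of entries in store :	2
Alias :	e6a7d2c4f1b09a5e3c8d7f6a5b4c3d2e1f0a9b8c
Entry type :	Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Example Root CA, O=Example
        Validity
            Not Before: Jan  1 00:00:00 2015 GMT
            Not After : Jan  1 00:00:00 2035 GMT
        Subject: CN=Example Root CA, O=Example
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14
Alias :	9f8e7d6c5b4a39281706f5e4d3c2b1a0f9e8d7c6
Entry type :	Trusted Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=Example Root CA, O=Example
        Validity
            Not Before: Jan  1 00:00:00 2020 GMT
            Not After : Jan  1 00:00:00 2023 GMT
        Subject: CN=Example Issuing CA, O=Example
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD
            X509v3 Authority Key Identifier: 
                keyid:01:02:03:04:05:06:07:08:09:0A:0B:0C:0D:0E:0F:10:11:12:13:14
"""

# Constructed AKI of the custom machine SSL certificate, as openssl prints it.
CUSTOM_CERT_AKI = "keyid:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD"


def normalize_keyid(value: str) -> str:
    """Strip the 'keyid:' prefix, colons and whitespace so AKI and SKI compare as plain hex."""
    value = value.strip()
    if value.lower().startswith("keyid:"):
        value = value[len("keyid:"):]
    return value.replace(":", "").replace(" ", "").upper()


def parse_not_after(text: str) -> datetime:
    """Parse an openssl 'Not After' value such as 'Jan  1 00:00:00 2023 GMT' as UTC."""
    text = re.sub(r"\s+GMT$", "", text.strip())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_trusted_roots(text: str) -> List[Dict]:
    """Split the --text dump into one record per 'Alias :' entry (alias, subject, SKI, not_after)."""
    entries = []
    for chunk in re.split(r"(?m)^Alias\s*:\s*", text)[1:]:  # [0] is the preamble
        alias = chunk.split("\n", 1)[0].strip()
        subject = re.search(r"^\s*Subject:\s*(.+)$", chunk, re.M)
        not_after = re.search(r"Not After\s*:\s*(.+)$", chunk, re.M)
        ski = re.search(r"Subject Key Identifier:\s*\n\s*([0-9A-Fa-f:]+)", chunk)
        entries.append({
            "alias": alias,
            "subject": subject.group(1).strip() if subject else "",
            "ski": normalize_keyid(ski.group(1)) if ski else "",
            "not_after": parse_not_after(not_after.group(1)) if not_after else None,
        })
    return entries


def find_signer(aki: str, entries: List[Dict], now_iso: Optional[str] = None) -> Optional[Dict]:
    """Return the entry whose SKI equals the given AKI, plus an 'expired' flag, or None if absent.

    now_iso is an ISO-8601 timestamp used as "now" so the check is reproducible; it defaults
    to the current UTC time.
    """
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    target = normalize_keyid(aki)
    for entry in entries:
        if entry["ski"] and entry["ski"] == target:
            expired = entry["not_after"] is not None and entry["not_after"] < now
            return {**entry, "expired": expired}
    return None


if __name__ == "__main__":
    signer = find_signer(CUSTOM_CERT_AKI, parse_trusted_roots(SAMPLE_TRUSTED_ROOTS))
    if signer is None:
        print("No trusted_roots entry has an SKI matching the custom certificate's AKI.")
    else:
        state = "EXPIRED" if signer["expired"] else "valid"
        print(f"Signer: {signer['subject']}  alias={signer['alias']}  not_after={signer['not_after']}  {state}")
```

Run it against real data by replacing the constants with the output of openssl x509 -noout -text on the custom certificate and the saved vecs-cli dump. Only the entry reported as EXPIRED is a candidate for removal; a matching entry that is still valid means the failure lies elsewhere and nothing should be unpublished.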

Resolution

Remove the expired intermediate certificate by following KB 326288, or use the method below:

  • Run /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store trusted_roots --text and take note of the Alias of the expired intermediate certificate (the entry whose Subject Key Identifier matches the custom certificate's Authority Key Identifier and whose "Not After" date has passed)
  • Export a copy of the certificate using:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store trusted_roots --alias <ALIAS_OF_CERT> --output /root/oldroot.crt

  • Before unpublishing, confirm that /root/oldroot.crt is the expired intermediate and not a still-valid CA; unpublishing a valid CA certificate removes trust for everything it signed
  • Unpublish the certificate using the command below:

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /root/oldroot.crt

  • Refresh VECS:

/usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

  • Re-apply the custom certificate

Additional Information