Unable to download vCenter TRUSTED ROOTS CA certificate from vSphere UI client.

Products

VMware vSphere ESXi

Issue/Introduction

While downloading the Trusted root certificate from vCenter, we are getting below error message. (from verbose logs of /var/log/vmware/vpxd/vpxd.log)
- YYYY-MM-DDTHH:MM:SS.087Z verbose vpxd[07542] [Originator@6876 sub=vpxUtil] Creating certificate zip 203, basename=certs at /etc/vmware-vpx/docRoot from files at /etc/vmware-vpx/docRoot/certs fileMode = w
  YYYY-MM-DDTHH:MM:SS:02.197Z error vpxd[07542] [Originator@6876 sub=vpxUtil] /usr/bin/python failed with error [1] and output [Traceback (most recent call last):
  --> File "/usr/lib/vmware-vpx/py/createcertificatezip.py", line 56, in <module>
  --> zipfile.ZIP_DEFLATED)
  --> File "/usr/lib/python3.7/zipfile.py", line 1746, in write
  --> with open(filename, "rb") as src, self.open(zinfo, 'w') as dest:
  --> File "/usr/lib/python3.7/zipfile.py", line 1473, in open
  --> return self._open_to_write(zinfo, force_zip64=force_zip64)
  --> File "/usr/lib/python3.7/zipfile.py", line 1586, in _open_to_write
  --> self.fp.write(zinfo.FileHeader(zip64))
  --> File "/usr/lib/python3.7/zipfile.py", line 447, in FileHeader
  --> len(filename), len(extra))
  --> struct.error: ushort format requires 0 <= number <= (0x7fff * 2 + 1)
  --> ]
  YYYY-MM-DDTHH:MM:SS.197Z error vpxd[07542] [Originator@6876 sub=vpxUtil] error executing create certificate zip script /usr/lib/vmware-vpx/py/createcertificatezip.py
  YYYY-MM-DDTHH:MM:SS.198Z error vpxd[07542] [Originator@6876 sub=certRequestHandler] [void Vpxd::CertRequestHandler::HandleRequest(Vmacore::Http::Request*, Vmacore::Http::Response*)] Unable to generate cert zip /etc/vmware-vpx/docRoot/203.Sent NotFound response for certs download request /certs/download.zip.

Also, When we try to download the certificate from command line using below command, It fails with same error message.

python /usr/lib/vmware-vpx/py/createcertificatezip.py -s /etc/vmware-vpx/docRoot/certs/ -d /var/core -b /certs -f certs.zip -m w

Environment

VMWare vCenter Server 7.X
VMWare vCenter Server 8.X

Cause

The certificates of the vCenter are getting exported to a file "certs" in below path.
- ```
/etc/vmware-vpx/docRoot/certs
```
Check the last modified file under the same location.
- root@vCenter [ /etc/vmware-vpx/docRoot/certs ]# ls -ltrh
  total 24K
  -rw-r--r-- 1 root root 1.5K Sep 17 2024 7acec312.0
  -rw-r--r-- 1 root root 795 Apr 14 18:42 7acec312.r0
  -rw-r--r-- 1 root root 1.4K Apr 17 19:02 98fc963c.1
  -rw-r--r-- 1 root root 722 May 2 16:11 98fc963c.r2
  -rw-r--r-- 1 root root 722 May 14 13:23 98fc963c.r0
  -rw-r--r-- 1 root root 799 Sep 30 2141 7acec312.r1
If we verify the last updated file, it is from year 2141, which is way ahead of the current vCenter time.
Hence, while exporting certificate it is unable to enumerate this certificate and it fails.

Resolution

Remove the unwanted certificates from vCenter TRUSTED ROOTS store.
- Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store(VECS)
To update the last modified date on the file, use the following command.
- ```
find /etc/vmware-vpx/docRoot/ -exec touch -acmh etc/vmware-vpx/docRoot/ {} \;
```

Additional Information

How to download Trusted root CA certificates from vCenter.

Download and install vCenter Server root certificates to avoid web browser certificate warnings