vSAN -- vSAN Data Protection Appliance - Errors: "tls: failed to verify certificate: x509: certificate signed by unknown"

Article ID: 399367


Products

VMware vSAN, VMware vSAN 8.x

Issue/Introduction

The vSAN Snapshot Appliance is not available after a vCenter certificate renewal and/or vCenter reboot.
Following the resolution steps outlined in KB 397738, along with rebooting the vSAN Data Protection Appliance, does not fix the issue.

On the vSAN Data Protection Appliance (via SSH/PuTTY), one or more of the following symptoms apply:

  • The vSAN Snapshot Service (snapservice) appliance's Docker container repeatedly fails to initialize and is caught in a restart loop: running docker ps shows the snapservice container in a continuous "restarting" state.
  • /var/log/vmware/snapservice/snap-service-panic.log shows the error: "panic: Failed to initialize VC Client"
  • /var/log/vmware/snapservice/snap-service.log shows: "failed to verify certificate: x509: certificate signed by unknown authority"

In addition, you might observe the following error message on the vSAN Data Protection dashboard:

<html> <head><title>502 Bad Gateway</title></head> <body> <center><h1>502 Bad Gateway</h1></center> <hr><center>nginx/1.25.2</center> </body> </html> <!-- a padding to disable MSIE and Chrome friendly error page -->

Environment

vSAN 8.x

Cause

An issue with the stored vCenter certificate (for example, it is missing or invalid).

The snapservice container does not trust the vCenter Server’s SSL certificate chain because the necessary root and intermediate CA certificates might be missing from its internal trusted store.
When the container tries to establish an HTTPS connection to vCenter, it cannot validate the server’s certificate chain.
The resulting TLS failure causes the service process to exit, which in turn triggers the Docker restart policy.

Resolution

  1. Download the vCenter certificate bundle (-k is required at this point because the appliance does not yet trust the vCenter certificate, which is the problem being fixed):
    curl -k -O https://<vCenter_FQDN>/certs/download.zip
    unzip download.zip 'certs/lin/*.0'
  2. Copy all .0 files from the certs/lin folder into the snapservice trust directory:
    cp certs/lin/*.0 /etc/ssl/certs/snapservice/
  3. Update ownership of these files to the snapservice user:
    chown snapservice:snapservice /etc/ssl/certs/snapservice/*.0
  4. The snapservice container picks up the certificates on its next automatic restart (the restart loop means no manual restart is needed).
  5. Verify the container status:
    docker ps
     
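Why the Cause section's failure occurs and why copying the CA files in the Resolution steps fixes it, shown as an added example in Go (the language whose x509 package emits the quoted "certificate signed by unknown authority" string). This is constructed illustration code, not snapservice's source: the CA and server certificate are generated in memory, vcenter.example.test is a placeholder hostname, and trustStore stands in for the /etc/ssl/certs/snapservice/ directory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// makeCert issues a constructed test certificate plus its PEM; parent == nil means a self-signed root CA.
func makeCert(cn string, isCA bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if !isCA { // server leaf: server-auth usage and a SAN so the hostname check can pass
		tmpl.KeyUsage, tmpl.DNSNames = x509.KeyUsageDigitalSignature, []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// trustStore builds the root pool from PEM blobs (what the copied certs/lin/*.0 files provide) and counts how many parsed.
func trustStore(pemFiles ...[]byte) (*x509.CertPool, int) {
	pool, loaded := x509.NewCertPool(), 0
	for _, b := range pemFiles {
		if pool.AppendCertsFromPEM(b) {
			loaded++
		}
	}
	return pool, loaded
}

// verifyServer does what snapservice's Go TLS client does at connect time: validate the chain
// against roots and check the hostname. unknownAuthority flags the exact failure class from snap-service.log.
func verifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) (ok, unknownAuthority bool) {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err == nil, errors.As(err, new(x509.UnknownAuthorityError))
}
```

A count of 0 from trustStore after the copy step is the quickest sign that the wrong files (or no files) landed in the trust directory.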

Additional Information

Related article: vSAN Data Protection 'Protection Groups' vanish after vCenter Certificates are replaced