"Could not connect to one or more vCenter Server systems: https://vCenter_FQDN:443/sdk" error in vSphere Client when vCenters are in Enhanced linked mode.



Article ID: 403115


Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • vCenter UI displays a banner with an error message "Could not connect to one or more vCenter Server systems: https://vCenter_FQDN:443/sdk"

  • The vCenter inventory does not display all of the linked vCenter nodes.

  • vmdird state is normal on all the vCenter nodes as verified by the following command: /usr/lib/vmware-vmafd/bin/dir-cli state get

  • The partner status of the vCenters in linked mode is verified as working as expected with the following commands:

    • /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showservers -h localhost -u administrator

    • /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartners -h localhost -u administrator

    • /usr/lib/vmware-vmdir/bin/vdcrepadmin -f showpartnerstatus -h localhost -u administrator

  • Every vCenter node has a distinct STS certificate when verified from the vCenter UI: From the Home Menu, select Administration > Certificate Management > View STS Certificate Details

  • The following error is observed in /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:

    [YYYY-MM-DDTHH:MM:SS] [INFO ] http-nio-5090-exec-2  r0000003 ###### ###### com.vmware.identity.token.impl.X509TrustChainKeySelector Failed to find trusted path to signing certificate <CN=STS,OU=VMware Engineering,O=VMware,L=Palo Alto,ST=California,C=US> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
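As an added example that is not part of this KB article, the shell functions below scan vsphere_client_virgo.log for the X509TrustChainKeySelector trust-path failure shown above and report the signing-certificate subject that the vSphere Client could not validate. A hit means the vSphere Client on this node does not trust the STS signing certificate presented by a linked node, which is the condition this article describes. The log content embedded in the block is constructed for offline testing and is not a real vCenter log; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the KB): detect STS trust-chain failures in the
# vSphere Client log. On a vCenter appliance, run against the real log:
#   sts_trust_failures /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log

# Count log lines where the vSphere Client could not build a trust path
# to the STS signing certificate of a linked vCenter node.
sts_trust_failures() {
  grep -c 'X509TrustChainKeySelector Failed to find trusted path to signing certificate' "$1"
}

# Print the distinct signing-certificate subjects (the text between < and >)
# that failed validation, one per line, so they can be compared with the STS
# certificate shown under Administration > Certificate Management on each node.
sts_untrusted_subjects() {
  grep 'Failed to find trusted path to signing certificate' "$1" \
    | sed -n 's/.*signing certificate <\([^>]*\)>.*/\1/p' \
    | sort -u
}

# Constructed sample log (NOT a real vCenter log) so the functions run offline.
# One unrelated line plus two trust-path failures for the same STS subject.
SAMPLE_LOG="$(mktemp)"
cat > "$SAMPLE_LOG" <<'EOF'
[2024-01-01T10:00:00] [INFO ] http-nio-5090-exec-1  r0000001 ###### ###### com.vmware.vise.util.session.SessionUtil Session created
[2024-01-01T10:00:05] [INFO ] http-nio-5090-exec-2  r0000003 ###### ###### com.vmware.identity.token.impl.X509TrustChainKeySelector Failed to find trusted path to signing certificate <CN=STS,OU=VMware Engineering,O=VMware,L=Palo Alto,ST=California,C=US> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[2024-01-01T10:00:07] [INFO ] http-nio-5090-exec-4  r0000005 ###### ###### com.vmware.identity.token.impl.X509TrustChainKeySelector Failed to find trusted path to signing certificate <CN=STS,OU=VMware Engineering,O=VMware,L=Palo Alto,ST=California,C=US> sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
EOF

# Report: non-zero failures mean at least one linked node presents an STS
# certificate this node does not trust; compare STS certificates across nodes.
if [ "$(sts_trust_failures "$SAMPLE_LOG")" -gt 0 ]; then
  echo "STS trust-path failures found; untrusted signing certificate subject(s):"
  sts_untrusted_subjects "$SAMPLE_LOG"
fi
```

Because every vCenter node in an SSO domain normally signs SAML tokens with the same STS certificate, a subject listed here that differs from the STS certificate on the node reporting the error, or a matching subject with a different fingerprint, points at a node whose services were not restarted after the STS certificate was replaced.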


Environment

  • VMware vCenter Server 7.0

  • VMware vCenter Server 8.0

Cause

  • The issue arises if any node in the linked vCenter environment uses a different STS certificate from the others.

  • Linked vCenter nodes in the same SSO domain share one STS certificate. Hence the services on every vCenter node need to be restarted after the STS certificate is replaced on one of them, so that each node loads the new certificate.

Resolution

NOTE: Before proceeding with the steps below, take a snapshot of the vCenter Server Appliance. If the vCenter is part of an Enhanced Linked Mode (ELM) setup, take an offline (powered-off) snapshot of all replicating vCenter ELM nodes; see: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice

  • Using the vCert script, replace the STS certificate on one of the vCenter nodes by selecting the options below (see: vCert - Scripted vCenter Expired Certificate Replacement):

    • Option 3 (Manage vCenter Certificates) > Option 8 (STS signing certificates)

  • Restart the services on all the vCenter nodes: service-control --stop --all && service-control --start --all