Failed to fetch certificate details for host after successful certificate replacement in the SDDC manager UI
Article ID: 409976

Updated On:

Products

VMware SDDC Manager

Issue/Introduction

After the certificates have been replaced manually in the SDDC Manager web UI, SDDC Manager fails to fetch the certificate details: the certificate options are greyed out, the check box for the resource type in question cannot be selected, and there is no option to generate certificates from the GUI.

Environment

VMware SDDC Manager 5.2.1

Cause

The issued certificate is missing the 'Server Authentication' (serverAuth) Extended Key Usage attribute, so the TLS client in SDDC Manager rejects the certificate chain when it validates the end-entity certificate.

Entries similar to the following error are found in /var/log/vmware/vcf/operationsmanager/operationsmanager.log:

2025-08-27T03:52:28.003+0000 DEBUG [vcf_om,0000000000000000,0000] [c.v.v.s.t.DynamicTrustManager,reactor-http-nio-4] Error checking certificate chain CN=sddc-manager.domain.local, OU=VMware, O=VMware, L=Location, ST=ST, C=US,CN=INTERMEDIATE-CA, DC=domain, DC=local, CN=Root CA, O=VMware, DC=domain, DC=local for validity.
java.security.cert.CertificateException: Unable to construct a valid chain
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:322)
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(ProvX509TrustManager.java:273)
        at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(ProvX509TrustManager.java:176)
        at org.bouncycastle.jsse.provider.ExportX509TrustManager_7.checkServerTrusted(ExportX509TrustManager_7.java:49)
        at com.vmware.vcf.secure.truststore.DynamicTrustManager.checkServerTrusted(DynamicTrustManager.java:49)
        at io.netty.handler.ssl.util.X509TrustManagerWrapper.checkServerTrusted(X509TrustManagerWrapper.java:69)
        at org.bouncycastle.jsse.provider.ImportX509TrustManager_7.checkServerTrusted(ImportX509TrustManager_7.java:62)
        at org.bouncycastle.jsse.provider.ProvSSLEngine.checkServerTrusted(ProvSSLEngine.java:150)
        at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:378)
        at org.bouncycastle.tls.TlsUtils.processServerCertificate(TlsUtils.java:4834)
        at org.bouncycastle.tls.TlsClientProtocol.handleServerCertificate(TlsClientProtocol.java:797)
        at org.bouncycastle.tls.TlsClientProtocol.receive13ServerCertificate(TlsClientProtocol.java:1589)
        at org.bouncycastle.tls.TlsClientProtocol.handle13HandshakeMessage(TlsClientProtocol.java:160)
        at org.bouncycastle.tls.TlsClientProtocol.handleHandshakeMessage(TlsClientProtocol.java:366)
        at org.bouncycastle.tls.TlsProtocol.processHandshakeQueue(TlsProtocol.java:715)
        at org.bouncycastle.tls.TlsProtocol.processRecord(TlsProtocol.java:591)
        at org.bouncycastle.tls.RecordStream.readFullRecord(RecordStream.java:209)
        at org.bouncycastle.tls.TlsProtocol.safeReadFullRecord(TlsProtocol.java:926)
        at org.bouncycastle.tls.TlsProtocol.offerInput(TlsProtocol.java:1368)
        at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(ProvSSLEngine.java:486)
        at java.base/javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:679)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:310)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1445)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:530)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:469)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:840)
Caused by: java.security.cert.CertPathValidatorException: Certificate doesn't support 'serverAuth' ExtendedKeyUsage
        at org.bouncycastle.jsse.provider.ProvAlgorithmChecker.checkEndEntity(ProvAlgorithmChecker.java:229)
        at org.bouncycastle.jsse.provider.ProvAlgorithmChecker.checkCertPathExtras(ProvAlgorithmChecker.java:181)

Resolution

Using the same CSR, issue a new certificate with the correct Extended Key Usage attributes (Server Authentication, Client Authentication) and replace the certificate file using the following steps:

  • Create the new certificate with the full chain:
    • VCF leaf cert
    • Intermediate CA
    • Root CA
  • Connect via SSH
    • Open a Secure Shell (SSH) connection to the SDDC Manager appliance as the vcf user and elevate to the root user.
  • Upload the new full chain certificate using scp to the following location: /home/vcf/vcf_https.crt
  • Back up the current certificate
    • mv /etc/ssl/certs/vcf_https.crt /etc/ssl/certs/vcf_https.crt.bak
  • Copy the new certificate file to the correct location
    • mv /home/vcf/vcf_https.crt /etc/ssl/certs/vcf_https.crt
  • Set the correct ownership and permissions:
    • chown root:lwis /etc/ssl/certs/vcf_https.crt
    • chmod 775 /etc/ssl/certs/vcf_https.crt
  • Reload the nginx service to make the new certificate active
    • nginx -t && systemctl reload nginx
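Before uploading the replacement bundle, it is worth confirming on a workstation that the new leaf certificate actually carries the serverAuth Extended Key Usage the log above complains about, and that the bundle is ordered leaf, intermediate, root as the steps require. The following script is an added example, not part of the KB article or of SDDC Manager; it assumes the openssl CLI (1.1.1 or later) is available, and the function names, file paths and subjects it uses are illustrative.

```shell
#!/bin/sh
# Added example (not from the KB): pre-flight check for a replacement
# vcf_https.crt bundle. It splits a PEM bundle into its certificates,
# prints each subject, and confirms that the first certificate (the leaf)
# lists 'TLS Web Server Authentication' in its Extended Key Usage, which is
# the 'serverAuth' check that fails in the Bouncy Castle trace above.
# Requires the openssl CLI; paths and names are assumptions for the example.

# Return 0 if the PEM certificate in $1 lists serverAuth in its EKU.
has_server_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Server Authentication'
}

# Return 0 if the PEM certificate in $1 lists clientAuth in its EKU.
has_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -q 'TLS Web Client Authentication'
}

# Count the certificates in a PEM bundle.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Inspect a full-chain bundle (leaf first, then intermediate, then root).
# Prints one line per certificate. Returns 1 if the leaf lacks serverAuth
# or the bundle holds fewer than the three certificates the KB calls for.
check_bundle() {
    bundle="$1"
    n=$(cert_count "$bundle")
    workdir=$(mktemp -d)
    # Split the bundle into cert-1.pem, cert-2.pem, ... in order of
    # appearance, ignoring any text outside the PEM markers.
    awk -v dir="$workdir" '
        /BEGIN CERTIFICATE/ { i++; f = dir "/cert-" i ".pem" }
        f != ""             { print > f }
        /END CERTIFICATE/   { close(f); f = "" }' "$bundle"
    status=0
    i=1
    while [ "$i" -le "$n" ]; do
        f="$workdir/cert-$i.pem"
        subject=$(openssl x509 -in "$f" -noout -subject)
        if has_server_auth "$f"; then eku="serverAuth"; else eku="no serverAuth"; fi
        echo "cert $i: $subject [$eku]"
        i=$((i + 1))
    done
    # The leaf is the first certificate and must carry serverAuth.
    has_server_auth "$workdir/cert-1.pem" || status=1
    # Leaf + intermediate + root: anything shorter is not a full chain.
    [ "$n" -ge 3 ] || status=1
    rm -rf "$workdir"
    return $status
}

# Usage (assumed path): check_bundle /home/vcf/vcf_https.crt
```

Run it against the bundle you intend to copy to /home/vcf/vcf_https.crt; a non-zero exit means the leaf still lacks serverAuth (the same condition that produced the "Certificate doesn't support 'serverAuth' ExtendedKeyUsage" line) or the chain is incomplete, so the certificate should be reissued before the nginx reload rather than after.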