Unable to Update LDAPS Certificates



Article ID: 410739


Products

VMware vCenter Server

Issue/Introduction

Users are unable to log in with domain accounts.

There is an alarm in vCenter - Identity Source LDAP Certificate is about to expire.

When you attempt to update the certificates, the following error is observed from the update wizard:

Cannot configure Identity source due to Failed to probe provider connectivity [URI: ldaps://<domainController1FQDN:portNumber> <ldaps://domainController2FQDN:portNumber> ]; TenantName [<example.com>], userName [<[email protected]>] Caused by: Invalid credentials.


Environment

vCenter 8.0.x

Cause

The LDAPS certificate on the domain controllers has already been renewed, so the certificate the domain controllers now present no longer matches the certificate stored for the identity source in vCenter. The wizard reports the resulting TLS failure as "Invalid credentials", which is misleading: the service account password is not the problem.

This can be verified with the following:

  1. Log into the vCenter via SSH (root).

  2. Run the following command to connect to the LDAPS provider and view the certificate it currently presents (use the port from the identity source URL: 636 is LDAPS, 3269 is the Global Catalog over SSL):

    openssl s_client -connect domain_controller.example.com:3269 -showcerts

  3. This returns output similar to the following. The "verify error:num=20" line only means the appliance's own OpenSSL trust store does not contain the domain CA; it is expected here and is not the cause of the problem. Note the NotBefore/NotAfter dates and the issuer of certificate 0, the leaf certificate:

    CONNECTED(00000003)
    depth=1 DC = com, DC = example, CN = commonName
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0
    verify return:1
    ---
    Certificate chain
     0 s:
       i:DC = com, DC = example, CN = commonName
       a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
       v:NotBefore: <Month Day Time Year> GMT; NotAfter: <Month Day Time Year> GMT
    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

  4. The validity dates and serial of the certificate presented by the domain controller will not match the certificate recorded for the identity source, which can be listed with the following command (see the "Certificates:" section of the EXTERNAL_DOMAIN entry):

     /opt/vmware/bin/sso-config.sh -get_identity_sources

    Total number of identitysources retrieved for tenant:vsphere.local : 3
    (If the value is undefined against a param, then you might notice "UndefinedConfig" against it.)

    ********** IDENTITY SOURCE INFORMATION **********
    IdentitySourceName        :  vsphere.local
    DomainType                :  SYSTEM_DOMAIN

    ********** IDENTITY SOURCE INFORMATION **********
    IdentitySourceName        :  localos
    DomainType                :  LOCAL_OS_DOMAIN

    ********** IDENTITY SOURCE INFORMATION **********
    IdentitySourceName        :  example.com
    DomainType                :  EXTERNAL_DOMAIN
    Identity Settings:
      alias                   :  example
      authenticationType      :  PASSWORD
      userBaseDN              :  DC=example,DC=com
      groupBaseDN             :  DC=example,DC=com
      username                :  example\s-vcenter-ldap
      providerType            :  IDENTITY_STORE_TYPE_LDAP_WITH_AD_MAPPING
      servicePrincipalName    :  placeholder
      useMachineAccount       :  false
      FriendlyName            :  example.com
      SearchTimeoutInSeconds  :  0
    Connection Settings:
    URLs:
        0:  ldap://dc.example.com
    Certificates:
        0:    subject:
               issuer:  CN=TEST-CERT01-com, DC=example, DC=com
            NotBefore:  Thu Jul 06 11:00:20 CDT 2023
             NotAfter:  Sun Jul 06 11:10:20 CDT 2025
               Serial:  1404##############388


Resolution

  1. Take a snapshot of the vCenter. (If the vCenter is in Enhanced Linked Mode, shut down all of the linked vCenters and take powered-off snapshots of all of them.)

  2. Acquire the new certificates from the domain controllers (for example, by saving the PEM blocks returned by the openssl s_client -showcerts command above, or by exporting them from the domain controllers) and upload them to the /root or /tmp folder on the vCenter.

  3. Download and install the vCert tool on the vCenter.

  4. Run the tool and choose option 3 - "Manager Certificates".

  5. Choose option 14 - "LDAPS Identity Source certificates".

  6. Select option 2 - "Remove LDAP Server certificate(s)".

  7. Repeat steps 5 and 6 until all of the old LDAPS certificates have been removed.

  8. Repeat steps 4 and 5, but this time select option 1 - "Add LDAP server certificate(s)". Do this for each of the new certificates.

  9. Restart services on the vCenter (service-control --stop --all && service-control --start --all).

  10. Log in with domain credentials.
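The verification in the Cause section and step 2 of the Resolution both come down to the same task: pull the certificate chain each domain controller currently presents, keep the PEM files for the vCert tool, and read off the serial and validity dates to compare with the sso-config.sh output. The following bash script is an added example, not code from this article or from the vCert tool. It assumes it is run as root on the vCenter appliance with openssl on the PATH; dc1.example.com and dc2.example.com are placeholder names for the domain controllers listed in the identity source URLs.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article or any VMware/Broadcom tool).
# Fetches the certificate chain each domain controller presents over LDAPS,
# saves every certificate as a PEM file, and prints the fields needed to
# compare the live certificate with the one stored in the vCenter identity
# source (Serial, NotBefore/NotAfter, issuer).
# Assumptions: run as root on the vCenter appliance; openssl is on PATH;
# dc1.example.com / dc2.example.com are placeholder domain controller names.

# Read text containing one or more PEM certificates on stdin (for example the
# output of openssl s_client -showcerts) and write each block to
# <outdir>/<prefix>-<n>.pem. Prints the number of certificates found.
extract_pem_blocks() {
    local outdir=$1 prefix=$2
    awk -v dir="$outdir" -v pfx="$prefix" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/" pfx "-" (n - 1) ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }
    '
}

# Print subject, issuer, serial, validity window and SHA-256 fingerprint of one
# PEM file. Serial and NotAfter are the values to match against the
# "Certificates:" section of sso-config.sh -get_identity_sources.
summarize_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -serial -dates -fingerprint -sha256
}

# Connect to one domain controller, save the presented chain under <outdir>,
# and summarise the leaf certificate (index 0). Port 636 is LDAPS; pass 3269
# for the Global Catalog over SSL, as the article's openssl command does.
# Returns non-zero if no certificate came back (wrong port, firewall, or
# LDAPS not enabled on that domain controller).
fetch_dc_chain() {
    local host=$1 port=${2:-636} outdir=${3:-/tmp}
    local count
    count=$(openssl s_client -connect "$host:$port" -showcerts </dev/null 2>/dev/null \
                | extract_pem_blocks "$outdir" "$host")
    if [ "${count:-0}" -eq 0 ]; then
        echo "$host:$port: no certificate received" >&2
        return 1
    fi
    echo "== $host:$port ($count certificate(s) in chain, saved as $outdir/$host-*.pem)"
    summarize_cert "$outdir/$host-0.pem"
}

# Usage on the appliance: one call per domain controller in the identity
# source URL list, then compare the printed serial/dates with sso-config output.
# for dc in dc1.example.com dc2.example.com; do fetch_dc_chain "$dc" 636 /tmp; done
```

The saved `<host>-0.pem` files are the leaf certificates to add with vCert option 1 in step 8; the higher-numbered files are the issuing chain, which is useful for confirming that all domain controllers were issued from the same CA. If the serial printed here already matches the Serial shown by sso-config.sh, the certificate is not the cause and the "Invalid credentials" error should be investigated as an actual account problem.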