VCF 9.0 deployment fails due to certificate error "FAILED_TO_IMPORT_VC_TRUSTED_ROOT_CERTIFICATE"


Article ID: 412637


Products

VMware SDDC Manager

Issue/Introduction

Deploying VCF 9.0 with a custom CA certificate fails. Confirm that you are hitting this issue using the log and JSON references below, then apply the steps in the Resolution section of this article.

  • Log reference: the validation error reports a PEM entry that contains more than one certificate

/var/log/vmware/vcf/domainmanager/domainmanager.log

YYYY-MM-DDTHH:MIN:SEC DEBUG [vcf_dm,] [c.v.v.v.v.VcCertificateManagementServiceImpl,] Getting trusted root chain '82##A11' from {}
YYYY-MM-DDTHH:MIN:SEC DEBUG [vcf_dm,] [c.v.vcf.vapi.vsphere.VapiRestClient,] Executing REST request: Type GET, URL https://<vCenter FQDN>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/82##A11
YYYY-MM-DDTHH:MIN:SEC DEBUG [vcf_dm,] [c.v.vcf.vapi.vsphere.VapiRestClient,] Successfully executed REST request with body: , and received response with body: {"value":{"cert_chain":{"cert_chain":["*****"]}}}
YYYY-MM-DDTHH:MIN:SEC DEBUG [vcf_dm,] [c.v.v.v.v.VcCertificateManagementServiceImpl,] Getting trusted root chain 'F4##AE' from {}
YYYY-MM-DDTHH:MIN:SEC DEBUG [vcf_dm,] [c.v.vcf.vapi.vsphere.VapiRestClient,] Executing REST request: Type GET, URL https://<vCenter FQDN>/rest/vcenter/certificate-management/vcenter/trusted-root-chains/F4##AE
YYYY-MM-DDTHH:MIN:SEC DEBUG [vcf_dm,] [c.v.vcf.vapi.vsphere.VapiRestClient,] Successfully executed REST request with body: , and received response with body: {"value":{"cert_chain":{"cert_chain":["*****"]}}}
YYYY-MM-DDTHH:MIN:SEC ERROR [vcf_dm,] [c.v.e.s.o.model.error.ErrorFactory,] [Token ID] FAILED_TO_IMPORT_VC_TRUSTED_ROOT_CERTIFICATE Failed to import certificate in vCenter <vCenter FQDN> trusted root certificates
com.vmware.evo.sddc.orchestrator.exceptions.OrchTaskException: Failed to import certificate in vCenter <vCenter FQDN> trusted root certificates at com.vmware.evo.sddc.vsphere.contract.ImportTrustedRootCertificatesAction.postValidate(ImportTrustedRootCertificatesAction.java:156)
........
Caused by: java.lang.RuntimeException: java.security.cert.CertificateException: java.security.cert.CertificateException: Can't get single X509 certificate from PEM. More than one certificate in PEM.

  • Example of the root and subordinate certificates incorrectly supplied as a single element of the certChain array in the JSON spec:

     "certChain": [
       "-----BEGIN CERTIFICATE----- ####-----END CERTIFICATE-----\n,-----BEGIN CERTIFICATE----- ####-----END CERTIFICATE-----\n"
     ]

Environment

VCF 9.x

Cause

An incorrectly formatted certChain field in the JSON spec causes this error. Each certificate in the chain must be supplied as its own element of the JSON array; concatenating several PEM blocks into one string makes the installer treat them as a single PEM, which fails with "More than one certificate in PEM".

Resolution

  • Remove the partially imported trusted certificate entry from vCenter
  • Update the securitySpec so that each certificate is a separate array element, as shown below

     "certChain": [
       "-----BEGIN CERTIFICATE----- ####-----END CERTIFICATE-----\n",
       "-----BEGIN CERTIFICATE----- ####-----END CERTIFICATE-----\n"
      ]

  • Run the installer again with the updated spec.
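The following pre-flight check is an added example, not part of this article or of the VCF installer. It parses a deployment spec, reports any certChain element that holds more than one PEM block (the condition behind "More than one certificate in PEM"), and rebuilds the array with one certificate per element as the Resolution section requires. The nesting {"securitySpec": {"certChain": [...]}} and the placeholder certificate bodies are assumptions for illustration; run it against your own spec file before starting the installer.

```python
import json
import re

# One PEM certificate block; DOTALL lets '.' span the base64 lines inside.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_pem_chain(value):
    """Return the individual PEM blocks found in one string, each ending with
    a newline (the element form shown in the Resolution section)."""
    return [block + "\n" for block in PEM_BLOCK.findall(value)]


def validate_cert_chain(cert_chain):
    """Check a certChain array: every element must hold exactly one certificate.
    Returns a list of problem descriptions; an empty list means it is acceptable."""
    problems = []
    if not isinstance(cert_chain, list):
        return ["certChain must be a JSON array of PEM strings"]
    for index, element in enumerate(cert_chain):
        if not isinstance(element, str):
            problems.append(f"element {index}: not a string")
            continue
        count = len(PEM_BLOCK.findall(element))
        if count == 0:
            problems.append(f"element {index}: no PEM certificate found")
        elif count > 1:
            problems.append(
                f"element {index}: {count} certificates in one PEM string "
                "(split them into separate array elements)"
            )
    return problems


def fix_cert_chain(cert_chain):
    """Rebuild certChain so that each certificate is its own array element,
    preserving the original order (root and subordinate stay in sequence)."""
    fixed = []
    for element in cert_chain:
        fixed.extend(split_pem_chain(element))
    return fixed


def check_and_repair(spec_json):
    """Parse a spec document (assumed key path securitySpec.certChain),
    return (problems, repaired_chain)."""
    spec = json.loads(spec_json)
    chain = spec["securitySpec"]["certChain"]
    return validate_cert_chain(chain), fix_cert_chain(chain)


# Constructed sample certificates: placeholder bodies, not real certificate data.
ROOT = "-----BEGIN CERTIFICATE-----\nROOT-PLACEHOLDER\n-----END CERTIFICATE-----"
SUB = "-----BEGIN CERTIFICATE-----\nSUB-PLACEHOLDER\n-----END CERTIFICATE-----"

# The broken form from the article: both certificates inside one array element.
BROKEN_SPEC = {"securitySpec": {"certChain": [ROOT + "\n," + SUB + "\n"]}}

if __name__ == "__main__":
    problems, repaired = check_and_repair(json.dumps(BROKEN_SPEC))
    for problem in problems:
        print("problem:", problem)
    print(json.dumps({"certChain": repaired}, indent=2))
```

Point check_and_repair at the contents of your real spec file; if it prints no problems the certChain array already matches the expected format, otherwise the repaired array it returns is the one to write back into securitySpec before rerunning the installer.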

Additional Information

A further reference for the expected certChain format is in "Deploy the Management Domain Using ESXi Hosts with External Certificates" in the VCF documentation.