Certificate replacement fails with error "Error occurred while fetching tls: String index out of range: -1"
Article ID: 415419
Updated On:
Products
Issue/Introduction
When attempting to replace the vCenter Server Machine SSL certificate with a custom CA-signed certificate, the operation fails with the error"Error occurred while fetching tls: String index out of range: -1"
Environment
VMware vCenter Server 7.x
Cause
- The error occurs when the Machine SSL certificate provided during replacement is incomplete or disordered.
- vCenter expects a complete PEM chain containing the Machine SSL, intermediate, and root CA certificates in the correct order. If any part of the chain is missing or improperly formatted, TLS validation fails and triggers the error.
Resolution
In order to resolve the issue, follow the steps mentioned below:-
-
Generate a new CSR from the vCenter Server UI.
-
Download the CSR and have it signed by the Certificate Authority (CA).
-
Download the complete certificate chain in PEM format from the CA portal.
-
In vCenter Server UI, navigate to:
Administration > Certificate Management > Machine SSL Certificate > Actions > Replace Certificate > Replace with external CA certificate (private key embedded). -
In the Machine SSL Certificate section, include the entire chain in the following order:
-----BEGIN CERTIFICATE----- <Machine SSL Certificate> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <Intermediate Certificate> -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- <Root Certificate> -----END CERTIFICATE----- -
Since the environment contains an intermediate certificate, include both the intermediate and root certificates in the Root Certificate section as well:
- Upload the complete chain and proceed with the replacement.
- Once the replacement is successful, the UI will show below details
Additional Information
For more information, refer below mentioned KB
Replace vCenter Machine SSL certificate Custom Certificate Authority Signed Certificate
Feedback
