Remediating desired state cluster configuration fails with error 'The server certificate does not match the provided'

Article ID: 415820

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Checking the cluster's desired state configuration, you observe the warning:
    Host is out of compliance with desired configuration
  • Remediating the cluster compliance using either 'Export & Import configuration' or 'Import from host' fails with another error:
    com.vmware.vcIntegrity contains a vSphere Configuration Plugin file that failed to Download('The server certificate does not match the provided')
  • Reviewing the VUM plugin log, /var/log/vmware/vmware-updatemgr/vum-server/pluginrunner.log, you see errors similar to:
    Unable to download com.vmware.vcIntegrity plugins
    ...
    SSLCertVerificationError('The server certificate does not match the provided certificate')

Environment

VMware vCenter Server 7.0.x

VMware vCenter Server 8.0.x

Cause

This issue occurs when the certificate chain of the vCenter machine SSL certificate stored in /etc/vmware-vpx/ssl/rui.crt is not in the correct order, which is Leaf > Intermediate CA > Root CA (from top to bottom).
The output of the following command shows the certificate chain in the wrong order:

# openssl s_client -connect VC_FQDN:443 -showcerts

For example the chain might be in this order:

-----BEGIN CERTIFICATE-----
(leaf certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root CA certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediary CA certificate)
-----END CERTIFICATE-----

The certificate should instead be chained as follows (see the KB article How to correctly chain custom certificate for vCenter):

-----BEGIN CERTIFICATE-----
(leaf certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediary CA certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root CA certificate)
-----END CERTIFICATE-----

Resolution

To fix this issue, first make sure that a fresh backup or snapshot of the vCenter Server Appliance (VCSA) exists. If the affected VCSA is part of an Enhanced Linked Mode (ELM) replication setup, keep in mind that you need offline snapshots (taken in the powered-off state) of all ELM members. Reordering only changes the sequence of the PEM blocks in the file; the leaf certificate and its private key stay the same, so no new certificate has to be issued. Then take the following steps:

  1. Open an SSH connection to the vCenter Server Appliance and log in with the root account
  2. Edit the rui.crt file using the vi editor:
    vi /etc/vmware-vpx/ssl/rui.crt
  3. Chain the certificates in the correct order, with the leaf (endpoint) certificate at the top, followed by the intermediate CA certificate(s), and the root CA certificate at the bottom, like so:
    -----BEGIN CERTIFICATE-----
    (leaf certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (intermediary CA certificate)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (root CA certificate)
    -----END CERTIFICATE-----
  4. Restart the vCenter services:
    service-control --stop --all && service-control --start --all
  5. Retry the preferred import of the desired state configuration and remediate the cluster
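As an added example that is not part of this KB article, the following shell script automates the check from the Cause section and the reordering from step 3: it splits a PEM bundle such as /etc/vmware-vpx/ssl/rui.crt into its certificates, reports whether each certificate is directly followed by its issuer (leaf first, self-signed root last), and rewrites the bundle in that order. The chain it operates on is a throwaway root > intermediate > leaf hierarchy generated on the fly with the openssl CLI as constructed test data; the names Example Root CA, Example Issuing CA and vcenter.example.invalid are placeholders, and the function names are the example's own. Run it against a copy of rui.crt rather than the live file, and keep the backup advice above.

```shell
#!/bin/sh
# Added example (not from the KB): check and repair the certificate order in a PEM
# bundle such as /etc/vmware-vpx/ssl/rui.crt. Needs only the openssl CLI.
set -eu

# Split a PEM bundle into one file per certificate ($2/cert.0, cert.1, ...); print the count.
split_pem() {
    local bundle="$1" outdir="$2" n=0 inside=0 line
    mkdir -p "$outdir"
    while IFS= read -r line || [ -n "$line" ]; do
        if [ "$line" = "-----BEGIN CERTIFICATE-----" ]; then inside=1; : > "$outdir/cert.$n"; fi
        if [ "$inside" -eq 1 ]; then printf '%s\n' "$line" >> "$outdir/cert.$n"; fi
        if [ "$line" = "-----END CERTIFICATE-----" ]; then inside=0; n=$((n + 1)); fi
    done < "$bundle"
    echo "$n"
}

# Subject / issuer DN of the first certificate in a PEM file, without the "subject=" prefix.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Print "ordered" when every certificate is directly followed by its issuer and the last
# one is self-signed (leaf > intermediate CA > root CA), otherwise "misordered".
chain_order() {
    local bundle="$1" tmp count i last verdict=ordered
    tmp=$(mktemp -d)
    count=$(split_pem "$bundle" "$tmp")
    i=0
    while [ "$i" -lt $((count - 1)) ]; do
        [ "$(issuer_of "$tmp/cert.$i")" = "$(subject_of "$tmp/cert.$((i + 1))")" ] || verdict=misordered
        i=$((i + 1))
    done
    last="$tmp/cert.$((count - 1))"
    [ "$(issuer_of "$last")" = "$(subject_of "$last")" ] || verdict=misordered
    rm -rf "$tmp"
    echo "$verdict"
}

# Rewrite the bundle to $2 with the leaf first, then each certificate's issuer in turn,
# ending at the self-signed root.
fix_chain_order() {
    local bundle="$1" out="$2" tmp count i j cur next found
    tmp=$(mktemp -d)
    count=$(split_pem "$bundle" "$tmp")
    # The leaf is the certificate whose subject is not the issuer of any other certificate.
    cur=0; i=0
    while [ "$i" -lt "$count" ]; do
        found=0; j=0
        while [ "$j" -lt "$count" ]; do
            if [ "$i" -ne "$j" ] && [ "$(subject_of "$tmp/cert.$i")" = "$(issuer_of "$tmp/cert.$j")" ]; then found=1; fi
            j=$((j + 1))
        done
        if [ "$found" -eq 0 ]; then cur=$i; fi
        i=$((i + 1))
    done
    # Walk up the chain: append the current certificate, then look for its issuer.
    : > "$out"
    i=0
    while [ "$i" -lt "$count" ]; do
        cat "$tmp/cert.$cur" >> "$out"
        next=""
        if [ "$(issuer_of "$tmp/cert.$cur")" != "$(subject_of "$tmp/cert.$cur")" ]; then
            j=0
            while [ "$j" -lt "$count" ]; do
                if [ "$(subject_of "$tmp/cert.$j")" = "$(issuer_of "$tmp/cert.$cur")" ]; then next=$j; fi
                j=$((j + 1))
            done
        fi
        [ -n "$next" ] || break
        cur=$next
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Constructed test data, not real vCenter certificates: a throwaway root > issuing CA > leaf
# chain, plus a bundle in the wrong order (leaf, root, intermediate) as described in the KB.
make_test_chain() {
    local dir="$1"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$dir/leaf.ext"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -extfile "$dir/ca.ext" -days 30 -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Example Issuing CA" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.ext" -days 30 -out "$dir/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=vcenter.example.invalid" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" -CAcreateserial -extfile "$dir/leaf.ext" -days 30 -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/root.crt" "$dir/int.crt" > "$dir/rui.crt.bad"
}

WORK=$(mktemp -d)
make_test_chain "$WORK"
echo "before: $(chain_order "$WORK/rui.crt.bad")"      # misordered
fix_chain_order "$WORK/rui.crt.bad" "$WORK/rui.crt.fixed"
echo "after:  $(chain_order "$WORK/rui.crt.fixed")"    # ordered
# Complementary check: the leaf validates up to the root through the repaired bundle.
openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/rui.crt.fixed" "$WORK/leaf.crt"
```

`openssl verify` accepts the intermediates in any order, so it proves that the chain is complete and cryptographically valid but not that the file order is right; `chain_order` checks the top-to-bottom order this KB requires. After replacing rui.crt and restarting the services, re-run `openssl s_client -connect VC_FQDN:443 -showcerts` and confirm the certificates are presented leaf first and root last.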