vCenter server not visible in Enhanced Linked Mode due to a Trusted roots store certificate chain mismatch

Article ID: 416985

Products

VMware vCenter Server

Issue/Introduction

  • One or more vCenter Servers fail to appear in the Enhanced Linked Mode (ELM) configuration, while other vCenter Servers are visible.
  • When running the ELM precheck, you may see the error:
    "Starting Authz Data export ... failed. Conflict data (if any) can be found under /storage/domain-data/conflict.json". Checking that location shows that no such file is present.
  • In the vsphere_client_virgo.log you should see:

    Caused by: com.vmware.vcenter.apigw.security.AuthenticationException: Failed to log into [uri=http://localhost:1080/external-vecs/http2/vCenter fqdn/443/apigw, sessionMgr=SessionManagerInfo
    [_sessionMgrSvcId=com.vmware.cis.session, _loginOpId=create, _logoutOpId=delete], ssoDomain=vsphere.local(service uuid)]
            ... 22 common frames omitted
    Caused by: com.vmware.vapi.client.exception.InvalidSslCertificateException: HTTP response with status code 526 (enable debug logging for details)
            at com.vmware.vapi.internal.protocol.client.rpc.http.ApacheHttpUtil.validateHttpResponse(ApacheHttpUtil.java:97)
            at com.vmware.vapi.internal.protocol.client.rpc.http.handle.NioSingleResponseConsumer.responseCompleted(NioSingleResponseConsumer.java:61)
            ... 16 common frames omitted

Environment

  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Cause

This occurs when the Trusted roots store chains do not match across the vCenters, that is, the TRUSTED_ROOTS store on one vCenter is missing a root certificate that the other vCenters hold.

Resolution

1. Check the number of certificates in the trusted roots store of each vCenter and compare the counts:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text

2. Identify the alias of the certificate that is present on the other vCenters but missing from the affected one.

3. On a vCenter that has the certificate, pull it using the alias:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store trusted_roots --alias <alias> --output /root/cert.crt
where <alias> is the alias from step 2.

4. Upload the cert.crt file generated in step 3 to the vCenter missing it.

5. Publish the certificate on the vCenter missing it:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert <path to cert.crt>

For example:
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/cert.crt
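As an added example that is not part of this article, the following shell snippet automates steps 1 and 2 by parsing two saved vecs-cli listings and reporting the alias one vCenter lacks. The listings are constructed sample output, and the exact "Alias :" column spacing of vecs-cli is an assumption (the parser tolerates any whitespace).

```sh
# Added example, not from the KB: compare the TRUSTED_ROOTS stores of two
# vCenters to find the root certificate alias that one of them is missing.
# The listings are constructed sample output in the approximate layout of
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text
# Certificate bodies are truncated placeholders, not real PEM data.

VCSA1_LISTING='Number of entries in store : 2
Alias : 1111111111111111111111111111111111111111
Entry type : Trusted Cert
Certificate:
-----BEGIN CERTIFICATE----- (constructed placeholder, root CA 1)
Alias : 2222222222222222222222222222222222222222
Entry type : Trusted Cert
Certificate:
-----BEGIN CERTIFICATE----- (constructed placeholder, root CA 2)'

VCSA2_LISTING='Number of entries in store : 1
Alias : 1111111111111111111111111111111111111111
Entry type : Trusted Cert
Certificate:
-----BEGIN CERTIFICATE----- (constructed placeholder, root CA 1)'

# Step 1: the store's own entry count, taken from its header line.
entry_count() {
    printf '%s\n' "$1" | sed -n 's/^Number of entries in store[[:space:]]*:[[:space:]]*//p'
}

# All aliases in a listing, one per line, sorted (comm requires sorted input).
aliases() {
    printf '%s\n' "$1" | sed -n 's/^Alias[[:space:]]*:[[:space:]]*//p' | sort -u
}

# Step 2: aliases present in listing $1 but absent from listing $2.
missing_aliases() {
    have=$(mktemp) || return 1
    lack=$(mktemp) || { rm -f "$have"; return 1; }
    aliases "$1" > "$have"
    aliases "$2" > "$lack"
    comm -23 "$have" "$lack"
    rm -f "$have" "$lack"
}

echo "vCenter 1 holds $(entry_count "$VCSA1_LISTING") roots, vCenter 2 holds $(entry_count "$VCSA2_LISTING")"
for alias in $(missing_aliases "$VCSA1_LISTING" "$VCSA2_LISTING"); do
    # Steps 3 and 5 of the KB, to run on vCenter 1 and vCenter 2 respectively.
    echo "vCenter 2 lacks alias $alias; export it on vCenter 1 with:"
    echo "  /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store TRUSTED_ROOTS --alias $alias --output /root/cert.crt"
    echo "then publish it on vCenter 2 with:"
    echo "  /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/cert.crt"
done
```

On real appliances, save each vCenter's `vecs-cli entry list --store TRUSTED_ROOTS --text` output to a file and pass its contents as the two listing variables.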