"Could not retrieve trusted root certificates from vCenter" error when importing vCenter into VCF Operations 9

Article ID: 418133


Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

  • When importing a vCenter, the task fails at the Precheck stage with the error "Could not retrieve trusted root certificates from vCenter <vCenterFQDN>".
  • In /var/log/vmware/vcf/domainmanager/domainmanager.log the following errors are shown:

    DEBUG [vcf_dm,0f1a0aa297e247be,7a71] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7200-exec-5]  Processing localizable exception Could not retrieve trusted root certificates from vCenter <vCenterFQDN>.

    2025-11-12T21:06:35.351+0000 ERROR [vcf_dm,0f1a0aa297e247be,7a71] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7200-exec-5]  [477KEC] FAILED_TO_RETRIEVE_VC_TRUSTED_ROOT_CERTS Could not retrieve trusted root certificates from vCenter <vCenterFQDN>.

    Caused by: org.springframework.web.client.HttpServerErrorException$InternalServerError: 500 : "{"errorCode":"CERT_VALIDATION_ERROR","arguments":[],"message":"Error while validating certificate","causes":[{"type":"java.security.cert.CertificateExpiredException","message":"NotAfter: <cert expiry date>"}],"referenceToken":"V9V8CJ"}"

  • When importing vCenter 9.0.1, the following messages are seen in the LCM log:

    /var/log/vmware/vcf/lcm/lcm.log

    INFO  [common,0f18f03058cf4a53,f3fa] [c.v.e.s.a.u.a.r.v.AddressAttributesController,http-nio-127.0.0.1-7100-exec-13] Getting [SSL, IPv4] attribute for [vcsa.domain.com] with DNS domain null

    INFO  [common,0f18f03058cf4a53,f3fa] [o.b.jsse.provider.ProvTlsClient,http-nio-127.0.0.1-7100-exec-13] [client #1964 @4b1f0f40] opening connection to vcsa.domain.com:443

    WARN  [common,0f18f03058cf4a53,f3fa] [c.v.v.s.config.TrustAllTrustManager,http-nio-127.0.0.1-7100-exec-13] Trusting server

    INFO  [common,0f18f03058cf4a53,f3fa] [o.b.jsse.provider.ProvTlsClient,http-nio-127.0.0.1-7100-exec-13] [client #1964 @4b1f0f40] established connection with vcsa.domain.com:443

    INFO  [common,0f18f03058cf4a53,f3fa] [o.b.jsse.provider.ProvTlsClient,http-nio-127.0.0.1-7100-exec-13] [client #1964 @4b1f0f40] disconnected from vcsa.domain.com:443

    INFO  [common,0f18f03058cf4a53,f3fa] [c.v.e.s.common.util.NetworkService,http-nio-127.0.0.1-7100-exec-13] Resolved FQDN vcsa.domain.com to an IP ##.##.##.##.

    INFO  [common,4504e5afae5747fe,0caf] [c.v.v.r.r.a.c.v.ResourceFunctionalitiesController,http-nio-127.0.0.1-7100-exec-22] Going to get allowed global configuration for resource functionalities

    INFO  [common,4504e5afae5747fe,0caf] [c.v.e.s.i.s.BlockedFunctionalityInventoryServiceImpl,http-nio-127.0.0.1-7100-exec-22] Going to determine if there is a global resource functionalities block.

    INFO  [common,4504e5afae5747fe,0caf] [c.v.e.s.i.d.s.c.BlockedFunctionalityClientImpl,http-nio-127.0.0.1-7100-exec-22] Found following globally blocking records: []

    INFO  [common,4504e5afae5747fe,0caf] [c.v.v.l.a.a.ActivityLoggingInterceptor,http-nio-127.0.0.1-7100-exec-22] {"username":"vcfsvcs","timestamp":"Date.time","clientIP":"127.0.0.1","userAgent":"Swagger-Codegen/1.0.0/java","api":"/v1/resource-functionalities/global","httpMethod":"GET","httpStatus":200,"operation":"Get Resource Functionalities Allowed Global Configuration","remoteIP":"127.0.0.1","duration":1}

    [common,691ca0b647ea0545209ba4038158003e,58e6] [c.v.e.s.a.u.a.r.CertificateController,http-nio-127.0.0.1-7100-exec-21] Add Certificate to truststore

    ERROR [common,691ca0b647ea0545209ba4038158003e,58e6] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7100-exec-21] [TFLBJO] CERT_VALIDATION_ERROR Error while validating certificate

    Caused by: java.security.cert.CertificateExpiredException: NotAfter: <Cert expiry date>



Environment

VCF 9.x

Cause

SDDC Manager is attempting to add a certificate to its truststore, but the operation fails because the certificate being validated has already expired. This results in a CERT_VALIDATION_ERROR.

Resolution

1. Remove the expired certificate(s) from the vCenter trusted root store following the KB: vCert - Scripted vCenter expired certificate replacement

2. Verify if expired certificates are present in the SDDC Manager's trusted certificate store and remove them if found.

  • SSH to SDDC Manager as the vcf user and su to root.
  • Retrieve the trust store password:

    KEY=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)

  • List certificates in the trust store (the "Valid from: ... until: ..." line of each entry shows its expiry date):

    keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass "$KEY"

  • Delete expired certificates by alias:

    keytool -delete -alias <aliasname> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass "$KEY"

3. Restart the import task and try again.
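The following script is an added example for step 2 and is not part of this KB or the SDDC Manager product. It reads the output of `keytool -list -v` and prints only the aliases whose certificate has already expired, so an operator can review the list before running `keytool -delete`. The store and key file paths are the ones named above; the script assumes the standard `Valid from: <date> until: <date>` line format that `keytool -list -v` prints. When the trust store is not present (for instance when run on a workstation), it falls back to a constructed sample listing embedded in the script.

```shell
#!/bin/sh
# Added example (not part of the KB): report trust-store entries whose
# certificate has already expired, for review before any `keytool -delete`.
# Paths are the ones the KB names; the keytool output format is assumed to be
# the standard "Valid from: <date> until: <date>" line of `keytool -list -v`.

STORE=/etc/vmware/vcf/commonsvcs/trusted_certificates.store
KEYFILE=/etc/vmware/vcf/commonsvcs/trusted_certificates.key

# Read `keytool -list -v` output on stdin and print the alias of every entry
# whose "until:" date is earlier than $1 (a YYYYMMDD string). The comparison
# is done at day granularity in awk, so no GNU `date -d` is required.
expired_aliases() {
    today=$1
    awk -v today="$today" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= 12; i++) mon[names[i]] = i
        }
        /^Alias name:/ { sub(/^Alias name:[ \t]*/, ""); alias = $0 }
        /^Valid from:/ {
            n = split($0, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "until:") break
            if (i > n) next
            # tokens after "until:": weekday month day hh:mm:ss zone year
            ymd = sprintf("%04d%02d%02d", f[i + 6], mon[f[i + 2]], f[i + 3])
            if (ymd + 0 < today + 0) print alias
        }
    '
}

# Constructed sample listing (two entries, one expired) used when the real
# trust store is not readable on the machine running this script.
SAMPLE_LISTING=$(cat <<'EOF'
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: expired_root_ca
Creation date: Jan 5, 2021
Entry type: trustedCertEntry

Owner: CN=CA, DC=vsphere, DC=local
Issuer: CN=CA, DC=vsphere, DC=local
Serial number: 1
Valid from: Tue Jan 05 00:00:00 UTC 2021 until: Wed Jan 05 00:00:00 UTC 2022


*******************************************
*******************************************


Alias name: current_root_ca
Creation date: Jan 5, 2025
Entry type: trustedCertEntry

Owner: CN=CA, DC=vsphere, DC=local
Issuer: CN=CA, DC=vsphere, DC=local
Serial number: 2
Valid from: Sun Jan 05 00:00:00 UTC 2025 until: Sat Jan 05 00:00:00 UTC 2030
EOF
)

# Run on SDDC Manager as root to inspect the real store; elsewhere use the sample.
if [ -r "$STORE" ] && [ -r "$KEYFILE" ]; then
    KEY=$(cat "$KEYFILE")
    keytool -list -v -keystore "$STORE" -storepass "$KEY" | expired_aliases "$(date -u +%Y%m%d)"
else
    printf '%s\n' "$SAMPLE_LISTING" | expired_aliases "$(date -u +%Y%m%d)"
fi
```

The script only reports aliases; deletion stays a deliberate, per-alias `keytool -delete` as in step 2, so a mis-parsed entry cannot remove a certificate that is still valid.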

Additional Information

Similar KB: The VMware Cloud Foundation (VCF) installation failed at the vCenter certificate installation stage, showing the error: "Failed to install certificates on VCF Installer."