Replace cert Failed: Exception found (Invalid input, not a valid PEM formatted Machine SSL certificate)

Article ID: 421558


Products

VMware vCenter Server

Issue/Introduction

  • Replacing the Machine SSL certificate from Certificate Management in the vSphere Client fails with the error "not a valid PEM formatted Machine SSL certificate".

  • The vSphere Client log shows error messages such as the following:

    /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log

    [YYYY-MM-DDTHH:MM:SS.###Z] [ERROR] tp-nio-127.0.0.1-5090-exec-6  com.vmware.vise.mvc.exception.GlobalExceptionHandler              Exception handled while processing request for /ui/certificate-ui/ctrl/certificates/tls:  com.vmware.vapi.std.errors.Error: Error (com.vmware.vapi.std.errors.error) => {
        messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
        id = com.vmware.certificatemanagement.error,
        defaultMessage = Exception found (Invalid input, not a valid PEM formatted Machine SSL certificate),
        args = [Invalid input, not a valid PEM formatted Machine SSL certificate],
        params = <null>,
        localized = <null>

  • The Certificate Management service log shows error messages such as the following:

    /var/log/vmware/certificatemanagement/certificatemanagement-svcs.log

    YYYY-MM-DDTHH:MM:SS.###Z [tomcat-exec-10 [] INFO  com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] Entering replace method to replace the TLS/SSL certificate ..
    YYYY-MM-DDTHH:MM:SS.###Z [tomcat-exec-10 [] ERROR com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] Invalid PEM string for MACHINE_SSL certificate malformed PEM data encountered
    YYYY-MM-DDTHH:MM:SS.###Z [tomcat-exec-10 [] ERROR com.vmware.certificatemanagement.impl.tls.TlsReplace  opId=] TLS Certificate replacement failed : Invalid input, not a valid PEM formatted Machine SSL certificate
    YYYY-MM-DDTHH:MM:SS.###Z [tomcat-exec-10 [] ERROR com.vmware.certificatemanagement.vapi.impl.TlsProviderImpl  opId=] Exception was thrown while executing set:
    com.vmware.certificatemanagement.impl.exceptions.InvalidArgumentException: Invalid input, not a valid PEM formatted Machine SSL certificate
            at com.vmware.certificatemanagement.impl.tls.TlsReplace.replaceMachineCert(TlsReplace.java:97) ~[service-0.0.1-SNAPSHOT.jar:?]

Environment

vCenter Server 8.x

Cause

  • This issue occurs when the Machine SSL certificate file supplied to the certificate replacement wizard is corrupted or is not in valid Base-64 (PEM) format.
  • Opening the certificate file on a Windows desktop fails with an error, which confirms that the file is not in a valid certificate format.

Resolution

  1. Obtain a valid Base-64 encoded certificate from the custom CA server; see the KB article Obtaining vSphere certificates from a Microsoft Certificate Authority.
  2. Open the certificate on Windows (double-click the certificate file) to confirm that the file is in a proper certificate format, then export it as Base-64 using the following procedure:

    1. Click Details.
    2. Click Copy to File.
    3. Click Next.
    4. Select Base-64 encoded X.509 (.CER) and click Next.
    5. Enter the file path and click Next.
    6. Click Finish.

  3. Use the exported Base-64 formatted file in the Certificate Replacement wizard.

Additional Information

  • When intermediate and root CAs are involved, the Machine SSL certificate file should contain the certificates in the following order:

    UI screenshot for Machine SSL file upload:

    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Machine SSL Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Intermediate 1 Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Intermediate 2 Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Root Certificate
    -----END CERTIFICATE-----

  • When intermediate and root CAs are involved, the "Root Chain" certificate file should contain the certificates in the following order:

    UI screenshot for root chain file upload:

    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Intermediate 1 Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Intermediate 2 Certificate
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    <alphanumeric certificate characters>       <-----Root Certificate
    -----END CERTIFICATE-----
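Both conditions the service enforces here, that the upload is a Base-64 (PEM) bundle rather than a binary DER or corrupted file (the Cause section above), and that the PEM blocks are in leaf, intermediate, root order (the two listings above), can be verified offline before the wizard is opened. The following Python script is an added example, not code from VMware or from this article; it uses only the standard library, and the certificate chain it checks is constructed inside the script (unsigned placeholder X.509 structures for vcenter.example.test and an example CA hierarchy, not real certificates). The function names and finding strings are the example's own, not the service's messages.

```python
import base64, re

PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def validate_pem_file(data):
    """Return (problems, ders): encoding findings plus the DER bytes of each block that decoded."""
    problems, ders = [], []
    if data[:1] == b"\x30":  # 0x30 is the DER SEQUENCE tag: a binary DER export, not Base-64
        return ["file is binary DER, not Base-64 PEM; export as 'Base-64 encoded X.509 (.CER)'"], ders
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return ["no -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- block found"], ders
    for i, body in enumerate(blocks, 1):
        try:  # validate=True rejects any character outside the Base-64 alphabet
            der = base64.b64decode(re.sub(rb"\s+", b"", body), validate=True)
        except ValueError:
            problems.append(f"block {i}: body is not valid Base-64 (corrupted or edited file)")
            continue
        if der[:1] != b"\x30":
            problems.append(f"block {i}: decoded bytes are not a DER SEQUENCE (not an X.509 certificate)")
            continue
        ders.append(der)
    return problems, ders

def _tlv(buf, off):
    """Decode one DER tag and length at buf[off:]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: the low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def issuer_and_subject(der):
    """Return the raw DER encodings of the issuer and subject Names of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)        # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)      # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                 # optional [0] EXPLICIT version
        pos = end
    _, _, pos = _tlv(der, pos)      # serialNumber
    _, _, pos = _tlv(der, pos)      # signature AlgorithmIdentifier
    _, _, end = _tlv(der, pos)      # issuer Name
    issuer, pos = der[pos:end], end
    _, _, pos = _tlv(der, pos)      # validity
    _, _, end = _tlv(der, pos)      # subject Name
    return issuer, der[pos:end]

def check_chain_order(ders, leaf_first):
    """Each certificate must be issued by the next one and the self-signed root must come last;
    leaf_first=True for the Machine SSL file, False for the root-chain file."""
    try:
        names = [issuer_and_subject(d) for d in ders]   # (issuer, subject) per block
    except IndexError:
        return ["a block does not parse as an X.509 Certificate structure"]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} was not issued by certificate {i + 2}: wrong order or missing CA")
    if names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed: root CA certificate is missing")
    if leaf_first and names[0][0] == names[0][1]:
        problems.append("first certificate is self-signed: the Machine SSL (leaf) certificate must come first")
    return problems

def check_file(data, leaf_first=True):
    # Run both checks on the raw bytes of an upload file; returns [] when the file is acceptable.
    problems, ders = validate_pem_file(data)
    if problems or not ders:
        return problems or ["no certificate could be decoded from the file"]
    return check_chain_order(ders, leaf_first)

# Constructed sample data: unsigned placeholder structures for the example, not real certificates.
def _der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body

def _name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, PrintableString cn } } }
    return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))))

def fake_cert(subject_cn, issuer_cn):
    """Build a minimal X.509 v3 DER structure (empty key, empty signature) that the parser accepts."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")                      # version, serial
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))          # sha256WithRSA
           + _name(issuer_cn)
           + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))  # validity
           + _name(subject_cn) + _der(0x30, b""))                                      # SPKI placeholder
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def to_pem(der):
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":  # constructed chain: leaf, two intermediates, self-signed root
    chain = [fake_cert("vcenter.example.test", "Example Intermediate 1"),
             fake_cert("Example Intermediate 1", "Example Intermediate 2"),
             fake_cert("Example Intermediate 2", "Example Root CA"),
             fake_cert("Example Root CA", "Example Root CA")]
    print("machine ssl file:", check_file(b"".join(map(to_pem, chain))) or "OK")
    print("wrong order:     ", check_file(b"".join(map(to_pem, reversed(chain)))))
```

To check a real upload file, call check_file(open(path, "rb").read()) for the Machine SSL file and check_file(data, leaf_first=False) for the root-chain file. The order check compares raw issuer and subject Name encodings only; it does not verify signatures, so an empty result means the file is in the encoding and order the wizard expects, not that the chain is cryptographically valid.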

  • Refer to Add Custom Certificates Using the vSphere Client for more information.