Unable to configure the Certificate Authority (CA) in the VMware Cloud Foundation Operations 9.0 environment

Article ID: 423654

Products

VCF Operations

Issue/Introduction

Configuring a Certificate Authority for VCF Operations 9.0.x by following the documentation "Configure a Certificate Authority for VMware Cloud Foundation" fails with the error "Certificate Authorities update failed".
 
The following error is logged in /var/log/vrlcm/vmware_vrlcm.log:
YYYY-MM-DDTHH:MM:SS INFO vrlcm[1258] [http-nio-8080-exec-3] [c.v.v.l.c.a.InternalOnlyApiAspect]  -- Internal Only Check for: execution(ResponseEntity com.vmware.vrealize.lcm.locker.controller.CertificateAuthorityController.validateCA(MSCAConfigDTO,String))
YYYY-MM-DDTHH:MM:SS ERROR vrlcm[1258] [http-nio-8080-exec-3] [c.v.v.l.l.c.MSCARestClient]  -- Exception occurred while trying to validate Microsoft CA org.springframework.web.client.HttpClientErrorException$Unauthorized: 401 Unauthorized: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><EOL><EOL><html xmlns="http://www.w3.org/1999/xhtml"><EOL><EOL><head><EOL><EOL>401 - Unauthorized: Access is denied due to invalid credentials.</title><EOL><EOL><style>
 
Error in certificate authority configuration appears as below: 
 

Environment

VMware Cloud Foundation Operations 9.0.x
VMware Cloud Foundation Fleet Manager 9.0.x

Cause

Basic Authentication is not enabled on the Microsoft CA's web enrollment services (CertSrv).

Resolution

Enable Basic Authentication on the Microsoft Certificate Authority and restart the IIS service, as follows:
  1. Enable the Basic Authentication setting on the Microsoft CA server.
  2. Log in to the Active Directory server as an administrator by using a Remote Desktop Protocol (RDP) client.
  3. Add Basic Authentication to the Web Server (IIS).
    1. Click Start > Run, enter ServerManager, and click OK.
    2. From the Dashboard, click Add roles and features to start the Add Roles and Features wizard.
    3. On the Before you begin page, click Next.
    4. On the Select installation type page, click Next.
    5. On the Select destination server page, click Next.
    6. On the Select server roles page, under Web Server (IIS) > Web Server > Security, select Basic Authentication and click Next.
    7. On the Select features page, click Next.
    8. On the Confirm installation selections page, click Install.
  4. Configure the certificate service template and CertSrv web site for Basic Authentication.
    1. Click Start > Run, enter Inetmgr.exe and click OK to open the Internet Information Services Application Server Manager.
    2. Navigate to your_server > Sites > Default Web Site > CertSrv.
    3. Under IIS, double-click Authentication.
    4. On the Authentication page, right-click Basic Authentication and click Enable.
    5. In the navigation pane, select Default Web Site.
    6. In the Actions pane, under Manage Website, click Restart for the changes to take effect.
  5. After enabling Basic Authentication, restart Internet Information Services (IIS) on the CA server.
    1. Open IIS Manager. You can find it in Control Panel > System and Security > Administrative Tools > Internet Information Services (IIS) Manager, or by typing inetmgr in the Run prompt (Windows Key + R).
    2. In the Connections pane on the left, select your server node (the top level in the tree).
    3. In the Actions pane on the right, under "Manage Server", click Restart.
  6. To confirm the changes are applied, run the following command: curl -k -u "username@domain" -I https://<ca-fqdn>/certsrv/
  7. The response should return HTTP/1.1 200 OK.
Note: Microsoft Certificate Authority and IIS must be installed on the same server.
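
To tell whether CertSrv is offering Basic Authentication at all, separately from whether the credentials are valid, the headers returned by the curl -I check in step 6 can be classified by their WWW-Authenticate challenges. This is an added example, not part of the original article or of any VMware tooling; the helper name classify_certsrv, its result labels and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): classify the headers printed by
#   curl -k -I https://<ca-fqdn>/certsrv/
# classify_certsrv is a hypothetical helper; it reads headers on stdin and prints:
#   ok                - final status 200
#   basic-not-offered - 401 with no "WWW-Authenticate: Basic" challenge (the cause above)
#   basic-offered     - 401 with a Basic challenge (credentials missing or rejected)
#   unexpected        - any other status
classify_certsrv() {
    awk '
        { sub(/\r$/, "") }                    # HTTP headers end in CRLF
        /^HTTP\// { status = $2; basic = 0 }  # keep only the last response block
        tolower($0) ~ /^www-authenticate:[ \t]*basic/ { basic = 1 }
        END {
            if (status == "200")      print "ok"
            else if (status != "401") print "unexpected"
            else if (basic)           print "basic-offered"
            else                      print "basic-not-offered"
        }'
}

# Constructed sample: CertSrv with only Windows authentication enabled.
SAMPLE_NO_BASIC='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
'

# Constructed sample: the same site after Basic Authentication is enabled.
SAMPLE_BASIC='HTTP/1.1 401 Unauthorized
Server: Microsoft-IIS/10.0
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="ca.example.test"
'

if [ "$#" -ge 1 ]; then
    # Live check without credentials: only the challenge headers are inspected.
    curl -sS -k -I "https://$1/certsrv/" | classify_certsrv
else
    printf '%s' "$SAMPLE_NO_BASIC" | classify_certsrv   # basic-not-offered
    printf '%s' "$SAMPLE_BASIC" | classify_certsrv      # basic-offered
fi
```

Run with the CA's FQDN as the only argument to probe a live server, or with no arguments to classify the constructed samples.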

Additional Information