Linking vCenter Servers using cmsso-util fails with error Pre-checks failed - The SSL certificate of STS service cannot be verified against the list of client-trusted certificates.

Article ID: 424872

Products

VMware vCenter Server

Issue/Introduction

  • Configuring linked mode using cmsso-util on vCenter Server fails with the error "Pre-checks failed":

    License Pre-Check             … Done
    Starting Authz Data export    … Failed
    Conflict data, if any, can be found under /storage/domain-data/Conflict*.json
    Pre-checks failed.

  • The domain repoint operation logs show entries like the following:

    /var/log/vmware/cloudvm/cmsso_util.log

    YYYY-MM-DDTHH:MM:SS.##Z INFO cmsso_util Failed executing <cis.component_data.DcComponentsPreCheck object at 0x7f69b6b132b0>

    YYYY-MM-DDTHH:MM:SS.##Z ERROR cmsso_util Failed to run pre-checks for domain consolidation.
    YYYY-MM-DDTHH:MM:SS.##Z INFO cmsso_util Cleaning up the temp directories

    /var/log/vmware/cloudvm/domain_consolidator.log

    YYYY-MM-DDTHH:MM:SS.###Z INFO domain_consolidator Starting Authz Data export
    YYYY-MM-DDTHH:MM:SS.###Z INFO domain_consolidator RC = 1
    Stderr = Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M -Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true     -Dorg.apache.xml.security.ignoreLineBreaks=true
    Exception in thread "main" java.lang.Exception: QueryClient creation failed for <VC_FQDN>. Check 'domain_data_export.log'
            at com.vmware.vim.dataservices.ExportAuthzData.main(ExportAuthzData.java:235)
    YYYY-MM-DDTHH:MM:SS.###Z INFO domain_consolidator Export of authz failed

    /var/log/vmware/cloudvm/domain_data_export.log

    DD.MM.YYYY HH:MM:SS, ### [main [] DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId-]- The SSL certificate of STS service cannot be verified against the list of client-trusted certificates
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456) ~[?:1.8.0_452]

Environment

  • vCenter Server 8.x

Cause

This issue occurs when the Machine SSL certificate of a vCenter Server differs from the certificate stored in the Lookup Service (trust anchor mismatch).
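
The mismatch described above can be pictured as a byte-for-byte comparison between the node's current Machine SSL certificate and the trust anchor stored with each of that node's service registrations. The following is an added example, not VMware's code and not how lsdoctor is implemented; the record shape, service labels, hostnames and certificate bytes are constructed assumptions.

```python
import base64
import hashlib
import ssl
from urllib.parse import urlsplit

def thumbprint(der: bytes) -> str:
    """SHA-256 thumbprint of DER bytes as colon-separated upper-case hex."""
    h = hashlib.sha256(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def stale_trust_anchors(machine_ssl_pem, node_fqdn, registrations):
    """List (service, url, thumbprint) for endpoints on node_fqdn whose stored
    trust anchor differs from the node's current Machine SSL certificate."""
    current = thumbprint(ssl.PEM_cert_to_DER_cert(machine_ssl_pem.strip()))
    stale = []
    for reg in registrations:
        host = (urlsplit(reg["url"]).hostname or "").lower()
        if host != node_fqdn.lower():
            continue  # another node's endpoint: compare it to that node's cert
        try:
            anchor = thumbprint(base64.b64decode(reg["ssl_trust"], validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            anchor = "UNPARSEABLE"
        if anchor != current:
            stale.append((reg["service"], reg["url"], anchor))
    return stale

# Constructed stand-in bytes, not real certificates: the check only compares
# the stored bytes with the current certificate's bytes.
OLD_DER = b"constructed: Machine SSL certificate before replacement"
NEW_DER = b"constructed: current Machine SSL certificate"
PEER_DER = b"constructed: certificate of the partner vCenter"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(NEW_DER)
SAMPLE_REGS = [  # hypothetical record shape and hostnames
    {"service": "sts", "url": "https://vc01.example.test/sts",
     "ssl_trust": base64.b64encode(OLD_DER).decode()},
    {"service": "sdk", "url": "https://vc01.example.test/sdk",
     "ssl_trust": base64.b64encode(NEW_DER).decode()},
    {"service": "sdk", "url": "https://vc02.example.test/sdk",
     "ssl_trust": base64.b64encode(PEER_DER).decode()},
]

if __name__ == "__main__":
    for service, url, anchor in stale_trust_anchors(
            SAMPLE_PEM, "vc01.example.test", SAMPLE_REGS):
        print(f"STALE {service} {url} anchor={anchor}")
```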

Resolution

Correct the SSL trust anchor mismatch in the Lookup Service using the "lsdoctor" utility. Refer to the KB article Using the 'lsdoctor' Tool.

  1. Copy the lsdoctor utility to the vCenter Server.
  2. Log in to the vCenter Server as root using SSH.
  3. Run the "lsdoctor --trustfix" command to correct the trust mismatch.

    lsdoctor --trustfix

  4. Retry the Domain Repoint operation using cmsso-util.