New WLD deployment failing with "Failed to get the SDDC Local Certificate Chain from certificate management"


Article ID: 427259


Products

VMware SDDC Manager

Issue/Introduction

After adding an Active Directory Certificate Authority (AD CS) to SDDC Manager and replacing the certificates with ones it issued, deployment of a new Workload Domain (WLD) fails during certificate validation. The task fails with the following error in the UI:

Failed to get the SDDC Local Certificate Chain from certificate management

In the vcf-commonsvcs.log file on SDDC Manager, an error similar to the following is logged (timestamps and the SDDC Manager FQDN are masked):

####-##-##T##:##:##.###+0000 INFO  [common,696eba49494a0115d9041ada4d9a3978,3e9a] [c.v.e.s.s.tools.cert.CertificateUtil,http-nio-127.0.0.1-7100-exec-62] In getSubjectAltNames <sddc-mgmt-fqdn>
####-##-##T##:##:##.###+0000 ERROR [common,696eba49494a0115d9041ada4d9a3978,3e9a] [c.v.e.s.a.u.a.r.CertificateController,http-nio-127.0.0.1-7100-exec-62] Internal service error
java.lang.ClassCastException: class org.bouncycastle.jcajce.provider.ProvECPublicKey cannot be cast to class java.security.interfaces.RSAPublicKey (org.bouncycastle.jcajce.provider.ProvECPublicKey is in unnamed module of loader 'app'; java.security.interfaces.RSAPublicKey is in module java.base of loader 'bootstrap')

####-##-##T##:##:##.###+0000 ERROR [common,696eba49494a0115d9041ada4d9a3978,3e9a] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7100-exec-62] [AOB2RE] APPLIANCE_INTERNAL_SERVER_ERROR Appliance utilities internal server error
com.vmware.evo.sddc.appliance.utilities.error.ApplianceException: Appliance utilities internal server error
        at com.vmware.evo.sddc.appliance.utilities.api.rest.CertificateController.getLocalCertificateChain(CertificateController.java:122)

Caused by: java.lang.ClassCastException: class org.bouncycastle.jcajce.provider.ProvECPublicKey cannot be cast to class java.security.interfaces.RSAPublicKey (org.bouncycastle.jcajce.provider.ProvECPublicKey is in unnamed module of loader 'app'; java.security.interfaces.RSAPublicKey is in module java.base of loader 'bootstrap')

Environment

VCF 9.0.1

Cause

EC-based (ECDSA) certificates are not supported across the full VCF stack. The certificate utility in SDDC Manager assumes that every public key in the SDDC local certificate chain is RSA and casts it to java.security.interfaces.RSAPublicKey. When the chain contains a certificate with an EC key (in this case the Active Directory root CA, which uses a P-384 key), that cast fails with the ClassCastException shown above, getLocalCertificateChain returns an internal server error, and the WLD deployment task reports "Failed to get the SDDC Local Certificate Chain from certificate management".

To confirm, inspect each certificate in the chain (for example with openssl x509 -noout -text) and check both the Signature Algorithm and the Public Key Algorithm. An EC-based root CA looks like this:

Signature Algorithm: ecdsa-with-SHA384
Issuer: CN=######-ROOT-CA
Validity
    Not Before: MO DY ##:##:## YEAR GMT
    Not After : MO DY ##:##:## YEAR GMT
Subject: CN=######-ROOT-CA
Subject Public Key Info:
    Public Key Algorithm: id-ecPublicKey
        Public-Key: (384 bit)
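
The openssl excerpt above shows a single certificate. The script below, added here as an example for this article (it is not VMware tooling and not the validation SDDC Manager itself performs), walks an entire PEM chain bundle and flags any certificate whose signature algorithm or public key algorithm is EC-based. That is exactly the condition the replacement chain must not meet, so it serves both as the confirmation step here and as a pre-import check on the new chain before the certificate replacement described under Resolution. It assumes only that the openssl CLI is on PATH. The make_demo_chain helper builds constructed sample certificates (an EC P-384 root and an RSA-keyed leaf signed by it, mirroring the AD CS layout above, plus an all-RSA control chain) so the script runs offline; in practice, point check_chain_for_ec at the real exported chain.

```shell
#!/bin/sh
# check_chain_for_ec.sh: flag EC (ECDSA) certificates anywhere in a PEM chain.
# Added example for this KB article, not VMware or SDDC Manager code.
# Assumes the openssl CLI is on PATH. POSIX sh; no bash-isms.
#
# Usage: check_chain_for_ec /path/to/chain.pem
#   Prints one line per certificate; returns 1 if any cert is EC-based, 0 if all RSA.

check_chain_for_ec() {
    bundle="$1"
    tmp=$(mktemp -d)
    # Split the bundle into one file per certificate (zero-padded so the
    # glob below keeps leaf -> intermediate -> root order).
    awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%03d.pem", d, n) }
        n > 0 { print > f }' "$bundle"
    found=0
    for c in "$tmp"/cert*.pem; do
        [ -f "$c" ] || continue
        text=$(openssl x509 -in "$c" -noout -text)
        subject=$(printf '%s\n' "$text" | awk '/^ *Subject:/ { sub(/^ *Subject: /, ""); print; exit }')
        # "Signature Algorithm" describes the ISSUER's key (how this cert was signed);
        # "Public Key Algorithm" describes THIS cert's own key. Either one being EC
        # means an EC key sits somewhere in the chain, which VCF 9.0.1 does not support.
        sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ { print $3; exit }')
        keyalg=$(printf '%s\n' "$text" | awk '/Public Key Algorithm:/ { print $4; exit }')
        verdict=ok
        case "$sigalg $keyalg" in
            *ecdsa*|*ecPublicKey*) verdict=EC-UNSUPPORTED; found=1 ;;
        esac
        printf '%-14s sig=%-24s key=%-16s %s\n' "$verdict" "$sigalg" "$keyalg" "$subject"
    done
    rm -rf "$tmp"
    return "$found"
}

# make_demo_chain DIR ec|rsa: builds a CONSTRUCTED two-certificate chain for
# demonstration only: a root CA with the requested key type and an RSA-keyed
# leaf signed by it with SHA-384. With "ec" this mirrors the AD CS layout in the
# article (P-384 root, ecdsa-with-SHA384 signatures). Writes DIR/chain.pem
# in leaf-then-root order.
make_demo_chain() {
    d="$1"; roottype="$2"
    mkdir -p "$d"
    if [ "$roottype" = ec ]; then
        keyopt="-newkey ec -pkeyopt ec_paramgen_curve:secp384r1"
    else
        keyopt="-newkey rsa:2048"
    fi
    # $keyopt is intentionally unquoted so it splits into separate arguments.
    openssl req -x509 $keyopt -sha384 -nodes -days 1 -subj "/CN=DEMO-$roottype-ROOT-CA" \
        -keyout "$d/root.key" -out "$d/root.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sddc-manager.demo.local" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -sha384 -days 1 -out "$d/leaf.pem" >/dev/null 2>&1
    cat "$d/leaf.pem" "$d/root.pem" > "$d/chain.pem"
}

# Stand-alone demo: the EC-rooted chain is flagged, the all-RSA chain passes.
demo=$(mktemp -d)
make_demo_chain "$demo/ec" ec
make_demo_chain "$demo/rsa" rsa
echo "== EC-rooted chain (reproduces the condition in this article)"
check_chain_for_ec "$demo/ec/chain.pem" || echo "-> EC present: replace the chain before deploying the WLD"
echo "== All-RSA chain"
check_chain_for_ec "$demo/rsa/chain.pem" && echo "-> clean"
rm -rf "$demo"
```

Note that in the EC-rooted demo chain the leaf itself has an RSA key yet is still flagged, because its Signature Algorithm is ecdsa-with-SHA384: an RSA leaf issued by an EC CA still puts an EC key in the chain that SDDC Manager has to parse. The whole chain, root and any intermediates included, has to be RSA.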
Resolution

To resolve this issue, replace the current certificates with new certificates whose chain does not contain an EC-based (ECDSA) certificate at any level: leaf, intermediate, or root. In practice this means issuing the certificates from a CA hierarchy whose root and any subordinate CAs use RSA keys and RSA signatures, since SDDC Manager expects RSA public keys throughout the chain.

For the certificate replacement procedure, see Managing Certificates in VMware Cloud Foundation in the VCF 9 certificate management documentation.

Support for EC-based certificates is planned for a future release of VCF. 

Additional Information

Importing custom SSL certificates into vCenter fails with an error "Certificate uses unsupported signature algorithm - ecdsa-with-SHA256"

vSphere Certificate Requirements for Different Solution Paths