vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0

Article ID: 322261


Products

VMware Aria Suite, VMware Live Recovery, VMware vCenter Server, VMware vSphere ESXi, VMware Integrated OpenStack, VMware NSX

Issue/Introduction

Some solutions, such as VMware vCenter Site Recovery Manager, VMware vSphere Replication, or VMware vCenter Support Assistant might be installed on a different machine than the vCenter Server system or Platform Services Controller.
 

If you replace the Machine SSL certificate on the vCenter Server or the Platform Services Controller, such a solution fails with a connection error the next time it connects to the vCenter Server or Platform Services Controller. The reason is that the vCenter Server system and the Platform Services Controller present the new certificate, but the corresponding service registrations in the VMware Lookup Service are not updated. When a solution connects to vCenter Server or the Platform Services Controller, it reads the service registration, which includes the service URL and the sslTrust string, and validates the certificate the endpoint presents against that sslTrust value. By default, the sslTrust string still holds the Base64-encoded old certificate even after a successful certificate replacement, so the check fails.
 
The following errors are observed when you attempt to connect to the vCenter Server or the Platform Services Controller:
  • vSphere Replication

    Unable to obtain SSL certificate: The vCenter Server vCenter_FQDN is not correctly registered in LookupService
     
  • vRealize Orchestrator

    vSphere Authentication configuration fails with error Failed with error : Error ! An error occurred while retrieving the Single Sign-On token from; https://vCenter/lookupservice/sdk

    In the controlcenter.log, you see entries similar to:


    2017-06-20 10:29:53.766+0000 [https-jsse-nio-8283-exec-2] WARN [SiteAffinityServerEndpointProvider] CDC not configured java.lang.NoClassDefFoundError: com/vmware/identity/cdc/CdcFactory
    2017-06-20 10:29:53.776+0000 [https-jsse-nio-8283-exec-2] ERROR [ConfigureAuthProvider] [########-23b0-4cb9-9583-############] Register authentication error: authentication: Authentication: state = CONNECTED, url =
    https://##.##.##.##/lookupservice/sdk , certificateAlias = vco.vsphere.lookup-service.ssl.certificate, username = [email protected] , password = ******, importCertificates = false, configureLicences = true, certificate = [TrustedEntity [id=vco.vsphere.lookup-service.ssl.certificate, [## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##], TrustedEntity [id=imported:3351b814-6d13-44a5-8
    e84-4b99d38ad917, [## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##], TrustedEntity [id=imported:7251f30f-####-####-####-4a836890c6f0, [## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##]
    ]], service provider host =
    https://##.##.###.###:8283 Sso Authentication: ssoUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6 , stsUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6 , adminUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@2df8d253 , ssoSslAlias = vco.sso.ssl.certificate, authenticationTokenType = saml, clientId = null, clientSecret = , adminGroup = null, adminGroupDomain = null, defaultTenant = vsphere.local, ssoClockTolerance = 300, tokenLifetimeInSeconds = 7776000, ssoTokenRenewCount = 5
    com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match
    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.execute(VmomiClientCommand.java:112)
    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringNoDomainError(VmomiClientCommand.java:217)
    at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.createServiceContent(AdminClientImpl.java:334)


     
  • vCenter Site Recovery Manager

    SRM server with GUID GUID_of_vCenter not paired.
    Failed to connect to vCenter Server at vCenter_FQDN:443/sdk. Reason:
    com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified.

     
  • VMware NSX for vSphere (NSX-v)

    NSX Management Service operation failed.(Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified)
     
  • VMware Integrated OpenStack

    Connection failed!
    Please check whether the server has enabled SSO from management server log at:/installer.log.


    In the VMware Integrated OpenStack installer.log file, you see entries similar to:

    [2015-04-10 14:49:18,848 main ERROR com.vmware.vim.install.impl.AdminServiceAccess] com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    [2015-04-10 14:49:18,849 main DEBUG com.vmware.vim.install.impl.AdminServiceAccess]
    com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified

     
  • VMware vCenter Support Assistant

    Something failed. Try Again.
    com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    Server certificate chain not verified
    peer not authenticated

     
  • VMware Customer Experience Improvement Program

    The vSphere Web Client reports:

    Error occurred while processing request. Check vSphere WebClient logs for details.

    The vsphere_client_virgo.log reports an error similar to:

    [2015-10-07T13:08:41.001Z] [ERROR] http-bio-9090-exec-3 70000101 100009 200004 com.vmware.vsphere.client.ceip.impl.CeipServiceImpl Error occurred in showNotification. com.vmware.vim.binding.vmodl.fault.SystemError: Internal server error.

    For more information on log locations, see Location of VMware vCenter Server 6.0 log files (2110014).

    Note: The preceding log excerpts are only examples. Dates, times, host names, and other environment-specific values vary depending on your environment.
The problem occurs in any of these situations:
  • You replace the machine SSL certificate on an embedded deployment.
  • You replace the machine SSL certificate on the Platform Services Controller in an installation with an external Platform Services Controller.
  • You replace the machine SSL certificate on a vCenter Server system in an installation with an external Platform Services Controller.



Environment

VMware vCenter Support Assistant 6.0.x
VMware vCenter Site Recovery Manager 6.0.x
VMware vCenter Server 6.0.x
VMware NSX for vSphere 6.1.x
VMware vSphere Replication 6.0.x
VMware vCenter Server Appliance 6.0.x
VMware Integrated OpenStack 1.0.x

Resolution

Notes:
  • Installing vCenter Server 6.0 Update 1b on a system that is already affected does not resolve the issue until you replace the certificates again.
  • vCenter Server 6.0 Update 1b resolves the issue for certificate replacement with the Certificate Manager utility. It does not resolve the issue for certificate replacement from the Platform Services Controller UI.
 
If you replaced the certificates from the Platform Services Controller UI, resolve the issue by running the ls_update_certs script on the Platform Services Controller. With external solutions, certificate replacement proceeds as follows:
  • Before replacing anything, extract the old Machine SSL certificate from your vCenter Server system or Platform Services Controller and keep it for later use; the script needs it to find the stale registrations.
  • Perform the certificate replacement, either by using the Certificate Manager utility or by running the certificate management CLI commands.
  • Run the ls_update_certs script, passing in the old certificate and the new certificate, so that every service registration whose sslTrust still carries the old certificate is rewritten with the new one.
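The following Python is an added example, not part of this article and not VMware's ls_update_certs script. It models the registration check described in the Issue section and the three-step repair listed above: a registration whose sslTrust still holds the old certificate rejects the new Machine SSL certificate with the "thumbprint doesn't match" condition, the repair rewrites every sslTrust entry keyed on the old certificate's SHA-1 fingerprint, and a final pass confirms no stale entry remains. Service IDs, URLs and all certificate bytes are constructed stand-ins; the real script talks to the Lookup Service, this model operates on in-memory registrations.

```python
"""Added example (not VMware code): why solutions fail after a Machine SSL
certificate replacement, and what the ls_update_certs step has to fix.
All certificate bytes below are constructed stand-ins; only the thumbprint
arithmetic is real."""
import base64
import hashlib
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ServiceRegistration:
    """The two fields of a Lookup Service registration that matter here."""
    service_id: str
    url: str
    ssl_trust: List[str]  # Base64-encoded DER certificates


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint as colon-separated uppercase hex, the form the vSphere
    tools print (and the form `openssl x509 -sha1 -fingerprint` prints)."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def thumbprint_of_ssl_trust(entry: str) -> str:
    return thumbprint(base64.b64decode(entry))


def check_endpoint(reg: ServiceRegistration, presented_der: bytes) -> Tuple[bool, str]:
    """Solution-side check: accept only if the presented certificate's thumbprint
    equals one recorded in sslTrust. Mirrors the article's error text."""
    presented = thumbprint(presented_der)
    trusted = [thumbprint_of_ssl_trust(e) for e in reg.ssl_trust]
    if presented in trusted:
        return True, f"{reg.url}: certificate {presented} matches sslTrust"
    return False, (f"{reg.url}: Server certificate chain is not trusted and thumbprint "
                   f"doesn't match (presented {presented}, registered {trusted})")


def stale_registrations(regs: List[ServiceRegistration], old_fingerprint: str) -> List[str]:
    """IDs of registrations whose sslTrust still carries the old certificate."""
    return [r.service_id for r in regs
            if any(thumbprint_of_ssl_trust(e) == old_fingerprint for e in r.ssl_trust)]


def update_ssl_trust(regs: List[ServiceRegistration], old_fingerprint: str,
                     new_der: bytes) -> List[str]:
    """The repair, conceptually: every sslTrust entry whose thumbprint equals the
    OLD fingerprint is replaced with the NEW certificate; entries for unrelated
    certificates are left alone. Returns the IDs that were rewritten."""
    new_entry = base64.b64encode(new_der).decode("ascii")
    rewritten: List[str] = []
    for reg in regs:
        for i, entry in enumerate(reg.ssl_trust):
            if thumbprint_of_ssl_trust(entry) == old_fingerprint:
                reg.ssl_trust[i] = new_entry
                if reg.service_id not in rewritten:
                    rewritten.append(reg.service_id)
    return rewritten


# Constructed sample data (not real certificates): real DER starts with 0x30 0x82,
# the rest is placeholder text so the example runs without any key material.
OLD_MACHINE_SSL_DER = b"\x30\x82constructed-old-machine-ssl-cert-psc.example.local"
NEW_MACHINE_SSL_DER = b"\x30\x82constructed-new-machine-ssl-cert-psc.example.local"
OTHER_SERVICE_DER = b"\x30\x82constructed-unrelated-service-cert"


def build_registrations() -> List[ServiceRegistration]:
    """State right after the replacement: the endpoints now present
    NEW_MACHINE_SSL_DER, but sslTrust in the registrations still says OLD."""
    old_b64 = base64.b64encode(OLD_MACHINE_SSL_DER).decode("ascii")
    other_b64 = base64.b64encode(OTHER_SERVICE_DER).decode("ascii")
    return [
        ServiceRegistration("vcenterserver", "https://vc.example.local:443/sdk", [old_b64]),
        ServiceRegistration("sso:sts", "https://psc.example.local/sts/STSService", [old_b64]),
        ServiceRegistration("other", "https://psc.example.local/other", [other_b64]),
    ]


def repair_and_verify() -> dict:
    """Failing check, repair keyed on the OLD fingerprint, passing check, and a
    confirmation that no registration still carries the old certificate."""
    regs = build_registrations()
    old_fp = thumbprint(OLD_MACHINE_SSL_DER)  # step 1: taken from the old cert BEFORE replacement
    before_ok, before_msg = check_endpoint(regs[0], NEW_MACHINE_SSL_DER)
    rewritten = update_ssl_trust(regs, old_fp, NEW_MACHINE_SSL_DER)  # step 3
    after_ok, after_msg = check_endpoint(regs[0], NEW_MACHINE_SSL_DER)
    return {
        "before_ok": before_ok, "before_msg": before_msg,
        "rewritten": rewritten,
        "after_ok": after_ok, "after_msg": after_msg,
        "still_stale": stale_registrations(regs, old_fp),
        "other_untouched": thumbprint_of_ssl_trust(regs[2].ssl_trust[0]) == thumbprint(OTHER_SERVICE_DER),
    }


if __name__ == "__main__":
    for key, value in repair_and_verify().items():
        print(f"{key}: {value}")
```

The model makes the ordering of the procedure concrete: the repair is keyed on the fingerprint of the certificate that is being retired, so if you replace the Machine SSL certificate first and only then look for the old one, you have nothing to key on. On a real system the same colon-separated SHA-1 value comes from `openssl x509 -noout -sha1 -fingerprint -in old_machine_ssl.crt` run against the certificate you exported in step 1. The `stale_registrations` pass is the check worth running after the script: any registration it still lists will keep producing the "Server certificate chain not verified" errors quoted above.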