"error 2 at 1 depth lookup: unable to get issuer certificate." while replacing the certificates

Article ID: 320211

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Issue while replacing the certificates for vCenter.
  • Running the certificate-manager to change the certificates fails with an error:
error 2 at 1 depth lookup: unable to get issuer certificate at 0 %
  • In the certificate-manager.log file, you see entries similar to:

2017-08-24T11:53:04.450Z INFO certificate-manager Command executed successfully
2017-08-24T11:53:04.450Z INFO certificate-manager Certificate backup created successfully
2017-08-24T11:53:04.451Z INFO certificate-manager Running command :- ['D:\\Program Files\\VMware\\vCenter Server\\/openSSL/openssl.exe', 'verify', '-CAfile', 'D:\\CSR\\Vcenter_certificate2\\ROOT.cer', 'D:\\CSR\\Vcenter_certificate2\\Machine_SSL.cer']
2017-08-24T11:53:04.540Z INFO certificate-manager Command output :-
D:\CSR\Vcenter_certificate2\Machine_SSL.cer: DC = group, DC = essilor, DC = asia, CN = asia-SGDC1CERT001P-IssuingCA
error 2 at 1 depth lookup:unable to get issuer certificate

2017-08-24T11:53:04.543Z ERROR certificate-manager D:\CSR\Vcenter_certificate2\Machine_SSL.cer: DC = group, DC = essilor, DC = asia, CN = asia-SGDC1CERT001P-IssuingCA
error 2 at 1 depth lookup:unable to get issuer certificate


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.



Environment

VMware vCenter Server Appliance 6.7.x
VMware vCenter Server Appliance 6.5.x

Resolution

To resolve this issue:
 
  • Check that the certificate chain file is complete and contains the full chain, ordered from the intermediate closest to the machine SSL certificate down to the root, similar to the following:
-----BEGIN CERTIFICATE-----
[SECONDARY INTERMEDIATE CERTIFICATE]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[PRIMARY INTERMEDIATE CERTIFICATE]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[ROOT CERTIFICATE]
-----END CERTIFICATE-----
  • Use openssl to double-check the Issuer and Subject fields of each certificate in the chain. Save each PEM block to its own file (the file names below are placeholders) and run:
openssl x509 -in secondary_intermediate.cer -noout -subject -issuer
openssl x509 -in primary_intermediate.cer -noout -subject -issuer
openssl x509 -in root.cer -noout -subject -issuer
*Remember to change the file names in the commands to reflect your environment.
  • For the "SECONDARY INTERMEDIATE CERTIFICATE", the Issuer should be the Subject of the "PRIMARY INTERMEDIATE CERTIFICATE".
  • For the "PRIMARY INTERMEDIATE CERTIFICATE", the Issuer should be the Subject of the "ROOT CERTIFICATE".
  • For the "ROOT CERTIFICATE", the Issuer should be the Subject of the "ROOT CERTIFICATE" itself (the root is self-signed).
  • If this is not the case, one or more certificates are missing from the chain and you should double-check the files received from the CA.
Note: In most cases, the intermediate certificate or the root CA certificate is the one that is missing.
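As an added example (not part of this KB article), the following Python script automates the Subject/Issuer check described above: it splits a chain file into its PEM blocks, asks openssl for each block's subject and issuer (assumes the openssl binary is on PATH), and reports the depth at which the chain is broken, mirroring the "at N depth lookup" wording in the error.

```python
"""Check that a PEM chain file is ordered intermediate -> ... -> self-signed root.

Subject/issuer values come from `openssl x509 -noout -subject -issuer`, so the
check matches what certificate-manager's `openssl verify` call expects.
"""
import re
import subprocess

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return each PEM certificate block in the order it appears in the file."""
    return PEM_RE.findall(text)


def parse_subject_issuer(openssl_output):
    """Parse the 'subject=...' and 'issuer=...' lines printed by openssl x509."""
    fields = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ("subject", "issuer"):
            fields[key.strip().lower()] = value.strip()
    return fields["subject"], fields["issuer"]


def subject_issuer_of(pem_block):
    """Ask openssl for one block's subject and issuer (assumes openssl on PATH)."""
    out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                         input=pem_block, capture_output=True, text=True, check=True).stdout
    return parse_subject_issuer(out)


def check_chain(pairs):
    """pairs: [(subject, issuer), ...] in chain-file order, depth 0 first.
    Returns a list of problems; empty means every issuer is present and the
    last certificate is a self-signed root."""
    if not pairs:
        return ["no certificates found in chain file"]
    problems = []
    for depth, ((_, issuer), (next_subj, _)) in enumerate(zip(pairs, pairs[1:])):
        if issuer != next_subj:
            problems.append(f"depth {depth}: issuer '{issuer}' is not the next subject "
                            f"'{next_subj}'; a certificate is missing")
    last_subj, last_issuer = pairs[-1]
    if last_subj != last_issuer:
        problems.append(f"depth {len(pairs) - 1}: last certificate is not self-signed "
                        f"(issuer '{last_issuer}'); root is missing")
    return problems


def check_chain_file(path):
    """Read a chain file and return the list of problems found (empty if complete)."""
    with open(path) as fh:
        blocks = split_pem_bundle(fh.read())
    return check_chain([subject_issuer_of(block) for block in blocks])
```

Run it as `check_chain_file("chain.pem")` against the chain file passed to certificate-manager; an empty result means the chain is complete and in order.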

Additional Information

"error 20 at 0 depth lookup:unable to get local issuer certificate"