"An error occurred while sending an authentication request to the PSC Single Sign-On server - null" while connecting to PSC Client after upgrading vCenter Server to 6.5
search cancel

"An error occurred while sending an authentication request to the PSC Single Sign-On server - null" while connecting to PSC Client after upgrading vCenter Server to 6.5

book

Article ID: 315295

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • After upgrading vCenter Server, connecting to the Platform Service Controller UI https://PSC-FQDN/PSC fails with the error:

HTTP Status 400 - An error occurred while sending an authentication request to the PSC Single Sign-On server - null

type Status report

message An error occurred while sending an authentication request to the PSC Single Sign-On server - null

description The request sent by the client was syntactically incorrect.



Environment

VMware vCenter Server 6.5.x

Cause

This HTTP Status 400 error occurs because the VECS store STS_INTERNAL_SSL_CERT copied over the certificate chain during an upgrade or possibly improper certificate replacement.

Resolution

To resolve the  HTTP Status 400 - An error occurred while sending an authentication request to the PSC Single Sign-On server - null issue, update the STS_INTERNAL_SSL_CERT to the leaf certificate from MACHINE_SSL_CERT certificate store.

To update the STS_INTERNAL_SSL_CERT to the leaf certificate:

  1. Validation:​​​​
    1. Check the STS_INTERNAL_SSL_CERT store. This should be a single leaf certificate. If the store contains the chain certificate or an invalid certificate, this will need to be corrected.
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store STS_INTERNAL_SSL_CERT
 
  1. Backup:
    1. ​​Export the certificate from MACHINE_SSL_CERT store.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getcert.txt
  1. Export the private key from MACHINE_SSL_CERT store.

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getkey.txt
 

  1. Copy certificate leaf:​
    1. The certificate leaf is the top most certificate of the chain file. Use preferred text editor to the first certificate denoted by and including -----BEGIN CERTIFICATE----- -----END CERTIFICATE-----. Save this to the file leaf_MACHINE_CERT.pem.
    2. Validate the certificate is correct.
openssl x509 -in ~/leaf_MACHINE_CERT.pem -noout -text
  1. Validate public keys are matching using openssl.

openssl pkey -in ~/entry__MACHINE_CERT-getkey.txt -pubout -outform pem | sha256sum

openssl x509 -in ~/leaf_MACHINE_CERT.pem -pubkey -noout -outform pem | sha256sum

If validation is correct proceed, else troubleshoot any errors and mismatches regenerating certificates as needed.
  1. Recreate the entry in the VECS store:
    1. Create backup of ​​STS_INTERNAL_SSL_CERT and Delete the existing entry.​​
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output ~/sts_internal_Cert_backup.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output ~/sts_internal_Cert_backup.key

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT
  1. Create a new entry of the same name pointing to the same key (from step 2.b) and leaf certificate (from step 3.a).

/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert ~/leaf_MACHINE_CERT.pem --key entry__MACHINE_CERT-getkey.txt

  1. Stop and start all services (Alternative reboot VCSA)

service-control --stop --all

service-control --start --all 

 

Powered by Wolken Software