Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5
Article ID: 320208

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Log in attempts using the vSphere Web Client fail with the error:

    Failed to connect to VMware Lookup Service https://server.domain.com:7444/lookupservice/sdk - SSL certificate verification failed
     
  • The ds.log file in the Inventory Service log contains entries similar to:

    [YYYY-01-23 00:46:08,853 tomcat-exec-35 INFO com.vmware.vim.query.server.servlets.QueryServlet] Received new query request from 10.10.1.49
    [YYYY-01-23 00:46:12,413 pool-8-thread-1 WARN com.vmware.vim.dataservices.ssoauthentication.impl.CertificateProviderImpl] Failed to retrieve trusted root certificates. Retrying in 10s
    .
    ..Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched...Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <VMVCSA2.firstontario.com> != <"ssoserver> OR <10.10.1.49>
  • The webclient log contains entries similar to:

    YYYY-MM-DD 13:18:17.618] [ERROR] http-bio-9443-exec-7 com.vmware.vise.vim.lookup.impl.LookupServiceImpl Error when creating lookup service com.vmware.vim
    .vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched
  • You cannot use the Management Interface of the Appliance under https://vCenterFQDN:5480/ to set the server to allow regeneration of the certificates.

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vCenter Server Appliance 5.5.x
VMware vCenter Server Appliance 5.1.x

Resolution

To resolve this issue, manually regenerate the certificates in the vCenter Virtual Appliance. Recreating the certificates from the command line clears the error messages when the appliance is unable to recreate them through the Management Interface.
 
To regenerate certificates:
 
Note: Take a snapshot of the virtual machine before proceeding.
  1. Ensure that the customer's FQDN, DNS, IP address, and all other network configuration are correct. Run this VAMI script:

    /opt/vmware/share/vami/vami_config_net

    Note: This brings up a command-line utility to check the network configuration.
     
  2. Create a file called allow_regeneration by running this command:

    touch /etc/vmware-vpx/ssl/allow_regeneration
     
  3. Stop the VPXD service by running this command:

    service vmware-vpxd stop
     
  4. Stop the vCenter Single Sign-On service by running the commands:
     
    • For vCenter Server 5.5: service vmware-sts-idmd stop
    • For vCenter Server 5.1: service vmware-sso stop
       
  5. Regenerate the SSL certificate by running the command:

    source vpxd_commonutils; generate_all_certificates replace
     
  6. Remove the regeneration flag by removing the allow_regeneration file:

    rm /etc/vmware-vpx/ssl/allow_regeneration
     
  7. Reboot the vCenter Appliance.
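The seven steps above, wrapped in a small POSIX shell script as an added example (this is not code from the KB article or from VMware). It adds two things a practitioner wants before touching the appliance: a pre-flight check that the name the appliance reports for itself equals the FQDN users connect to, because the symptom in the ds.log excerpt is exactly a certificate issued for the wrong name, and a dry-run mode that prints the commands instead of executing them. The function names, the DRY_RUN, REGEN_VERSION, REGEN_FQDN and REGEN_REPORTED_FQDN variables, and the rui.crt path used in the post-reboot check are this example's own assumptions, not something the article states.

```shell
#!/bin/sh
# Added example, not from the KB: the article's manual steps with a pre-flight
# FQDN check and a dry-run mode. Variable and function names are assumptions.

SSL_DIR=/etc/vmware-vpx/ssl
FLAG="$SSL_DIR/allow_regeneration"

# Step 4 of the KB: the SSO service name differs between 5.1 and 5.5.
sso_service_for() {
  case "$1" in
    5.5*) echo vmware-sts-idmd ;;
    5.1*) echo vmware-sso ;;
    *)    echo "unsupported vCenter version: $1" >&2; return 1 ;;
  esac
}

# Steps 2-7 as an ordered command list. Printing the list is the dry run;
# executing it line by line is the live run.
regen_commands() {
  sso=$(sso_service_for "$1") || return 1
  printf '%s\n' \
    "touch $FLAG" \
    "service vmware-vpxd stop" \
    "service $sso stop" \
    "bash -c 'source vpxd_commonutils; generate_all_certificates replace'" \
    "rm -f $FLAG" \
    "reboot"
}

# Step 1 reduced to a check: the name the appliance resolves for itself must
# equal the FQDN the certificate will be issued for; otherwise the regenerated
# certificate reproduces the "hostname in certificate didn't match" error.
fqdn_matches() {   # $1 = expected FQDN, $2 = name the host reports
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Post-reboot check (assumption: the vpxd certificate is $SSL_DIR/rui.crt):
# confirm the new certificate's CN is the FQDN the Web Client will look up.
cert_cn_matches() {   # $1 = certificate path, $2 = expected FQDN
  openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -q "CN *= *$2"
}

# $1 = vCenter version, $2 = FQDN users connect to.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them.
# REGEN_REPORTED_FQDN overrides `hostname -f` so the check can be exercised offline.
run_regen() {
  reported=${REGEN_REPORTED_FQDN:-$(hostname -f 2>/dev/null)}
  fqdn_matches "$2" "$reported" || {
    echo "hostname -f reports '$reported', not '$2'; run /opt/vmware/share/vami/vami_config_net first" >&2
    return 1
  }
  regen_commands "$1" | while IFS= read -r cmd; do
    if [ "${DRY_RUN:-1}" = 1 ]; then
      echo "[dry-run] $cmd"
    else
      sh -c "$cmd" || exit 1
    fi
  done
}

# Only act when invoked with a version, so sourcing the file is side-effect free.
if [ -n "${REGEN_VERSION:-}" ]; then
  run_regen "$REGEN_VERSION" "${REGEN_FQDN:-$(hostname -f 2>/dev/null)}"
fi
```

Usage on the appliance, after taking the snapshot the article asks for: `REGEN_VERSION=5.5 REGEN_FQDN=vcenter.example.com sh regen.sh` prints the six commands; repeat with `DRY_RUN=0` to execute them. The live run ends in `reboot`, so verify afterwards with `cert_cn_matches /etc/vmware-vpx/ssl/rui.crt vcenter.example.com` from a fresh shell that sources the script.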


Additional Information

Impact/Risks:
To lower risk, take a snapshot of the virtual machine before proceeding.