VAMI does not display the new certificate after changing vCenter Server Appliance 6.x certificates

Article ID: 320801

Products

VMware vCenter Server

Issue/Introduction

This article explains how to update the VAMI certificate with the Machine SSL certificate and how to configure VAMI to present the full certificate chain instead of only the leaf certificate.

Symptoms:
After changing the vCenter Server Appliance 6.x certificates, the VMware Appliance Management Interface (VAMI), accessed on port 5480 (https://vcenter_fqdn:5480), does not display the new certificate.

Environment

VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x
VMware Tools 11.x

Resolution

This issue is resolved in vCenter Server 7.0.

This is a known issue affecting vCenter Server Appliance 6.x.
Workaround:
To work around this issue:
 
vCenter Server Appliance 6.5 & 6.7:
  1. Log in to the vCenter Server Appliance through SSH.
  2. Type shell and press Enter.
  3. Restart the VAMI service so that it automatically picks up the Machine SSL certificate:

    /sbin/service vami-lighttp restart

Follow the steps below if VAMI is not presenting the certificate chain:
  1. Log in to the vCenter Server Appliance through SSH.
  2. Type shell and press Enter.
  3. Copy the CA certificate chain to the appliance folder as ca.crt. If the Machine SSL certificate is issued by a custom Certificate Authority, cachain.cer should be a chain of all intermediate CA and Root CA certificates. Refer to KB Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate for more information.

    vcsa-a:/ssl/machineSSL# cp cachain.cer /etc/applmgmt/appliance/ca.crt

     Note: If the certificate is issued by VMCA, copy the VMCA certificate chain using one of the commands below instead:

    cp /var/lib/vmware/vmca/root.cer /etc/applmgmt/appliance/ca.crt
    OR
    cp /etc/vmware/vmware-vmafd/ca.crt /etc/applmgmt/appliance/ca.crt
  4. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file using a text editor.
  5. Add the following entry at the end of the file, or after the line ssl.engine = "enable":

    ssl.ca-file="/etc/applmgmt/appliance/ca.crt"

     Note: If you use the VAMI Backup / Restore functionality, a restore operation will fail because of the ssl.ca-file entry added in the previous step: by default the VAMI backup does not include the file /etc/applmgmt/appliance/ca.crt, so the restore fails when it tries to load the configuration parameter ssl.ca-file. To avoid this failure, perform these additional steps:
     • Open the file /etc/vmware/backup/manifests/applmgmt.json using a text editor:

    vi /etc/vmware/backup/manifests/applmgmt.json

     • Add the entry "/etc/applmgmt/appliance/ca.crt" to the locations list, then save and exit the text editor (in vi: press the Esc key, then type :wq!).

     Example (the added line is the last entry in the locations list; make sure the line above it ends with a comma delimiter so that the file remains valid JSON):

{
  "component": "Appliance Management",
  "parts": [
     {
        "locations": [
          "/etc/applmgmt/appliance/appliance.conf",
          "/etc/applmgmt/appliance/authorization.conf",
          "/etc/applmgmt/firstboot/applmgmt.properties",
          "/etc/vmware/appliance/dcui.cfg",
          "/etc/applmgmt/appliance/update.conf",
          "/etc/applmgmt/appliance/ca.crt"
        ]
     }
  ],
  "deploymentType": ["all"]
}
  6. Restart the VAMI service:

    /sbin/service vami-lighttp restart
 
vCenter Server Appliance 6.0:
  1. Log in to the vCenter Server Appliance through SSH.
  2. Run this command to enable access to the Bash shell:

    shell.set --enabled true
     
  3. Type shell and press Enter.
  4. Run this script to update the VAMI certificate with the Machine SSL certificate:

    /usr/lib/applmgmt/support/scripts/postinstallscripts/lighttpd-vecs-integration.sh

    You see output similar to:

    Wed Nov 4 10:10:16 UTC 2015: Updating Appliance UI SSL certificate.
    Wed Nov 4 10:10:16 UTC 2015: Appliance UI updated to use VECS MACHINE_SSL_CERT
    Wed Nov 4 10:10:16 UTC 2015: Reloading Appliance UI.
    Shutting down vami-lighttpd:done.
    Starting vami-lighttpd:2015-11-04 10:10:21:
    (/build/mts/release/bora-2250291/vadk/src/vami/apps/lighttpd/1.4.29/src/network.c.239)
    warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes done.
  5. Restart the VAMI service:

    /sbin/service vami-lighttp restart


Follow the steps below if VAMI is not presenting the certificate chain:
  1. Log in to the vCenter Server Appliance through SSH.
  2. Run the command shell.set --enabled true to enable access to the Bash shell.
  3. Type shell and press Enter.
  4. Copy the CA certificate chain to the appliance folder as ca.crt. If the Machine SSL certificate is issued by a custom Certificate Authority, cachain.cer should be a chain of all intermediate CA and Root CA certificates. Refer to KB Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate for more information:
     
    vcsa-a:/ssl/machineSSL # cp cachain.cer /etc/applmgmt/appliance/ca.crt

    Note: If the certificate is issued by VMCA, copy the VMCA certificate chain using one of the commands below instead:
    cp /var/lib/vmware/vmca/root.cer /etc/applmgmt/appliance/ca.crt
    OR
    cp /etc/vmware/vmware-vmafd/ca.crt /etc/applmgmt/appliance/ca.crt
  5. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file using a text editor.
  6. Add the following entry at the end of the file:

    ssl.ca-file="/etc/applmgmt/appliance/ca.crt"
  7. Restart the VAMI service:

    /sbin/service vami-lighttp restart
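The 6.5/6.7 and 6.0 procedures above edit three things by hand: the ca.crt chain file, the ssl.ca-file directive in lighttpd.conf and, for 6.5/6.7, the backup manifest. The shell script below is an added example and is not part of this KB article or of VMware's own tooling: it checks that the chain file contains more than one certificate, adds the ssl.ca-file directive only once, inserts the ca.crt path into the manifest's locations list with the comma delimiter the note warns about, and counts the certificates VAMI actually presents on port 5480. The sample chain, lighttpd.conf and applmgmt.json are constructed in a temporary directory so the script runs offline; the function names and the sample file contents are my own, only the paths come from the KB.

```shell
#!/bin/sh
# Added example, not from the KB article. Helper checks for the workaround above.
# The sample config, manifest and chain file are constructed in a temp directory;
# on an appliance you would point the functions at the live paths from the KB.

# Number of PEM certificates in a file (0 if the file is missing). A custom-CA chain
# should contain every intermediate CA plus the root CA, so a count of 1 usually
# means the intermediates were left out.
count_pem_certs() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Append ssl.ca-file="<crt>" to a lighttpd.conf unless an ssl.ca-file line already
# exists (idempotent, so re-running the workaround does not duplicate the directive).
ensure_ssl_ca_file() {
    conf=$1; crt=$2
    grep -q '^ssl\.ca-file' "$conf" && return 0
    printf 'ssl.ca-file="%s"\n' "$crt" >> "$conf"
}

# True if the backup manifest already lists the given path.
manifest_lists() {
    grep -q "\"$2\"" "$1"
}

# Insert a path as the last entry of the "locations" list in the manifest, adding
# the comma the KB warns about to the previous entry if it is missing.
manifest_add_location() {
    manifest=$1; entry=$2
    manifest_lists "$manifest" "$entry" && return 0
    awk -v entry="$entry" '
        inloc && /^[ \t]*\]/ {               # closing bracket of "locations"
            sub(/[ \t]*$/, "", prev)
            if (prev !~ /,$/) prev = prev ","   # comma delimiter on the line above
            print prev
            print "          \"" entry "\""
            inloc = 0; have = 0
        }
        /"locations"[ \t]*:/ { inloc = 1 }
        { if (have) print prev; prev = $0; have = 1 }   # print with one line of delay
        END { if (have) print prev }
    ' "$manifest" > "$manifest.tmp" && mv "$manifest.tmp" "$manifest"
}

# Number of certificates VAMI actually presents on port 5480. Needs network access
# to the appliance, so the offline demo below does not call it.
presented_chain_length() {
    printf '' | openssl s_client -connect "$1:5480" -servername "$1" -showcerts 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----'
}

# Constructed sample files (placeholder certificate bodies, not real certificates).
make_sample_files() {
    mkdir -p "$1"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-INTERMEDIATE\n-----END CERTIFICATE-----\n' > "$1/cachain.cer"
    printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER-ROOT\n-----END CERTIFICATE-----\n' >> "$1/cachain.cer"
    printf 'server.port = 5480\nssl.engine = "enable"\n' > "$1/lighttpd.conf"
    cat > "$1/applmgmt.json" <<'EOF'
{
  "component": "Appliance Management",
  "parts": [
     {
        "locations": [
          "/etc/applmgmt/appliance/appliance.conf",
          "/etc/applmgmt/appliance/update.conf"
        ]
     }
  ],
  "deploymentType": ["all"]
}
EOF
}

# Offline walk-through of the checks against the constructed files.
demo() {
    dir=$(mktemp -d)
    make_sample_files "$dir"
    echo "certificates in chain file: $(count_pem_certs "$dir/cachain.cer")"
    ensure_ssl_ca_file "$dir/lighttpd.conf" /etc/applmgmt/appliance/ca.crt
    ensure_ssl_ca_file "$dir/lighttpd.conf" /etc/applmgmt/appliance/ca.crt
    echo "ssl.ca-file lines: $(grep -c '^ssl\.ca-file' "$dir/lighttpd.conf")"
    manifest_add_location "$dir/applmgmt.json" /etc/applmgmt/appliance/ca.crt
    cat "$dir/applmgmt.json"
    rm -rf "$dir"
}
demo
```

To check a real appliance after the restart, call presented_chain_length vcenter_fqdn from a machine that can reach port 5480; a result of 1 means only the leaf certificate is being sent and the ssl.ca-file directive is not in effect.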


Additional Information

Logging in to the VMware vCenter Server Appliance Web Console on port 5480 fails