"Server certificate chain is not trusted and thumbprint verification is not configured" upgrading external SSO Server to vSphere 6.5 PSC

Article ID: 315241

Updated On:

Products

VMware

Issue/Introduction

Symptoms:
  • When upgrading an external Single Sign-On Server to a vSphere 6.5 Platform Services Controller, the appliance does not migrate the intermediate SSL certificate.
  • Stage 2 of the upgrade fails with this error:

    The SSL certificate does not match when connecting to the vCenter Single Sign-On.
    com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint verification is not configured

     
  • In the VMware-VCS-logs-Date/vcsUpgrade/cmfirstboot.py_####_stdout.log file, you see entries similar to:

    2016-11-28T18:17:11.798Z [main DEBUG com.vmware.vim.vmomi.client.common.impl.LoggingFilterOutputStream] Logging request to '/var/log/vmware/cm/firstboot/cmcli-vlsi-exchange.log-0000.log'
    2016-11-28T18:17:12.068Z [main DEBUG com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager] Server certificate chain is not trusted
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ...
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    ...
    2016-11-28T18:17:12.075Z [main DEBUG com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager] Server certificate chain not verified for Certificate: [
    ...
    2016-11-28T18:17:12.085Z [main WARN com.vmware.cis.services.cm.service.util.LsUtils] Call to lookup service failed; uri:https://<FQDN>/lookupservice/sdk [com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint verification is not configured]


    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Cause

This issue occurs when, for the upgrade, only the root CA certificate is exported into the certificate chain file instead of appending both the intermediate and root CA certificates to this file.
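
The following check is an added example, not part of the original article or of VMware's tooling. It builds a throwaway root, intermediate and server certificate with openssl (all names and file paths are constructed) and shows that a chain file holding only the root fails verification of the server certificate, while one with the intermediate and root appended passes. Here openssl verify stands in for the appliance's own PKIX path check.

```bash
#!/bin/sh
# Added example: every certificate is throwaway, every file name is hypothetical.

# Build a constructed three-tier PKI (root -> intermediate -> server) in directory $1.
make_demo_pki() {
  local d=$1
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Root CA" -days 2 -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 -out "$d/int.pem" 2>/dev/null
  openssl req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=sso.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
  cp "$d/root.pem" "$d/chain-root-only.pem"             # the mistake: root CA only
  cat "$d/int.pem" "$d/root.pem" > "$d/chain-full.pem"  # intermediate and root appended
}

# Number of certificates in PEM file $1.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# Succeeds only if server cert $2 validates using nothing but the certs in chain file $1.
# -no-CApath keeps the system trust directory out of the decision.
chain_is_complete() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
  local d f r
  d=$(mktemp -d)
  make_demo_pki "$d"
  for f in chain-root-only.pem chain-full.pem; do
    if chain_is_complete "$d/$f" "$d/leaf.pem"; then r="complete"; else r="INCOMPLETE"; fi
    echo "$f: $(count_certs "$d/$f") certificate(s), chain $r"
  done
  rm -rf "$d"
}
demo
```

To run the same check against real files, call chain_is_complete with the exported chain file and the SSO server's certificate as arguments.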

Resolution

This issue is resolved in VMware vCenter Server Appliance 6.5 b, available at VMware Downloads.
