"Failed with error : Error ! An error occurred while retrieving the Single Sign-On token from; https://vCenter/lookupservice/sdk" error during vSphere Authentication configuration
Article ID: 312265
Updated On:
Products
VMware Aria Suite
Issue/Introduction
Symptoms:
- Configuring the vCenter Server authentication source in vRealize Orchestrator fails.
- You see this error:
Failed with Error ! An error occurred while retrieving the Single Sign-On token from; https://vcenter/lookupservice/sdk
- In the controlcenter logs, you see entries similar to:
2017-06-20 10:29:53.776+0000 [https-jsse-nio-8283-exec-2] ERROR [ConfigureAuthProvider] [<UUID_1>] Register authentication error: authentication: Authentication: state = CONNECTED, url = https://xx.xx.xx.xx/lookupservice/sdk , certificateAlias = vco.vsphere.lookup-service.ssl.certificate, username = [email protected] , password = ******, importCertificates = false, configureLicences = true, certificate = [TrustedEntity [id=vco.vsphere.lookup-service.ssl.certificate, [FD 3D E5 51 D4 E3 91 1D FC 68 10 3F FF CD 29 19 C2 97 5B 81], TrustedEntity [id=imported:3351b814-6d13-44a5-8
e84-4b99d38ad917, [E3 91 1D FC 68 CD A0 A4 C8 D3 CD 29 19 C2 97 FD 3D E5 51 D4], TrustedEntity [id=imported:7251f30f-e3e3-46c5-bafa-4a836890c6f0, [FC 68 CD A0 7E3 91 1D FC CD 29 19 C2 97 B7 85 E9 21 F0 67 F0 15 C7 94], service provider host = https://XX.XX.XXX.XXX:8283 Sso Authentication: ssoUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6 , stsUrlEndpoint = com.vmware.vcac.componentregistry.
rest.stubs.EndPoint@258c72f6 , adminUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@2df8d253 , ssoSslAlias = vco.sso.ssl.certificate, authenticationTokenType = saml, clientId = null, clientSecret = , adminGroup = null, adminGroupDomain = null, defaultTenant = vsphere.local, ssoClockTolerance = 300, tokenLifetimeInSeconds = 7776000, ssoTokenRenewCount = 5 com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match
at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.execute(VmomiClientCommand.java:112)
at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringNoDomainError(VmomiClientCommand.java:217)
at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.createServiceContent(AdminClientImpl.java:334)
at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.<init>(AdminClientImpl.java:107)
at com.vmware.vim.sso.admin.client.vmomi.VmomiClientFactory.createAdminClient(VmomiClientFactory.java:64)
at com.vmware.vim.sso.admin.client.vmomi.VmomiClientFactory.createAdminClient(VmomiClientFactory.java:54)
at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.getTrustedCerts(SsoAdminClientFactoryImpl.java:298)
at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.aquireToken(SsoAdminClientFactoryImpl.java:275)
at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.createSSOAdminClient(SsoAdminClientFactoryImpl.java:259)
at com.vmware.o11n.security.sso.admin.SsoAdminClientFactoryImpl.registerWithSSO(SsoAdminClientFactoryImpl.java:86)
at com.vmware.o11n.configuration.authentication.services.SamlAuthenticationServiceAdapter.register(SamlAuthenticationServiceAdapter.java:89)
at com.vmware.o11n.configuration.authentication.services.SsoAuthenticationService.register(SsoAuthenticationService.java:202)
at com.vmware.o11n.configuration.authentication.ConfigureAuthProvider.register(ConfigureAuthProvider.java:597)
at com.vmware.o11n.configuration.authentication.ConfigureAuthProvider.update(ConfigureAuthProvider.java:236)
at com.vmware.o11n.controlcenter.authentication.AuthenticationController.updateWizzard(AuthenticationController.java:169)
at com.vmware.o11n.controlcenter.authentication.AuthenticationController$$FastClassBySpringCGLIB$$337aef2c.invoke(<generated>)
Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.handleHandshakeException(ThumbprintTrustManager.java:511)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:361)
at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.verifyHostname(VlsiSslSocketFactory.java:129)
Caused by: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
Environment
VMware vRealize Orchestrator Plugin for NSX 1.0.x
VMware vRealize Orchestrator Plugin for NSX 1.1.x
VMware vRealize Orchestrator 7.5.x
VMware vRealize Orchestrator Plugin for vSphere Replication 6.x
VMware vRealize Orchestrator 7.4.x
VMware vRealize Orchestrator 7.2.x
VMware vRealize Automation 7.4.x
VMware vRealize Orchestrator 7.0.x
VMware vRealize Orchestrator 7.3.x
VMware vRealize Orchestrator 6.0.x
VMware vRealize Orchestrator 7.1.x
VMware vRealize Orchestrator Plugin for NSX 1.1.x
VMware vRealize Orchestrator 7.5.x
VMware vRealize Orchestrator Plugin for vSphere Replication 6.x
VMware vRealize Orchestrator 7.4.x
VMware vRealize Orchestrator 7.2.x
VMware vRealize Automation 7.4.x
VMware vRealize Orchestrator 7.0.x
VMware vRealize Orchestrator 7.3.x
VMware vRealize Orchestrator 6.0.x
VMware vRealize Orchestrator 7.1.x
Cause
The problem occurs in any of these situations:
- When replacing the machine SSL certificate on an embedded deployment.
- When replacing the machine SSL certificate on the Platform Services Controller in an installation with an external Platform Services Controller.
- When replacing the machine SSL certificate on a vCenter Server system in an installation with an external Platform Services Controller.
- This issue is caused when SSO uses one certificate while in lookupservice to be registered another.
Resolution
This issue can be resolved when using the Platform Services Controller UI to replace the certificates by running the ls_update_certs script on the Platform Services Controller. With external solutions, certificate replacement proceeds as follows:
- Extract the old certificate from your vCenter Server system or Platform Services Controller for later use.
- Perform the certificate replacement, either by using the Certificate Manager utility or by running certificate management CLI commands.
- Run the ls_update_certs script, passing in the old certificate and new certificate.
For more information on the procedure, see:
- vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller (2121689)
- vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with a External Platform Services Controller (2121701)
Feedback
Yes
No
Powered by
