VIC Plugin in HTML5 Client Fails Thumbprint Validation
Article ID: 315128

Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • The VIC plugin frame loads, but no objects load inside the plugin.
  • The plugin's actions are shown as disabled.
  • On the vCenter Server, the vSphere Client log vsphere-ui/logs/vsphere_client_virgo.log contains entries similar to the following:

  [2018-01-11T14:34:17.915-06:00] [ERROR] data-service-pool-665  70000430 100010 200002 com.vmware.utils.ssl.ThumbprintTrustManager   Server certificate chain is not trusted and thumbprint doesn't match
  [2018-01-11T14:34:17.931-06:00] [ERROR] http-bio-5090-exec-6  70000430 100010 200002 com.vmware.vise.mvc.servlets.GlobalExceptionResolver   Exception handled:  com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server certificate chain is not trusted and thumbprint doesn't match


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment. 

Environment

VMware vSphere Integrated Containers 1.x

Cause

  • The vCenter Server certificate was replaced, but the lookup service registrations in the Platform Services Controller (visible through the PSC managed object browser) still carry the old certificate's thumbprint as their trust anchor. The vSphere Client therefore rejects the TLS handshake: the presented chain is not trusted and its thumbprint does not match the registered one.
           Refer to the following Knowledge Base article for details:
           vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0 (2109074)
           https://kb.vmware.com/s/article/2109074

Resolution


 1.  Follow the KB article that matches the PSC deployment type:

             vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with an External Platform Services Controller (2121701)
             https://kb.vmware.com/s/article/2121701

             vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller (2121689)
             https://kb.vmware.com/s/article/2121689

 2.  After the lookup service trust anchors have been validated and corrected as needed, verify that the __MACHINE_CERT entry in the VECS MACHINE_SSL_CERT store holds only the leaf certificate. Some upgrade paths leave the full certificate chain in that entry instead of the leaf alone.

 Validation:

  1. Check the MACHINE_SSL_CERT store. The __MACHINE_CERT entry should hold a single leaf certificate. Add --text to the command to print the certificate itself; more than one BEGIN CERTIFICATE block means the entry holds the chain and must be corrected.
          /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT


Backup the Certificate and Key:

  1. Export the certificate.
          /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getcert.txt

  2. Export the private key.
          /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output ~/entry__MACHINE_CERT-getkey.txt

  The exported key file is the Machine SSL private key in clear text: keep it readable only by root (for example, chmod 600) and delete both exports once the entry has been recreated and verified.

 

Copy certificate leaf:

  1. The leaf certificate is the first (top-most) certificate in the exported chain file. With a text editor, copy the first block from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (both lines included) and save it as ~/leaf_MACHINE_CERT.pem.
  2. Confirm that the file parses and is really the leaf: the Subject should name the vCenter Server, not the VMCA or an external CA.
          openssl x509 -in ~/leaf_MACHINE_CERT.pem -noout -text
  3. Confirm that the leaf certificate and the exported private key carry the same public key; the two digests must be identical.
          openssl pkey -in ~/entry__MACHINE_CERT-getkey.txt -pubout -outform pem | sha256sum
          openssl x509 -in ~/leaf_MACHINE_CERT.pem -pubkey -noout -outform pem | sha256sum

 If both digests match, proceed. Otherwise troubleshoot the error or mismatch, regenerating the certificates as needed, before continuing.

Recreate the entry in the VECS store:

  1. Stop all services, then start only the vmafdd, vmdird, and vmcad services.
          service-control --stop --all
          service-control --start vmafdd
          service-control --start vmdird
          service-control --start vmcad

  2. Delete the existing entry.
          /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT

  3. Create a new entry with the same alias from the same private key and the extracted leaf certificate.
          /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert ~/leaf_MACHINE_CERT.pem --key ~/entry__MACHINE_CERT-getkey.txt

  4. Stop and start all services (alternatively, reboot the vCenter Server Appliance).
          service-control --stop --all
          service-control --start --all
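The following script is an added example; it is not part of this KB and not a VMware tool. It automates the "Copy certificate leaf" and validation steps above: it carves the first certificate block out of the chain exported from VECS, checks that its public key matches the exported private key, and prints the subject and issuer so you can see that the block really is the server certificate before the entry is recreated. It assumes openssl is on the PATH of the appliance and that VECS exports the chain leaf-first; the file names are the illustrative ones used in the steps above.

```shell
#!/bin/sh
# Added example (not part of the KB or of vecs-cli): carve the leaf out of a
# certificate chain exported from VECS and confirm it belongs to the exported
# private key before the __MACHINE_CERT entry is recreated.
# Assumes: openssl on PATH; the chain is leaf-first (as VECS exports it);
# the file names used below are illustrative, not fixed by any tool.

# Print only the first PEM certificate block in $1 (the leaf).
extract_leaf() {
  awk '
    /^-----BEGIN CERTIFICATE-----/ { inblock = 1 }
    inblock                        { print }
    /^-----END CERTIFICATE-----/   { if (inblock) exit }
  ' "$1"
}

# Number of PEM certificate blocks in $1; more than 1 means the entry held a chain.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Hex SHA-256 of the SubjectPublicKeyInfo (PEM) carried by certificate $1.
cert_pubkey_hash() {
  openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{ print $NF }'
}

# Hex SHA-256 of the public half of private key $1, in the same PEM encoding,
# so the two digests are directly comparable.
key_pubkey_hash() {
  openssl pkey -in "$1" -pubout | openssl dgst -sha256 | awk '{ print $NF }'
}

# Succeed only when certificate $1 and private key $2 share a public key.
keys_match() {
  [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# Subject, issuer and expiry of certificate $1: if this really is the leaf,
# the subject names the vCenter Server, not the VMCA or an external CA.
describe_cert() {
  openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Extract the leaf from chain $1 into $3 and verify it against key $2.
# Fails (and says why) on a mismatch so a wrong pair never reaches VECS.
prepare_leaf() {
  chain=$1; key=$2; out=$3
  extract_leaf "$chain" > "$out"
  if ! keys_match "$out" "$key"; then
    echo "ERROR: public key of $out does not match $key" >&2
    return 1
  fi
  echo "$(count_certs "$chain") certificate(s) in $chain; leaf written to $out"
  describe_cert "$out"
}

# Usage on the appliance, with the file names from the steps above:
#   sh prepare_leaf.sh ~/entry__MACHINE_CERT-getcert.txt ~/entry__MACHINE_CERT-getkey.txt ~/leaf_MACHINE_CERT.pem
if [ "$#" -eq 3 ]; then
  prepare_leaf "$1" "$2" "$3"
fi
```

The script only produces the leaf file and refuses to do so when the key does not fit; the vecs-cli delete and create commands are still run by hand, so nothing touches VECS until the checks have passed.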



Additional Information