vSphere Update Manager displays the error "Server certificate assertion not verified and thumbprint not matched" in the vSphere Client (HTML5)

Article ID: 327880

Products: VMware

Issue/Introduction

Symptoms:
  • When accessing vSphere Update Manager in the vSphere Client (HTML5), the following error is shown in a red banner at the top of the screen:
      com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched
  • The vsphere_client_virgo.log file, located in /var/log/vmware/vsphere-ui/logs/, contains the following message:
      Certificate for <hostname.domain> doesn't match common name of the certificate subject: vpxd-extension
  • vSphere Update Manager is still accessible from the vSphere Web Client (Flex).


Cause

This issue is due to the vpxd-extension Solution User certificate not containing a Subject Alternative Name (SAN). Without a SAN, the vSphere Client (HTML5) falls back to comparing the vCenter Server host name with the certificate's common name, vpxd-extension, which does not match, as the log message shows. Currently, using the Certificate Management UI in the vSphere Client (HTML5) to renew the vpxd-extension certificate reproduces this problem, because the renewed certificate is issued without a SAN.

Resolution

This issue is resolved in vCenter Server 6.7.0c, available at VMware Downloads.

For more information on patching a vCenter Server Appliance node, see Patching the vCenter Server Appliance and Platform Services Controller Appliance.

Workaround:
To work around the issue, replace the vpxd-extension solution user certificate with one that contains a Subject Alternative Name (SAN) matching the FQDN of the vCenter Server.
  1. Open an SSH session to the vCenter Server Appliance and log in with root credentials.
  2. Using a text editor, create a new vpxd-extension.cfg file that includes the SAN field. It is used during the certificate creation process. Use the example below as a reference; the placeholder values, such as DNS:FQDN.domain.com, are variables that should be changed to match your environment.
      [ req ]
      distinguished_name = req_distinguished_name
      encrypt_key = no
      prompt = no
      string_mask = nombstr
      req_extensions = v3_req

      [ v3_req ]
      basicConstraints = CA:false
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      subjectAltName = DNS:FQDN.domain.com

      [ req_distinguished_name ]
      countryName = US
      stateOrProvinceName = California
      localityName = Palo Alto
      0.organizationName = VMware
      organizationalUnitName = GSS
      commonName = vpxd-extension
  3. Run this command to create a new private key and certificate request, where vpxd-extension.cfg is the file created in step 2:
      openssl req -new -nodes -out vpxd-extension.csr -newkey rsa:2048 -keyout vpxd-extension.key -config vpxd-extension.cfg
  4. Run this command to create the new vpxd-extension certificate, signed by the VMCA root and carrying the v3_req extensions (including the SAN) from the config file:
      openssl x509 -req -days 3650 -in vpxd-extension.csr -out vpxd-extension.crt -CA /var/lib/vmware/vmca/root.cer -CAkey /var/lib/vmware/vmca/privatekey.pem -extensions v3_req -CAcreateserial -extfile vpxd-extension.cfg
  5. Move the newly created vpxd-extension.crt and vpxd-extension.key files to a workstation that can access the vSphere Client (HTML5).
    1. For help connecting to the vCenter appliance with WinSCP, see Error when uploading files to vCenter Server Appliance using WinSCP (2107727).
  6. Log in to the vSphere Client (HTML5) and navigate to the Certificate Management UI.
    1. From the Home menu, select Administration.
    2. Under Certificates, click Certificate Management.
    3. Populate the server name and enter the SSO administrator credentials.
  7. In the box for vpxd-extension, click Actions and select Replace.
  8. Select the new vpxd-extension.crt file for the Certificate Chain.
  9. Select the new vpxd-extension.key file for the Private Key.
  10. Click Replace.
  11. Restart the vSphere Update Manager service. For more information, see the VMware documentation.
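The following script is an added example and is not part of this article or of VMware's own tooling. It reproduces the config file and the two openssl commands from steps 2 to 4 in a scratch directory against a throwaway CA constructed on the spot (the VMCA root under /var/lib/vmware/vmca/ is not touched), also issues a SAN-less certificate of the kind a plain renewal produces, and then checks each certificate for a DNS Subject Alternative Name matching the FQDN, which is the property the HTML5 client requires, before anything would be uploaded through Certificate Management. The FQDN vcenter.example.com, the scratch directory layout and the helper function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the KB article or VMware): runs the workaround's openssl steps
# end to end in a scratch directory against a constructed test CA, then checks the result
# the way the HTML5 client does (the host name must appear as a DNS SAN) before upload.
# On a real appliance the CA inputs would be /var/lib/vmware/vmca/root.cer and privatekey.pem.

FQDN="${FQDN:-vcenter.example.com}"     # hypothetical vCenter FQDN; replace with your own
WORK="${WORK:-$(mktemp -d)}"            # scratch directory, left in place for inspection

# Step 2: the request config from the article, with the SAN filled in from $FQDN.
write_cfg() {
  mkdir -p "$WORK"
  cat > "$WORK/vpxd-extension.cfg" <<EOF
[ req ]
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = DNS:$FQDN

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = Palo Alto
0.organizationName = VMware
organizationalUnitName = GSS
commonName = vpxd-extension
EOF
}

# Constructed stand-in for the VMCA root (root.cer / privatekey.pem) so the example runs offline.
make_test_ca() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 30 \
    -subj "/CN=Constructed test CA" \
    -keyout "$WORK/privatekey.pem" -out "$WORK/root.cer" 2>/dev/null
}

# Steps 3 and 4: CSR from the config, then a certificate carrying the v3_req extensions.
issue_san_cert() {
  openssl req -new -nodes -out "$WORK/vpxd-extension.csr" -newkey rsa:2048 \
    -keyout "$WORK/vpxd-extension.key" -config "$WORK/vpxd-extension.cfg" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/vpxd-extension.csr" -out "$WORK/vpxd-extension.crt" \
    -CA "$WORK/root.cer" -CAkey "$WORK/privatekey.pem" -extensions v3_req -CAcreateserial \
    -extfile "$WORK/vpxd-extension.cfg" 2>/dev/null
}

# The failing case: same subject (CN=vpxd-extension) but no SAN, like a plain renewal.
issue_legacy_cert() {
  openssl req -new -nodes -newkey rsa:2048 -subj "/CN=vpxd-extension" \
    -keyout "$WORK/legacy.key" -out "$WORK/legacy.csr" 2>/dev/null
  openssl x509 -req -days 3650 -in "$WORK/legacy.csr" -out "$WORK/legacy.crt" \
    -CA "$WORK/root.cer" -CAkey "$WORK/privatekey.pem" -CAcreateserial 2>/dev/null
}

# Returns 0 if the certificate carries DNS:<fqdn> in its Subject Alternative Name, 1 otherwise.
# Usage: san_matches <cert.pem> <fqdn>
san_matches() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -F -q "DNS:$2"
}

# Returns 0 if the subject CN is still vpxd-extension, the name the extension is registered under.
cn_is_vpxd_extension() {
  openssl x509 -in "$1" -noout -subject 2>/dev/null | grep -F -q "vpxd-extension"
}

write_cfg && make_test_ca && issue_san_cert && issue_legacy_cert || exit 1
if san_matches "$WORK/vpxd-extension.crt" "$FQDN"; then
  echo "vpxd-extension.crt: SAN contains DNS:$FQDN, ready for Certificate Management"
fi
if ! san_matches "$WORK/legacy.crt" "$FQDN"; then
  echo "legacy.crt: no SAN for $FQDN, the HTML5 client would fall back to the CN and fail"
fi
```

Run it with FQDN set to the vCenter Server's name; the scratch directory path is printed by mktemp and is left in place so the generated files can be inspected with openssl x509 -text. The san_matches check is the one worth running against the real vpxd-extension.crt from step 4 before uploading it, since a certificate whose only identity is the CN vpxd-extension is exactly what triggers the banner error.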


Alternatively, use the vSphere Web Client (Flex) to manage and administer vSphere Update Manager.


Additional Information

Simply renewing the vpxd-extension certificate will not fix this issue: the renewed certificate is generated with the same properties as the original one, so it still lacks a Subject Alternative Name.

It is also possible to replace the solution user certificates with the certificate-manager CLI utility. For this to be effective, the option to generate all the certificates from a configuration file must be chosen, so that the SAN is included. Note that this replaces all of the solution user certificates, not only the one used for vpxd-extension.

Locations of certificate-manager by guest OS:
vCenter Appliance: /usr/lib/vmware-vmca/bin/certificate-manager
Windows: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat

For more information:
See the related article if you instead see entries similar to: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified