Importing a newly created STS cert chain fails with an error: A vCenter Single Sign-On error occurred
Article ID: 322814
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
- After creating a new sts signing certificate chain as per Generate a New STS Signing Certificate on the Appliance, importing the certificate chain using the Web Client fails
- You see the following error on the Web Client: "A vCenter Single Sign-On error occurred"
- The sts certificate is in the correct pk12 format
Environment
VMware vCenter Server Appliance 6.5.x
Cause
In an upgraded vCenter Server, the old sts cert is retained in the STS_INTERNAL_SSL_CERT store. The documentation Generate a New STS Signing Certificate on the Appliance expects that the MACHINE_SSL_CERT will be used when creating the sts cert but instead the creation process references the MACHINE_CERT in the STS_INTERNAL_SSL_CERT store.
Resolution
To solve the issue follow the steps given below:
4. Create the new sts cert. The document Generate a New STS Signing Certificate on the Appliance assumes that the cert at /etc/vmware-sso/keys/ssoserverRoot.crt is the same as the rootca. But when you are on an upgraded as opposed to a newly deployed vCenter Server Appliance, they can be different. So, when going through Generate a New STS Signing Certificate on the Appliance again to create the new sts cert, replace /etc/vmware-sso/keys/ssoserverRoot.crt with <path>/cacert.crt wherever you see it in the opnssl commands
5. Now when importing the root-trust.jks as per Refresh the Security Token Service Certificate it should succeed.
6. Restart all vCenter and PSC services
7. Delete the old sts signing certs from the web client
- Obtain the current rootCA cert: /usr/lib/vmware-vmca/bin/certool --getrootca --cert=/tmp/cacert.crt
- Save this as cacert.crt on the appliance at your desired location; /tmp/ is provided in the above command as an example.
- Replace the sts_internal_ssl_cert with the machine cert from the MACHINE_SSL_CERT store. Implement the commands below as you see them one by one:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > ~/machine.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > ~/machine.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert ~/machine.crt --key ~/machine.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > ~/machine.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert ~/machine.crt --key ~/machine.key
4. Create the new sts cert. The document Generate a New STS Signing Certificate on the Appliance assumes that the cert at /etc/vmware-sso/keys/ssoserverRoot.crt is the same as the rootca. But when you are on an upgraded as opposed to a newly deployed vCenter Server Appliance, they can be different. So, when going through Generate a New STS Signing Certificate on the Appliance again to create the new sts cert, replace /etc/vmware-sso/keys/ssoserverRoot.crt with <path>/cacert.crt wherever you see it in the opnssl commands
5. Now when importing the root-trust.jks as per Refresh the Security Token Service Certificate it should succeed.
6. Restart all vCenter and PSC services
7. Delete the old sts signing certs from the web client
Additional Information
Impact/Risks:
Ensure you Snapshot the vCenter Server Appliance. If you have external replicating PSCs, shut them all down and snapshot all nodes including vCenter node.
Ensure you Snapshot the vCenter Server Appliance. If you have external replicating PSCs, shut them all down and snapshot all nodes including vCenter node.
Feedback
Yes
No
Powered by
