This is a known issue. A fix is available in vCenter Server 7.0 Update 1c.
Symptoms:
When you attempt to replace the Machine SSL certificate for vCenter with a custom CA-signed certificate, the vCenter Server service fails to start.
- In /var/log/vmware/rhttpproxy/rhttpproxy.log, you see a log message similar to:
2020-09-25T21:15:28.865Z warning rhttpproxy[07720] [Originator@6876 sub=RhttpProxy] [Rhttpproxy clusters REST PUT Handler] Saving proxy configuration failed! Error code = 13, Message = Error adding/updating listener edge_https_v6: Failed to load certificate chain from <inline>
- Loading the certificate with OpenSSL returns the following error:
Command: openssl x509 -text -noout -in <certificate>.crt
Output: unable to load certificate
- This is observed in vCenter Server and VxRail solutions before vCenter Server 7.0 Update 1c.
- This is not observed on environments with a VM Certificate Authority (VMCA) signed certificate.
- In /var/log/vmware/envoy/envoy.log, you may see a message similar to:
2020-09-25T21:15:55.580Z warning envoy[63897] [Originator@6876 sub=upstream] source/common/config/grpc_mux_impl.cc:226] gRPC config for type.googleapis.com/envoy.api.v2.Listener update rejected: Error adding/updating listener edge_https_v6: Failed to load certificate chain from <inline>
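
The following triage script is an added example, not VMware code. It checks whether a certificate file parses with OpenSSL and pulls the timestamp, service and listener out of the chain-load failures in both logs. The function names are hypothetical; the log paths and the error string are the ones quoted above, and the third sample line is constructed.

```shell
#!/bin/sh
# Added triage example (not VMware code). Function names are hypothetical;
# the log paths and the error string come from the article.

PATTERN='Failed to load certificate chain from <inline>'

# Returns 0 only if OpenSSL can parse the file as an X.509 certificate
# (same command as in the article, without the text dump).
cert_loads() {
    openssl x509 -noout -in "$1" >/dev/null 2>&1
}

# Prints "<timestamp> <service> <listener>" for every chain-load failure.
# Reads the named log files, or stdin when no file is given.
find_chain_failures() {
    grep -hF -- "$PATTERN" "$@" 2>/dev/null |
        sed -n 's/^\([^ ]*\) [a-z]* \([a-z]*\)\[[0-9]*\].*listener \([^:]*\): Failed.*/\1 \2 \3/p'
}

# Sample input: the two log lines quoted in the article, with one constructed
# line between them that must not match.
sample_log() {
    cat <<'EOF'
2020-09-25T21:15:28.865Z warning rhttpproxy[07720] [Originator@6876 sub=RhttpProxy] [Rhttpproxy clusters REST PUT Handler] Saving proxy configuration failed! Error code = 13, Message = Error adding/updating listener edge_https_v6: Failed to load certificate chain from <inline>
2020-09-25T21:15:30.001Z info rhttpproxy[07720] [Originator@6876 sub=RhttpProxy] constructed sample line with no certificate error
2020-09-25T21:15:55.580Z warning envoy[63897] [Originator@6876 sub=upstream] source/common/config/grpc_mux_impl.cc:226] gRPC config for type.googleapis.com/envoy.api.v2.Listener update rejected: Error adding/updating listener edge_https_v6: Failed to load certificate chain from <inline>
EOF
}

# On an appliance:
#   cert_loads <certificate>.crt || echo "certificate does not parse"
#   find_chain_failures /var/log/vmware/rhttpproxy/rhttpproxy.log \
#                       /var/log/vmware/envoy/envoy.log
sample_log | find_chain_failures
```

A certificate that fails cert_loads together with matches from both services corresponds to the symptom set listed above.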