vCenter Server 7.0 fails to start after replacing VMCA certificates with CA-signed certificates.
Article ID: 318156

Products

VMware vCenter Server

Issue/Introduction

This article documents a known issue; a fix is available in vCenter Server 7.0 Update 1c.

Symptoms:
When attempting to replace the Machine SSL certificate for vCenter with a custom CA-signed certificate, the vCenter Server service fails to start.
  • In /var/log/vmware/rhttpproxy/rhttpproxy.log, you see a log message similar to:
    2020-09-25T21:15:28.865Z warning rhttpproxy[07720] [Originator@6876 sub=RhttpProxy] [Rhttpproxy clusters REST PUT Handler] Saving proxy configuration failed! Error code = 13, Message = Error adding/updating listener edge_https_v6: Failed to load certificate chain from <inline>
  • Loading the certificate with OpenSSL returns the following error:
    Command: openssl x509 -text -noout -in <certificate>.crt
    Output: unable to load certificate
  • This is observed in vCenter Server and VxRail solutions before vCenter Server 7.0 Update 1c.
  • This is not observed in environments with a VMware Certificate Authority (VMCA) signed certificate.
  • In /var/log/vmware/envoy/envoy.log, Envoy may log a message similar to:
    2020-09-25T21:15:55.580Z warning envoy[63897] [Originator@6876 sub=upstream] source/common/config/grpc_mux_impl.cc:226] gRPC config for type.googleapis.com/envoy.api.v2.Listener update rejected: Error adding/updating listener edge_https_v6: Failed to load certificate chain from <inline>

Environment

VMware vCenter Server 7.0.x

Cause

Lines are stripped from the new certificate when the Envoy ADS service imports it into vCenter, so the resulting PEM chain can no longer be parsed. Envoy ADS is a new service introduced in vCenter Server 7.0; releases prior to 7.0 are not affected.
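The "unable to load certificate" output in the Symptoms section only says that OpenSSL could not parse the PEM; it does not say which block in the chain is damaged or why. The following added example (not VMware code, and not part of this article) shows what a stripped line looks like at the PEM level and how to pinpoint it: it checks each BEGIN/END block for the 64-character line width PEM writers emit, decodes the base64, and compares the DER length header against the number of bytes actually present. The sample "certificate" is a constructed bare DER SEQUENCE, not a real X.509 certificate, so the check is purely structural; the drop_line helper simulates the line loss described above.

```python
import base64
import binascii
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def der_total_length(der):
    """Total byte length a DER TLV claims for itself, or None if the header is malformed."""
    if len(der) < 2:
        return None
    first = der[1]
    if first < 0x80:                       # short-form length
        return 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_body(body):
    """Check one PEM body (base64 lines between the BEGIN/END markers)."""
    # PEM writers emit 64-character lines; a shorter interior line means text was cut.
    for n, line in enumerate(body[:-1]):
        if len(line) != 64:
            return "damaged", "interior line %d has %d chars, expected 64" % (n + 1, len(line))
    try:
        der = base64.b64decode("".join(body), validate=True)
    except (ValueError, binascii.Error) as exc:
        return "damaged", "base64 decode failed: %s" % exc
    if not der or der[0] != 0x30:
        return "damaged", "decoded bytes do not start with a DER SEQUENCE"
    # A whole 64-char line removed from the middle still decodes as base64 (64 is a
    # multiple of 4), so the DER length header is what catches that case.
    declared = der_total_length(der)
    if declared != len(der):
        return "damaged", "DER header declares %s bytes, body has %d" % (declared, len(der))
    return "ok", "%d bytes DER" % len(der)


def check_pem_chain(pem_text):
    """Return [(index, status, detail), ...] for each certificate block in the text."""
    lines = [l.strip() for l in pem_text.splitlines()]
    results, i, idx = [], 0, 0
    while i < len(lines):
        if lines[i] != BEGIN:
            i += 1
            continue
        try:
            j = lines.index(END, i + 1)
        except ValueError:
            results.append((idx, "damaged", "BEGIN without matching END marker"))
            return results
        body = [l for l in lines[i + 1:j] if l]
        results.append((idx,) + inspect_body(body))
        idx += 1
        i = j + 1
    if not results:
        results.append((0, "damaged", "no BEGIN CERTIFICATE marker found"))
    return results


def chain_is_loadable(pem_text):
    """True only if every block in the chain passed all structural checks."""
    return all(status == "ok" for _, status, _ in check_pem_chain(pem_text))


# --- constructed sample input (hypothetical, NOT a real certificate) ---
def make_pem(der):
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([BEGIN] + textwrap.wrap(b64, 64) + [END]) + "\n"

# DER SEQUENCE with a 198-byte payload: 3 header bytes + 198 = 201 bytes total,
# which base64-encodes to four 64-char lines plus one 12-char line.
SAMPLE_DER = b"\x30\x81\xc6" + bytes(range(198))
GOOD_CHAIN = make_pem(SAMPLE_DER) * 2          # "leaf" + "issuer", both intact


def drop_line(pem_text, line_no):
    """Simulate the import defect: remove one line from the PEM text."""
    lines = pem_text.splitlines()
    del lines[line_no]
    return "\n".join(lines) + "\n"

# Line index 2 is the second body line of the first block; the second block is untouched.
BROKEN_CHAIN = drop_line(GOOD_CHAIN, 2)

if __name__ == "__main__":
    for label, text in (("good", GOOD_CHAIN), ("broken", BROKEN_CHAIN)):
        print(label, check_pem_chain(text))
```

Running the block reports the good chain as two "ok" blocks and the broken chain as block 0 damaged (the DER header still declares 201 bytes while only 153 remain), block 1 ok. Against a real chain you would feed the file contents to check_pem_chain before comparing with what the appliance actually loaded; a "damaged" result with a correct source file points at the import path rather than at the CA's output.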

Resolution

This is a known issue, resolved in vCenter Server 7.0 Update 1c/P02: https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u1c-release-notes.html#server-configuration-issues-resolved

Workaround:
There is currently no universal workaround. VMware recommends updating to the vCenter Server release containing the fix.

Additional Information

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-70u1c-release-notes.html#server-configuration-issues-resolved

Impact/Risks:
This affects any release of vCenter Server 7.0 prior to 7.0 Update 1c.