"Failed to verify the SSL certificate" after upgrading to vCenter Server 5.5 U1 or later (2074942)


Symptoms

  • During the upgrade to vCenter Server 5.5 Update 1, you see this message:

    The vCenter certificates are weak and no longer supported with vCenter Server 5.5 Update 1 onward.

  • The stats.log file contains entries similar to:

    tomcat-http--17  WARN  org.apache.struts.util.PropertyMessageResources]   Resource com/vmware/vim/stats/webui/ApplicationResources_en_US.properties Not Found.
    tomcat-http--33  INFO  com.vmware.vim.stats.webui.filter.ClientTimezoneFilter] Forward to 'timezone.jsp' to get user time zone via JavaScript.
    tomcat-http--34  ERROR com.vmware.vim.stats.webui.filter.ViClientRequestActionSecurity] An error has occurred during security checks. Details: 
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    com.vmware.vim.stats.webui.SessionException: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints

    at com.vmware.vim.stats.webui.form.SessionContextImpl.<init>(Unknown Source)
    at com.vmware.vim.stats.webui.startup.StatsReportInitializer.createSessionContext(Unknown Source)


    The default location of the stats.log file is:

    • Windows 2000 and 2003: C:\%ALLUSERSPROFILE%\Application Data\VMware\VMware VirtualCenter\Logs\
    • Windows 2008 and 2012: C:\%ALLUSERSPROFILE%\VMware\VMware VirtualCenter\Logs\

Note: For additional symptoms and log entries, see the Additional Information section.

Purpose

If you cannot log in to vCenter Server after upgrading from 4.x or 5.x to 5.5 Update 1, regenerate the vCenter Server certificate with a stronger (longer) public key.

Cause

If you experience all of the symptoms listed, this issue occurs because the vCenter Server SSL certificate has a public key shorter than 1024 bits. vCenter Server 5.5 Update 1 updates the Java Runtime Environment (JRE) to version 7.0.450.18, which no longer supports a key length of less than 1024 bits.

Note: vCenter Server 5.x does not support SSL certificates with a key length of less than 1024 bits.

Resolution

To resolve this issue, regenerate the vCenter Server certificate with a stronger (longer) public key.

Caution: These caveats apply to replacing a vCenter Server certificate:
  • Replacing the vCenter Server certificate may result in ESXi hosts being disconnected from vCenter Server. A manual reconnection of the ESXi hosts may be required.
  • Plug-in components such as Update Manager, Site Recovery Manager, vCloud Director, Horizon View, and so on may need to be re-registered with vCenter Server.

To replace the vCenter Server SSL certificate:
  1. Copy this text and save it as openssl_config.cfg:

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS: vc55-1, IP:10.0.0.10, DNS:vc51-1.vmware.com

    [ req_distinguished_name ]
    countryName = US
    stateOrProvinceName = NY
    localityName = New York
    0.organizationName = VMWare
    organizationalUnitName = vCenterUniqueServer
    commonName = vc55-1.vmware.com

    Note: Edit the environment-specific values, that is the subjectAltName entries and the req_distinguished_name fields such as commonName, to match your environment.

  2. Save the openssl_config.cfg file to C:\Program Files\VMware\Infrastructure\Inventory Service\bin.

  3. Open a Windows command prompt as Administrator and change the directory to:

    C:\Program Files\VMware\Infrastructure\Inventory Service\bin

  4. Regenerate a self-signed certificate and key file using this command:

    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout rui.key -out rui.crt -config openssl_config.cfg -extensions v3_req

  5. Create the vCenter Server PFX file using this command:

    openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

    Note: Do not replace rui or testpassword with any other values.

  6. Once the rui.crt, rui.key, and rui.pfx files have been regenerated, replace the vCenter Server SSL certificate by following the steps in Configuring CA signed certificates for vCenter Server 5.5 (2061973).

Additional Information

You experience these additional symptoms:
 
  • After upgrading to vCenter Server 5.5 Update 1 from an earlier version with older certificates, logging in to the vSphere Web Client reports the error:

    Failed to verify the SSL certificate for one or more vCenter Server systems:https://vc55.domain.com:443/sdk

  • The Performance Charts tab fails and reports the error:

    Perf Charts service experienced an internal error

  • The Host Hardware Status tab for an ESXi host fails and reports the error:

    Cannot access the hardware monitoring service

  • The Storage Views tab fails and reports the error:

    The server 'vcenter_domain_name' could not interpret the client's request. (The remote server returned an error: (503) Server Unavailable.)

  • The Inventory Service ds.log file (default location C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs\) contains entries similar to:

    <TIME>,755 pool-19-thread-2 ERROR com.vmware.vim.dataservices.provider.VcProvider] Cannot login: com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    <TIME>,755 pool-19-thread-2 INFO com.vmware.vim.query.server.provider.impl.ProviderManagerServiceImpl] Cannot connect to provider: com.vmware.vim.query.server.store.exception.UnauthorizedException: not connected
    <TIME>,507 pool-19-thread-2 ERROR com.vmware.vim.dataservices.provider.VcProvider] Cannot login: com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    <TIME>,507 pool-19-thread-2 INFO com.vmware.vim.query.server.provider.impl.ProviderManagerServiceImpl] Cannot connect to provider: com.vmware.vim.query.server.store.exception.UnauthorizedException: not connected
    <TIME>,269 pool-19-thread-2 ERROR com.vmware.vim.dataservices.provider.VcProvider] Cannot login: com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    <TIME>,269 pool-19-thread-2 INFO com.vmware.vim.query.server.provider.impl.ProviderManagerServiceImpl] Cannot connect to provider: com.vmware.vim.query.server.store.exception.UnauthorizedException: not connected

  • The vSphere Web Client vsphere_client_virgo.log file (default location C:\ProgramData\VMware\vSphere Web Client\serviceability\logs) contains entries similar to:

    <TIME>.262] [INFO ] http-bio-9443-exec-7 70000055 100001 200001 com.vmware.vise.vim.commons.vcservice.impl.VcServiceImpl Initializing vmomi for vc - https://vc55.domain.com:443/sdk at VMODL version com.vmware.vim.binding.vim.version.internal.version9
    <TIME>.286] [ERROR] http-bio-9443-exec-7 70000055 100001 200001 com.vmware.vsphere.client.security.VimAuthenticationHandler Connection failure to vc https://vc55.domain.com:443/sdk com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified

  • The vCenter Management Web Services vws.log file (default location C:\ProgramData\VMware\VMware VirtualCenter\Logs\) contains entries similar to:

    <TIME>,927 localhost-startStop-1 INFO com.vmware.vim.vimclient.VimClientFactory] VMODL context has been initialized for CMS
    <TIME>,191 localhost-startStop-1 ERROR com.vmware.vim.vimclient.VimClientFactory] Failed VC client creation with exception
    com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    . . .
    Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    . . .
    Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
    . . .
    <TIME>,194 localhost-startStop-1 ERROR com.vmware.vim.cimmonitor.qs.provider.impl.QsHelperImpl] Vim configuration exception occured while registering provder
    com.vmware.vim.vimclient.exception.VimConfigException: Failed VC client creation with exception

  • The vCenter Server vpxd.log file (default location C:\ProgramData\VMware\VMware VirtualCenter\Logs\) contains entries similar to:

    T <TIME>.084Z [04712 warning 'ProxySvc'] SSL Handshake failed for stream <io_obj p:0x00000000095fdd88, h:2540, <TCP '192.168.2.55:443'>, <TCP '192.168.2.55:57823'>>, error: class Vmacore::Ssl::SSLException(SSL Exception: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown)
    T <TIME>.836Z [04712 warning 'ProxySvc'] SSL Handshake failed for stream <io_obj p:0x0000000009609338, h:2624, <TCP '192.168.2.55:443'>, <TCP '192.168.2.55:57824'>>, error: class Vmacore::Ssl::SSLException(SSL Exception: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown)
    T <TIME>.587Z [02620 warning 'ProxySvc'] SSL Handshake failed for stream <io_obj p:0x0000000009608ef8, h:2540, <TCP '192.168.2.55:443'>, <TCP '192.168.2.55:57825'>>, error: class Vmacore::Ssl::SSLException(SSL Exception: error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown)

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

To verify the key length of the vCenter Server certificate:

  1. Open the rui.crt file located at C:\ProgramData\VMware\VMware VirtualCenter\SSL.
  2. Click the Details tab and scroll to the Public Key field.
  3. Check whether the value is less than 1024 bits.
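The same key-length check done programmatically, as an added example that is not VMware's code: a standard-library Python script that parses a PEM certificate such as rui.crt, locates the RSA SubjectPublicKeyInfo in the DER, and reports whether the modulus meets the 1024-bit minimum, so it can be run before the upgrade and again after regeneration. Because no real certificate is included, sample_cert_pem builds a constructed, certificate-shaped stand-in (labelled as such in the code) purely to exercise the parser.

```python
import base64
import ssl
RSA_OID = bytes.fromhex("2a864886f70d010101")  # DER of rsaEncryption, OID 1.2.840.113549.1.1.1
MIN_BITS = 1024                                  # shortest RSA modulus the updated JRE accepts

def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der: bytes) -> int:         # find rsaEncryption SubjectPublicKeyInfo anywhere
    stack = [der]
    while stack:
        buf, pos = stack.pop(), 0
        while pos + 2 <= len(buf):
            tag, val, pos = read_tlv(buf, pos)
            if tag == 0x30 and len(val) > 2:     # SEQUENCE: SubjectPublicKeyInfo candidate?
                t_alg, alg, p = read_tlv(val, 0)
                if t_alg == 0x30 and len(alg) > 2 and p + 2 <= len(val):
                    t_oid, oid, _ = read_tlv(alg, 0)
                    t_key, key_bits, _ = read_tlv(val, p)
                    if t_oid == 0x06 and oid == RSA_OID and t_key == 0x03:
                        _, rsa_key, _ = read_tlv(key_bits[1:], 0)  # skip unused-bits octet
                        _, modulus, _ = read_tlv(rsa_key, 0)       # RSAPublicKey ::= SEQ {n, e}
                        return int.from_bytes(modulus, "big").bit_length()
            if tag & 0x20:                       # any constructed node: search inside it
                stack.append(val)
    raise ValueError("no rsaEncryption SubjectPublicKeyInfo found")

def cert_key_bits(pem: str) -> int:
    return rsa_modulus_bits(ssl.PEM_cert_to_DER_cert(pem))   # stdlib helper unwraps the PEM

def key_is_acceptable(pem: str) -> bool:
    return cert_key_bits(pem) >= MIN_BITS

# Constructed sample (not a real vCenter certificate): certificate-shaped DER with a modulus of exactly `bits` bits, as PEM.
def _der(tag: int, body: bytes) -> bytes:
    lb = b"" if len(body) < 0x80 else len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, len(body) if not lb else 0x80 | len(lb)]) + lb + body

def sample_cert_pem(bits: int) -> str:
    der_int = lambda v: _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
    rsa_key = _der(0x30, der_int((1 << (bits - 1)) | 1) + der_int(65537))
    alg = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))
    tbs = _der(0x30, _der(0xA0, der_int(2)) + der_int(1) + spki)
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

On the vCenter host, pass the contents of rui.crt to cert_key_bits; a result below 1024 is the condition this article's Resolution fixes.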

Tags

SSL Handshake failed for stream
