
Registering NSX Manager to Lookup Service with External Platform Service Controller (PSC) fails with the error: server certificate chain not verified (2132645)

  • 6 Ratings

Symptoms

  • In VMware NSX for vSphere 6.x, registering NSX Manager to the Lookup Service with External Platform Service Controller (PSC) fails.
  • You see the error:

    NSX Management Service operation failed (Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service.com.vmware.vim.vmoid.core.exception.CertificateValidationException. Server certificate chain not verified).


Cause

This issue occurs because the Lookup Service registrations still reference the fingerprint of the old Security Token Service (STS) certificate, which no longer matches the new CA root certificate that the Platform Services Controller trusts.

Resolution

To resolve this issue, replace the old Security Token Service (STS) certificate fingerprint in the Lookup Service registrations with the new certificate.

Note: This procedure only works in case of single site PSC with single site SSO domain.

To retrieve the old certificate from the Managed object Browser (MOB)

  1. Obtain the old fingerprint of the STS certificate on the Platform Services Controller (PSC) Windows machine from the Managed Object Browser (MOB).
  2. To open the MOB, go to https://<PSC_IP_or_FQDN>/lookupservice/mob?moid=ServiceRegistration&method=List in a browser.
  3. Log in to the browser using the administrator account of the PSC or administrator@vsphere.local.
  4. In the filterCriteria text field, modify the value field to show only the tags <filterCriteria></filterCriteria> and click Invoke Method. This displays the ArrayOfLookupServiceRegistrationInfo objects.

  5. Search for sts/STS on the page. Find the value of the corresponding sslTrust field. The content of that field is the Base64 encoded string of the old certificate.

  6. Copy the string from the ArrayOfString field in the row named sslTrust (next to the ArrayOfString type) and save it as a file named sts.cer.
  7. Import the sts.cer file using a certificate manager tool such as certmgr.msc. Extract the thumbprint, remove all of the spaces and any leading "?", and save the result as a text file named old.fprint.txt.

    After removal, you will have a string such as f4bf76aeefaaf3f09009cda4a2b624202bd49724, which is used later on the command line.

To retrieve the new certificate on a Platform Services Controller

Using External Platform Services Controller (PSC) on Windows:

  1. Open a Remote Desktop connection to the Windows External Platform Services Controller.
  2. Log in to an administrative command prompt.
  3. Run this command to view the new certificate:

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry list --store MACHINE_SSL_CERT --text |more

  4. Create a temporary folder on the c:\ drive. For example: c:\certificates.
  5. Run this command to export the new certificate to a file:

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output c:\certificates\new_sts.crt

Using External Platform Services Controller (PSC) appliance:

  1. Log in as root to the External Platform Services Controller (PSC) appliance.
  2. Create a temporary directory in /. For example: /certs.
  3. Run this command to export the new certificate to a file:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /certs/new_sts.crt
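Before running ls_update_certs.py it is worth confirming that the fingerprint you cleaned up from certmgr.msc really is the SHA-1 thumbprint of the certificate in the sslTrust field, and that the exported new_sts.crt is actually a different certificate. The following script is an added example, not part of this KB article or of any VMware tool: it assumes that sslTrust holds the Base64 of the DER certificate, that vecs-cli wrote new_sts.crt in PEM format, and that the certmgr thumbprint is SHA-1 over the DER bytes. The "old" and "new" certificate bytes below are constructed placeholders so the script runs offline; on a real PSC you would feed it the sslTrust string and the exported file instead.

```python
import base64
import hashlib
import re


def normalize_thumbprint(raw: str) -> str:
    """Clean a thumbprint copied from certmgr.msc: drop the invisible leading
    marker (which shows up as "?"), spaces and colons, and lowercase it."""
    cleaned = raw.replace("\ufeff", "").replace("\u200e", "").lstrip("?")
    cleaned = re.sub(r"[\s:]", "", cleaned).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", cleaned):
        raise ValueError(f"not a 40-hex-digit SHA-1 thumbprint: {cleaned!r}")
    return cleaned


def der_from_ssltrust(ssl_trust: str) -> bytes:
    """sslTrust in the Lookup Service MOB is the Base64 of the DER certificate
    (assumption stated in the lead-in). Whitespace from copy/paste is ignored."""
    return base64.b64decode("".join(ssl_trust.split()))


def der_from_pem(pem_text: str) -> bytes:
    """Extract the DER bytes from a PEM file such as new_sts.crt."""
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))


def sha1_fingerprint(der: bytes) -> str:
    """The certmgr.msc thumbprint is SHA-1 over the DER encoding."""
    return hashlib.sha1(der).hexdigest()


def check_update_inputs(ssl_trust: str, copied_thumbprint: str, new_pem: str) -> dict:
    """Sanity-check the two values handed to ls_update_certs.py:
    --fingerprint must be the thumbprint of the old STS certificate from the MOB,
    and --certfile must be a different (new) certificate."""
    old_fp = sha1_fingerprint(der_from_ssltrust(ssl_trust))
    new_fp = sha1_fingerprint(der_from_pem(new_pem))
    return {
        "old_fingerprint": old_fp,
        "old_matches_copied": old_fp == normalize_thumbprint(copied_thumbprint),
        "new_fingerprint": new_fp,
        "changed": old_fp != new_fp,
    }


def pem_wrap(der: bytes) -> str:
    """Constructed helper: wrap DER bytes as a PEM block, the way vecs-cli exports."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Constructed placeholder bytes standing in for the old and new DER certificates.
    old_der = b"constructed-old-sts-certificate"
    new_der = b"constructed-new-sts-certificate"
    # What the MOB would show in sslTrust for the old certificate.
    ssl_trust = base64.b64encode(old_der).decode()
    # What certmgr.msc would show for the old thumbprint: leading "?", spaces, upper case.
    fp = sha1_fingerprint(old_der).upper()
    copied = "?" + " ".join(fp[i:i + 2] for i in range(0, 40, 2))
    result = check_update_inputs(ssl_trust, copied, pem_wrap(new_der))
    for key, value in result.items():
        print(f"{key}: {value}")
```

If old_matches_copied is False, the fingerprint in old.fprint.txt was taken from the wrong certificate or still contains stray characters; if changed is False, new_sts.crt is the same certificate that is already registered and the update would be a no-op.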

To run ls_update_certs.py on an External Platform Services Controller

Using External Platform Services Controller (PSC) on Windows:

  1. Open a Remote Desktop connection to the Windows External Platform Services Controller.
  2. Open an administrative command prompt.
  3. Change directories to C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\ by running this command:

    cd C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\

  4. Run this command, replacing Username and Password with your administrator credentials, the fingerprint with the contents of old.fprint.txt, and the certfile with the path to new_sts.crt:

    "%VMWARE_PYTHON_BIN%" ls_update_certs.py --url https://psc.domain.com/lookupservice/sdk --fingerprint <Old Certificate Fingerprint content from above> --certfile <New Certificate Path from above> --user Username --password Password

    When it completes, you will see the Updated 7 service(s) message.
  5. Re-register the NSX Manager with the PSC Lookup services.

Using External Platform Services Controller (PSC) appliance:

  1. Log in as root to the External Platform Services Controller (PSC) appliance.
  2. Change directories to:

      /usr/lib/vmidentity/tools/scripts/
     
  3. Run this command, replacing Username and Password with your administrator credentials, the fingerprint with the old fingerprint retrieved above, and the certfile with the path to new_sts.crt:

    python /usr/lib/vmidentity/tools/scripts/ls_update_certs.py --url https://psc.domain.com/lookupservice/sdk --fingerprint <Old Certificate Fingerprint content from above> --certfile <New Certificate Path from above> --user Username --password Password

  4. When it completes, you will see the Updated 9 service(s) message (the count is 9 on the appliance platform).
  5. Re-register the NSX Manager with the PSC lookup services.
