
vCenter Server or Platform Services Controller certificate validation error for external VMware Solutions in vSphere 6.0 (2109074)


Details

Some solutions, such as VMware vCenter Site Recovery Manager, VMware vSphere Replication, or VMware vCenter Support Assistant might be installed on a different machine than the vCenter Server system or Platform Services Controller.

If you replace the Machine SSL certificate on the vCenter Server or the Platform Services Controller, a connection error results when the solution attempts to connect to the vCenter Server or Platform Services Controller. The reason is that the vCenter Server system and the Platform Services Controller use the new certificate, but the corresponding service registrations with the VMware Lookup Service are not updated. When solutions connect to vCenter Server or Platform Services Controller, they look at the service registration, which includes the service URL and the sslTrust string. By default, the sslTrust string remains the Base64-encoded old certificate even if you replaced the certificate successfully.

The following errors are observed when you attempt to connect to the vCenter Server or the Platform Services Controller:
  • vSphere Replication

    Unable to obtain SSL certificate: The vCenter Server vCenter_FQDN is not correctly registered in LookupService

  • vRealize Orchestrator

    vSphere Authentication configuration fails with error Failed with error : Error ! An error occurred while retrieving the Single Sign-On token from; https://vCenter/lookupservice/sdk

    In the controlcenter.log, you see entries similar to:


    2017-06-20 10:29:53.766+0000 [https-jsse-nio-8283-exec-2] WARN [SiteAffinityServerEndpointProvider] CDC not configured java.lang.NoClassDefFoundError: com/vmware/identity/cdc/CdcFactory
    2017-06-20 10:29:53.776+0000 [https-jsse-nio-8283-exec-2] ERROR [ConfigureAuthProvider] [xxxxxxxx-23b0-4cb9-9583-xxxxxxxxxxxx] Register authentication error: authentication: Authentication: state = CONNECTED, url =
    https://xx.xx.xx.xx/lookupservice/sdk , certificateAlias = vco.vsphere.lookup-service.ssl.certificate, username = administrator@vsphere.local , password = ******, importCertificates = false, configureLicences = true, certificate = [TrustedEntity [id=vco.vsphere.lookup-service.ssl.certificate, [XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX], TrustedEntity [id=imported:3351b814-6d13-44a5-8
    e84-4b99d38ad917, [YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY YY], TrustedEntity [id=imported:7251f30f-e3e3-46c5-bafa-4a836890c6f0, [ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ]
    ]], service provider host =
    https://XX.XX.XXX.XXX:8283 Sso Authentication: ssoUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6 , stsUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@258c72f6 , adminUrlEndpoint = com.vmware.vcac.componentregistry.rest.stubs.EndPoint@2df8d253 , ssoSslAlias = vco.sso.ssl.certificate, authenticationTokenType = saml, clientId = null, clientSecret = , adminGroup = null, adminGroupDomain = null, defaultTenant = vsphere.local, ssoClockTolerance = 300, tokenLifetimeInSeconds = 7776000, ssoTokenRenewCount = 5
    com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match
    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.execute(VmomiClientCommand.java:112)
    at com.vmware.vim.sso.admin.client.vmomi.impl.VmomiClientCommand.executeEnsuringNoDomainError(VmomiClientCommand.java:217)
    at com.vmware.vim.sso.admin.client.vmomi.impl.AdminClientImpl.createServiceContent(AdminClientImpl.java:334)


  • vCenter Site Recovery Manager

    SRM server with GUID GUID of vCenter not paired.
    Failed to connect to vCenter Server at vCenter_FQDN:443/sdk. Reason:
    com.vmware.vim.vmomi.core.exception CertificateValidationException: Server certificate chain not verified.


  • VMware NSX for vSphere (NSX-v)

    NSX Management Service operation failed.(Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified)

  • VMware Integrated OpenStack

    Connection failed!
    Please check whether the server has enabled SSO from management server log at:/installer.log.


    In the VMware Integrated OpenStack installer.log file, you see entries similar to:

    [2015-04-10 14:49:18,848 main ERROR com.vmware.vim.install.impl.AdminServiceAccess] com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    [2015-04-10 14:49:18,849 main DEBUG com.vmware.vim.install.impl.AdminServiceAccess]
    com.vmware.vim.sso.admin.exception.CertificateValidationException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified

  • VMware vCenter Support Assistant

    Something failed. Try Again.
    com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
    Server certificate chain not verified
    peer not authenticated


  • VMware Customer Experience Improvement Program

    The vSphere Web Client reports:

    Error occurred while processing request. Check vSphere WebClient logs for details.

    The vsphere_client_virgo.log reports an error similar to:

    [2015-10-07T13:08:41.001Z] [ERROR] http-bio-9090-exec-3 70000101 100009 200004 com.vmware.vsphere.client.ceip.impl.CeipServiceImpl Error occurred in showNotification. com.vmware.vim.binding.vmodl.fault.SystemError: Internal server error.

    For more information on log locations, see Location of VMware vCenter Server 6.0 log files (2110014).

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

The problem occurs in any of these situations:
  • You replace the machine SSL certificate on an embedded deployment.
  • You replace the machine SSL certificate on the Platform Services Controller in an installation with an external Platform Services Controller.
  • You replace the machine SSL certificate on a vCenter Server system in an installation with an external Platform Services Controller.

Solution



Notes:
  • Installing vCenter Server 6.0 Update 1b on a system that is affected does not resolve the issue until you replace the certificates again.
  • The update resolves the issue for certificate replacement with the Certificate Manager utility. The update does not resolve the issue for certificate replacement from the Platform Services Controller UI.

If you use the Platform Services Controller UI to replace the certificates, you can resolve this issue by running the ls_update_certs script on the Platform Services Controller. With external solutions, certificate replacement proceeds as follows:
  • Extract the old certificate from your vCenter Server system or Platform Services Controller for later use.
  • Perform the certificate replacement, either by using the Certificate Manager utility or by running certificate management CLI commands.
  • Run the ls_update_certs script, passing in the old certificate and new certificate.
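
To confirm which registrations still carry the old certificate before and after the procedure above, the sslTrust strings can be compared by thumbprint against the old and new certificates. The following is an added example, not VMware's ls_update_certs script; the registration dict layout, host names, certificate bytes and the use of SHA-1 for the thumbprint are assumptions made for illustration.

```python
import base64
import hashlib
import re

def der_from_text(text):
    """Accept a PEM block or a bare Base64 sslTrust string; return DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return base64.b64decode("".join(body.split()), validate=True)

def thumbprint(der):
    """SHA-1 thumbprint as colon-separated upper-case hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def classify_registrations(registrations, old_pem, new_pem):
    """Sort registrations by whether sslTrust holds the new, old or another cert."""
    old_tp = thumbprint(der_from_text(old_pem))
    new_tp = thumbprint(der_from_text(new_pem))
    report = {"current": [], "stale": [], "unknown": []}
    for reg in registrations:
        tp = thumbprint(der_from_text(reg["sslTrust"]))
        state = "current" if tp == new_tp else "stale" if tp == old_tp else "unknown"
        report[state].append((reg["url"], tp))
    return report

def to_pem(der):
    """Wrap DER bytes in PEM armor, as an extracted certificate file would be."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed placeholder bytes standing in for DER certificates (not real certs).
OLD_DER = b"constructed-old-machine-ssl-certificate" * 4
NEW_DER = b"constructed-new-machine-ssl-certificate" * 4
OTHER_DER = b"constructed-unrelated-certificate" * 4
OLD_PEM, NEW_PEM = to_pem(OLD_DER), to_pem(NEW_DER)

# Constructed registrations; the "url"/"sslTrust" dict layout is an assumption.
REGISTRATIONS = [
    {"url": "https://psc.example.test/lookupservice/sdk", "sslTrust": base64.b64encode(NEW_DER).decode()},
    {"url": "https://vc.example.test:443/sdk", "sslTrust": base64.b64encode(OLD_DER).decode()},
    {"url": "https://other.example.test/sdk", "sslTrust": base64.b64encode(OTHER_DER).decode()},
]

if __name__ == "__main__":
    for state, entries in classify_registrations(REGISTRATIONS, OLD_PEM, NEW_PEM).items():
        for url, tp in entries:
            print(f"{state:8} {url} {tp}")
```

Any entry reported as stale is a registration that external solutions will reject with a certificate validation error; an entry reported as unknown matches neither certificate and should be investigated before running the update.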