VMware Cloud Community
MBreidenbach0
Hot Shot

VCSA 6.5U1 appliance management interface uses self signed certificate after certificate replacement

Using a single VCSA 6.5U1 with embedded PSC in my lab environment.

VMCA is configured as subordinate CA of MS Enterprise CA.

Used certificate manager from CLI to replace all certificates some time ago.

Web Client uses new certificates. All browsers are happy.

While checking for VCSA updates (now running 6.5.0.10100 Build Number 6671409) I noticed that the VCSA appliance management at port 5480 still uses the old 'VMware default certificate', which Chrome now really hates; I have to type 'badidea' to go from the certificate warning to the appliance management login.

So far I didn't find any information how to fix this.

How do I replace the certificate used by appliance management?


Accepted Solution
mhampto
VMware Employee

There are some steps available here: Replace self-signed certificates with intermediate CA certificates

Please make sure to backup beforehand as these have not been tested and are run at your own risk.


3 Replies
MBreidenbach0
Hot Shot

Thank you; I'll try the solution suggested there in my lab.

There doesn't seem to be an official supported way to do this.

MBreidenbach0
Hot Shot

There's now a VMware Knowledge Base article: VAMI does not display the new certificate after changing vCenter Server Appliance 6.x certificates (2136693).

Symptoms

After changing the vCenter Server Appliance 6.x certificates, the VMware Appliance Management Interface (VAMI) accessed through https://vcenter_fqdn:5480 does not display the new certificate.


Resolution

This is a known issue affecting vCenter Server Appliance 6.x.

Currently, there is no resolution.

To work around this issue:

vCenter Server Appliance 6.5:

  1. Log in to the vCenter Server Appliance through SSH.
  2. Type shell and press Enter.
  3. Copy the CA certificate chain to:

    /etc/applmgmt/appliance/ca.crt

  4. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file using a text editor.
  5. Add the entry:

    ssl.ca-file="/etc/applmgmt/appliance/ca.crt"

  6. Restart the VAMI service:

    /etc/init.d/vami-lighttp restart

vCenter Server Appliance 6.0:

  1. Log in to the vCenter Server Appliance through SSH.
  2. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  3. Type shell and press Enter.
  4. Run this script:

    /usr/lib/applmgmt/support/scripts/postinstallscripts/lighttpd-vecs-integration.sh

    You see output similar to:

    Wed Nov 4 10:10:16 UTC 2015: Updating Appliance UI SSL certificate.
    Wed Nov 4 10:10:16 UTC 2015: Appliance UI updated to use VECS MACHINE_SSL_CERT
    Wed Nov 4 10:10:16 UTC 2015: Reloading Appliance UI.
    Shutting down vami-lighttpd:done.
    Starting vami-lighttpd:2015-11-04 10:10:21:
    (/build/mts/release/bora-2250291/vadk/src/vami/apps/lighttpd/1.4.29/src/network.c.239)
    warning: please use server.use-ipv6 only for hostnames, not without server.bind / empty address; your config will break if the kernel default for IPV6_V6ONLY changes done.

  5. Copy the CA certificate chain to:

    /etc/applmgmt/appliance/ca.crt

  6. Open the /opt/vmware/etc/lighttpd/lighttpd.conf file using a text editor.
  7. Add the entry:

    ssl.ca-file="/etc/applmgmt/appliance/ca.crt"

  8. Restart the VAMI service:

    /etc/init.d/vami-lighttp restart
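As an added example that is neither part of this thread nor of the KB article: a small POSIX shell helper that applies the lighttpd.conf step of the workaround above (steps 3 to 5 for 6.5, steps 5 to 7 for 6.0). It goes slightly beyond the KB text by refusing to touch the config when the CA chain file is missing, by keeping a timestamped backup of lighttpd.conf, and by being safe to run twice; the `add_ca_entry` and `has_ca_entry` names are my own, and the default paths are the ones the KB names.

```shell
#!/bin/sh
# Added example (not VMware's code): apply the ssl.ca-file workaround
# from KB 2136693 to the VAMI lighttpd config in a repeatable way.

# Defaults taken from the KB article; override via environment for a dry run.
CONF="${CONF:-/opt/vmware/etc/lighttpd/lighttpd.conf}"
CA_FILE="${CA_FILE:-/etc/applmgmt/appliance/ca.crt}"

# has_ca_entry CONF CA_FILE
# Returns 0 when CONF already contains the exact line
#   ssl.ca-file="CA_FILE"
# (-x: whole line, -F: fixed string, so dots and slashes are literal).
has_ca_entry() {
  grep -qxF "ssl.ca-file=\"$2\"" "$1"
}

# add_ca_entry CONF CA_FILE
# Prints "present" if the entry is already there, "added" after appending it.
# Returns 2 without touching CONF when the CA chain file cannot be read,
# so a typo in the path never leaves lighttpd pointing at a missing file.
add_ca_entry() {
  conf="$1"
  cafile="$2"
  if [ ! -r "$cafile" ]; then
    echo "CA chain not readable: $cafile" >&2
    return 2
  fi
  if has_ca_entry "$conf" "$cafile"; then
    echo present
    return 0
  fi
  # Keep a copy of the config before changing it (the accepted answer
  # above asks for a backup first).
  cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
  printf 'ssl.ca-file="%s"\n' "$cafile" >> "$conf"
  echo added
}

# Set VAMI_APPLY=1 on the appliance to run against the real paths;
# left off by default so sourcing this file changes nothing.
if [ "${VAMI_APPLY:-0}" = 1 ]; then
  add_ca_entry "$CONF" "$CA_FILE"
fi
```

After the entry is in place, restart the service with `/etc/init.d/vami-lighttp restart` as the KB describes and confirm from a browser that port 5480 now presents the VMCA-issued chain.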