VMware Cloud Community
pentium3nl
Contributor
Contributor

vRealize Automation: WAPI - untrusted certificate chain

Dear Everyone,

Im running into an issue with our vrealize automation install (v7.3).

On a minimum install, we had to replace the certificate on the iaas server.

After registering all the endpoints, everything worked except for the following:

2017-10-05 09:17:00,265 vcac: [component="cafe:event-broker" priority="INFO" thread="ebs-queue-pool-executer-3" tenant="" context="" parent="" token=""] com.vmware.vcac.eventlog.auditing.saveEvent:90 - Exception thrown for IaaS endpoint: https://iaas1/WAPI/  - Error Message: java.security.cert.CertificateException: Untrusted certificate chain.

I tried to register:

c:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe>Vcac-Config.exe RegisterEndpoint --EndpointAddress https://iaas1/WAPI --Endpoint wapi -v

even with a rebuild of the trust:

(Incorrect vRealize Automation Component Service Registrations)

Or add the chain certificates to the java keystore.

But nothing seems to work.

As automation is completely unusable right now, any help would be appreciated.

PS. on the applience, all the services show registered except for:

release-management

com.vmware.csp.component.devops.release.management

2017 Oct 5 11:15:15

UNAVAILABLE

But that was the case from the beginning. Further more, there are no more errors.

Full Exception:

2017-10-05 09:17:00,020 vcac: [component="cafe:iaas-proxy" priority="INFO" thread="tomcat-http--31" tenant="vsphere.local" contex

t="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:51

- Default SSL Certificate: 261966366051175164202210355019191434353

2017-10-05 09:17:00,020 vcac: [component="cafe:iaas-proxy" priority="WARN" thread="tomcat-http--31" tenant="vsphere.local" contex

t="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:61

- Untrusted certificate chain:

2017-10-05 09:17:00,020 vcac: [component="cafe:iaas-proxy" priority="WARN" thread="tomcat-http--31" tenant="vsphere.local" contex

t="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:63

- Untrusted certificate with serial number: [275575002430767747207576006487004385936] and thumbprint: [B0:95:0A:40:F6:85:F3:0F:D

B:DD:D8:BE:85:F7:62:10:71:44:60:69]

2017-10-05 09:17:00,021 vcac: [component="cafe:iaas-proxy" priority="WARN" thread="tomcat-http--31" tenant="vsphere.local" contex

t="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:63

- Untrusted certificate with serial number: [57397899145990363081023081275480378375] and thumbprint: [33:9C:DD:57:CF:D5:B1:41:16

:9B:61:5F:F3:14:28:78:2D:1D:A6:39]

2017-10-05 09:17:00,021 vcac: [component="cafe:iaas-proxy" priority="WARN" thread="tomcat-http--31" tenant="vsphere.local" contex

t="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:63

- Untrusted certificate with serial number: [52374340215108295845375962883522092578] and thumbprint: [F5:AD:0B:CC:1A:D5:6C:D1:50

:72:5B:1C:86:6C:30:AD:92:EF:21:B0]

2017-10-05 09:17:00,021 vcac: [component="cafe:iaas-proxy" priority="ERROR" thread="tomcat-http--31" tenant="vsphere.local" conte

xt="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.iaas.gateway.impl.BaseGatewayImpl.mapIaasGatewayException:91 -

Exception thrown for IaaS endpoint: https://iaas1/WAPI/ , message: java.security.cert.CertificateExceptio

n: Untrusted certificate chain.

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.

        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_131]

        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[?:1.8.0_131]

        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_131]

        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_131]

        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_131]

        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_131]

        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_131]

        at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_131]

        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_131]

        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_131]

        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_131]

        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_131]

        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394) ~[httpcli

ent-4.5.2.jar:4.5.2]

Reply
0 Kudos
3 Replies
daphnissov
Immortal
Immortal

Try to replace the cert through the VAMI. As long as the management agent is checking in, you should be able to do so, and it'll reestablish the chain of trust. If it's still not working, describe the certificate type you're attempting to use.

Reply
0 Kudos
storage_god
Contributor
Contributor

Were you able to figure this out? I have the same issue.

Reply
0 Kudos
YestoVI
VMware Employee
VMware Employee

you need the complete cert chain, in the following order

1. cert

2. intermediate

3. root

Reply
0 Kudos