VMware Cloud Community
dilettante

VDP 5.5 chokes on vCenter (Appliance 5.5) certificates

Hi,

I just changed our vCA's self-signed certificates, replaced them with certificates from our internal CA.

I followed VMware KB: Configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance 5...exactly.

Our CA server runs CentOS 6.5, which ships with OpenSSL > 0.9.8, which means keys are saved in a new key format (PKCS#8 vs. the "traditional" format.)

I transformed my vCenter keys back to the old format using "openssl rsa -in server.key -out server.rsa.key", which was actually mentioned in one VMware KB, too.

Just to summarize: I created four 2048-bit certificates using SHA512, having IP, FQDN and hostname as SAN and different organizationalUnitNames as mentioned in the above KB.

Keys were created in PKCS#8 format which seems to be standard since OpenSSL > 0.9.8n.

Well, everything seemed to work fine until I tried to connect to my VDP via vSphere Web Client. I got the message that the SSO service couldn't be reached and was asked whether I wanted to be redirected to the VDP's management page.

I took a look into /usr/local/avamar/var/vdr/server_logs/vdr-server.log and found this:

2014-02-11 17:46:17,632 INFO  [com.emc.vdp2.server.VDRServer$1]-server.ConnectionService: Trying to establish connection with vCenter.
2014-02-11 17:46:17,642 INFO  [com.emc.vdp2.server.VDRServer$1]-service.AdapterUtils: MCS Web Services URL: https://server:9443/services/mcService  MCUserId="MCUser"  MCUserPswd="*****************************"
2014-02-11 17:46:18,162 INFO  [com.emc.vdp2.server.VDRServer$1]-service.ServiceInstance: ServiceInstanceMoref desc=Service Id: urn:uuid:SOMEID name=urn:uuid:SOMEID value=SERVICE
2014-02-11 17:46:18,178 INFO  [com.emc.vdp2.server.VDRServer$1]-vi.VCenterServiceImpl: Found VCenter 'server' in domain 'server' which has 'VirtualMachines' as subDomain
2014-02-11 17:46:18,190 ERROR [com.emc.vdp2.server.VDRServer$1]-server.ConnectionService: Unable to get the vi access
java.rmi.RemoteException: VI SDK invoke exception:javax.net.ssl.SSLProtocolException: Certificate contains invalid public key: Invalid RSA (1.2.840.113549.1.1.1) public key encoding.
        at com.vmware.vim25.ws.WSClient.invoke(WSClient.java:213)
        at com.vmware.vim25.ws.WSClient.invoke(WSClient.java:137)
        at com.vmware.vim25.ws.VimStub.retrieveServiceContent(VimStub.java:1480)
        at com.vmware.vim25.mo.ServiceInstance.<init>(ServiceInstance.java:99)
        at com.vmware.vim25.mo.ServiceInstance.<init>(ServiceInstance.java:83)
        at com.emc.vdp2.common.vi.VIAccess.getServiceInstance(VIAccess.java:200)
        at com.emc.vdp2.server.ConnectionService.run(ConnectionService.java:55)
        at java.lang.Thread.run(Unknown Source)

Thing is, I can't make backups right now. A certificate rollback is possible but would only be a short-term solution.

Accepted Solutions
dilettante

Although VMware states it is best practice to use 2048-bit certificates for servers, nothing is said about the CA certificates. VMware vCenter Appliance 5.5 works fine with 2048-bit server certs and 8192-bit CA certs. VDP on the other hand does not like 8192-bit certs.

As we were in the process of enabling a new CA and testing it first with our VMware environment, we could create a new one with 4096 bits.

VMware and certificates seem to be a complicated, depressing and never-ending story.
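The key-size mismatch described above, as an added example that is not part of the original thread: a stdlib-only Python audit that reads the RSA modulus size out of every certificate or public key in a PEM bundle and flags anything above 4096 bits, the largest CA key size the reply found VDP accepting. `sample_spki_pem` builds a constructed SubjectPublicKeyInfo (not a real key) so the script runs offline; the 4096-bit threshold and the helper names are this example's assumptions.

```python
import base64, re

# DER TLV for OID 1.2.840.113549.1.1.1 (rsaEncryption, the OID in the VDP error); signature-algorithm
# OIDs (sha256WithRSAEncryption, ...) differ in the last arc, so in a certificate this only matches the SPKI.
RSA_OID = bytes.fromhex("06092a864886f70d010101")

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def rsa_key_bits(der):
    """Modulus size in bits of the RSA key in a DER certificate or SubjectPublicKeyInfo."""
    i = der.find(RSA_OID)
    p = i + len(RSA_OID)
    if i < 0 or der[p:p + 2] != b"\x05\x00":        # AlgorithmIdentifier.parameters must be NULL
        raise ValueError("no rsaEncryption SubjectPublicKeyInfo found")
    tag, start, _ = _tlv(der, p + 2)                # subjectPublicKey BIT STRING; first byte = unused bits
    if tag != 0x03 or der[start] != 0:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    seq, start, _ = _tlv(der, start + 1)            # RSAPublicKey ::= SEQUENCE { modulus, publicExponent }
    tag, start, end = _tlv(der, start)              # modulus INTEGER (leading 0x00 sign pad adds no bits)
    if seq != 0x30 or tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(der[start:end], "big").bit_length()

def pem_blocks(pem_text):
    """Yield DER bytes for each CERTIFICATE or PUBLIC KEY block in a PEM bundle."""
    for body in re.findall(r"-----BEGIN (?:CERTIFICATE|PUBLIC KEY)-----(.*?)-----END", pem_text, re.S):
        yield base64.b64decode("".join(body.split()))

def oversized_keys(pem_text, max_bits=4096):
    """(index, bits) for every block whose RSA key exceeds max_bits (assumed VDP-safe limit: 4096)."""
    return [(n, b) for n, der in enumerate(pem_blocks(pem_text)) if (b := rsa_key_bits(der)) > max_bits]

def _der(tag, value):
    """Minimal DER TLV encoder, used only to construct the sample key below."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + value

def sample_spki_pem(bits):
    """Constructed SubjectPublicKeyInfo PEM with an arbitrary odd modulus of the given size (not a real key)."""
    modulus = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")   # top bit set, so pad INTEGER with 0x00
    rsa_key = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsa_key))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % base64.b64encode(spki).decode()
```

On a real deployment, run `oversized_keys(open("chain.pem").read())` against the concatenated server and CA certificates before importing them, so an oversized CA key is caught before VDP refuses the connection.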
