VMware Cloud Community
lowey71
Contributor

Using CA signed certs on vCenter 5.5U2 appliance and SRM 5.8 (vPostgres)

Upgraded all our vCenters to 5.5U2.  Also upgraded to the latest vSphere Replication.  No issues.  All working well.

Tried to (re)install SRM components with 5.8

One site is using a Windows vCenter, and the upgrade went fine, using a P12 CA-signed cert during installation.

The other site is using the vCenter appliance.  When installing SRM 5.8 with the P12 cert, I receive the following:

---

Failed to validate certificate:

Details:

VMware vCenter Site Recovery Manager's client certificate is not trusted by vCenter Server.

---

and I am unable to continue.

Tried installing the intermediate cert on the Windows SRM host.  Also tried adding the intermediate cert into the P12 file, but I receive a message about the cert not being correct.

I feel that this is something to do with the intermediate cert not being given to the vCenter server, which is thus unable to fully validate the cert chain.  I don't know if this can be installed on the vCenter appliance so that it is able to validate the chain that way.

I have logged a call regarding this, but I am wondering if anyone has come across this and might have a workaround.

Accepted Solution

asenov
VMware Employee

Hi Lowey,

To make SRM certificates trusted by vCenter Server you should do the following:

1. Copy the CA cert file (not sure if only the intermediate one would be enough or the whole chain) into /etc/ssl/certs on the vCenter appliance

2. Run c_rehash in the vCenter appliance console

Regards,

Asen

6 Replies
basher
VMware Employee

Hi and welcome to VMware Communities

Are you upgrading SRM from 5.5 to 5.8 or is it a new install?

On the site with vCenter Appliance, are you using a CA signed cert on vCenter or is it self-signed?

Thanks

Stefan

Director - VMware Site Recovery Manager
jordanovi
VMware Employee

Hi Lowey

If you use custom certificate-based authentication, you must use certificates signed by a CA that both the vCenter Server and SRM Server instances trust, on both the protected site and the recovery site. You can use a certificate that is signed by a different CA on each site if both CAs are installed as trusted Root CAs on both sites.

More details can be found in the doc chapter Site Recovery Manager Authentication.

Please also note that you must copy the certificates of the signing CA to the host machine on which the vSphere Web Client service is running (subtopic Provide Trusted CA Certificates to vSphere Web Client).

Hope this helps

Ivan

lowey71
Contributor

Basically an install.  I wanted to migrate to the vPostgres DB, so I fully uninstalled SRM (we don't have many machines in SRM, so not much data was lost).

lowey71
Contributor

All the certificates are signed by a trusted root CA (via an intermediate).

Existing Web client connections to vCenter are all fine (cert accepted OK - 'green' https)

Quick test (s_client takes the host and port via -connect):

# openssl s_client -connect vcenter:443

or

# openssl s_client -connect vcenter:9443

or

# openssl s_client -connect vcenter:8443

CONNECTED(00000003)
---
Certificate chain
 0 s:/<REMOVED>
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G2
 1 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G2
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
 2 s:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2
   i:/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2

lowey71
Contributor

Fixed.  Copied the intermediate into /etc/ssl/certs, ran c_rehash, and was able to join successfully!

Wasn't sure if vCenter used the OS SSL library or not.  Now I do.

Many thanks Asen
