VMware Cloud Community
jburen
Expert

Unable to replace SSL certificate

I installed vRealize Operations Manager 8.1 and tried to change the SSL certificate. I worked through VMware Knowledge Base but when I select the PEM file I get an error: Operation Failed. If the error persists contact VMware support.

I checked the PEM file with openssl and everything seems ok. In the casa.log I see this:

2020-10-05T12:01:54,157 [ee0005E1] [ajp-nio-127.0.0.1-8011-exec-6] INFO support.subprocess.GeneralCommand support.subprocess.GeneralCommand:255 - Command '/usr/lib/vmware-python-3/bin/python /usr/lib/vmware-casa/bin/vropsCertificateTool.py -i /storage/db/tmp/uploaded_cert.tmp --no_describe --json --level NONE' threw exception: CommandLineExitException: key=general.failure; args=1,Traceback (most recent call last):
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 470, in _parse
  self._parsed_object = Certificate(self.pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 167, in __init__
  self._certificate_data = self.load_certificate(self._pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 299, in load_certificate
  return OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem_data)
  File "/usr/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1825, in load_certificate
  _raise_current_error()
  File "/usr/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
  raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1583, in <module>
  sys.exit(main(sys.argv))
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1531, in main
  certificate_file = CertificateFile(input_files, fix=options.get('fix'))
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 632, in __init__
  self._parse_file(source_file)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 756, in _parse_file
  self._parse_buffer(f)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 713, in _parse_buffer
  section = Section(description, current_section, self._fixing)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 412, in __init__
  self._parse(fixing)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 474, in _parse
  cert_store = CertificateStore(self.pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 550, in __init__
  self._parse(pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 562, in _parse
  result = run_script([get_openssl_command(), 'pkcs7', '-print_certs'], stdin=pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1275, in run_script
  (process_stdout, process_stderr) = process_pipe.communicate(stdin)
  File "/usr/lib/python3.7/subprocess.py", line 964, in communicate
  stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.7/subprocess.py", line 1695, in _communicate
  input_view = memoryview(self._input)
TypeError: memoryview: a bytes-like object is required, not 'str'
; cause=

2020-10-05T12:01:54,158 [ee0005E1] [ajp-nio-127.0.0.1-8011-exec-6] ERROR casa.security.SecurityService casa.security.SecurityService:1395 - Unexpected error during validateCertificate script execution: Traceback (most recent call last):
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 470, in _parse
  self._parsed_object = Certificate(self.pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 167, in __init__
  self._certificate_data = self.load_certificate(self._pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 299, in load_certificate
  return OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem_data)
  File "/usr/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1825, in load_certificate
  _raise_current_error()
  File "/usr/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue
  raise exception_type(errors)
OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1583, in <module>
  sys.exit(main(sys.argv))
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1531, in main
  certificate_file = CertificateFile(input_files, fix=options.get('fix'))
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 632, in __init__
  self._parse_file(source_file)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 756, in _parse_file
  self._parse_buffer(f)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 713, in _parse_buffer
  section = Section(description, current_section, self._fixing)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 412, in __init__
  self._parse(fixing)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 474, in _parse
  cert_store = CertificateStore(self.pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 550, in __init__
  self._parse(pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 562, in _parse
  result = run_script([get_openssl_command(), 'pkcs7', '-print_certs'], stdin=pem_data)
  File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1275, in run_script
  (process_stdout, process_stderr) = process_pipe.communicate(stdin)
  File "/usr/lib/python3.7/subprocess.py", line 964, in communicate
  stdout, stderr = self._communicate(input, endtime, timeout)
  File "/usr/lib/python3.7/subprocess.py", line 1695, in _communicate
  input_view = memoryview(self._input)
TypeError: memoryview: a bytes-like object is required, not 'str'

I think the file is uploaded and checked but then something goes wrong. I already checked the order of the certificates in the PEM file (Certificate, Private Key, CA Certificate).

Consider giving Kudos if you think my response helped you in any way.

Accepted Solutions
jburen
Expert

I searched for "nested asn1 error" and double-checked the certificate from my CA. The reason for the error was that I used a PKCS7 root CA certificate instead of a Base-64 encoded certificate. When you open both in Notepad they look the same but they are not... After replacing the CA certificate I was able to load the PEM file and replace the SSL certificate.

Consider giving Kudos if you think my response helped you in any way.
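
A pre-upload check for the mix-up described in the accepted solution, as an added example that is not part of the original post and is not VMware's tool: it decodes every PEM block in a bundle and flags a block labelled CERTIFICATE whose DER body is a PKCS#7 container, which is the condition OpenSSL reports as 'wrong tag'. The function names and the sample bundle are assumptions made for illustration; the sample contains constructed DER skeletons, not real certificates or keys.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# DER encoding of OID 1.2.840.113549.1.7.2 (PKCS#7 signedData)
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

def value_offset(der):
    """Offset of the first byte inside the outer DER element."""
    first = der[1]
    return 2 if first < 0x80 else 2 + (first & 0x7F)  # short / long length form

def classify(der):
    """Name the structure by the first element inside the outer SEQUENCE."""
    if len(der) < 3 or der[0] != 0x30:
        return "not a DER SEQUENCE"
    body = value_offset(der)
    if der[body:body + len(PKCS7_SIGNED_DATA)] == PKCS7_SIGNED_DATA:
        return "PKCS#7 signedData"
    inner = der[body:body + 1]
    if inner == b"\x30":   # tbsCertificate is itself a SEQUENCE
        return "X.509 certificate"
    if inner == b"\x02":   # leading version INTEGER, as in PKCS#1/PKCS#8 keys
        return "private key"
    return "unknown"

def audit_bundle(pem_text):
    """Return (PEM label, detected structure, ok) for each block, in order."""
    report = []
    for label, body in PEM_BLOCK.findall(pem_text):
        kind = classify(base64.b64decode(body))
        # The label alone proves nothing: the body must parse as X.509.
        ok = label != "CERTIFICATE" or kind == "X.509 certificate"
        report.append((label, kind, ok))
    return report

def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed DER skeletons (not real certificates or keys), in the order from
# the post: certificate, private key, CA certificate (here a PKCS#7 blob).
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", bytes.fromhex("30023000"))
    + _pem("PRIVATE KEY", bytes.fromhex("3003020100"))
    + _pem("CERTIFICATE", bytes.fromhex("300b") + PKCS7_SIGNED_DATA))

if __name__ == "__main__":
    print(*audit_bundle(SAMPLE_BUNDLE), sep="\n")
```

A block reported as PKCS#7 signedData has to be replaced with the Base-64 X.509 export of the same CA certificate before the bundle is uploaded.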
