VMware_Admin11
Contributor

VCSA 6.5U1 certificate-manager broken NSX manager can not accept SSL key

Hello,

We have a very peculiar problem with SSL certificate update.

After replacing "Machine SSL certificate with Custom Certificate" with /usr/lib/vmware-vmca/bin/certificate-manager,

NSX Manager 6.3.3 can no longer connect to VCSA.

Error message in NSX Manager log is:

2017-08-18 08:47:35.472 GMT INFO ViInventoryThread ViInventory:442 - Inventory cannot connect to VC because:Error allocating connection to vCenter Server.; nested exception is java.util.concurrent.ExecutionException: com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match

2017-08-18 08:47:35.475 GMT INFO ViInventoryThread ViInventory:447 - Inventory cannot connect to VC because:com.vmware.vshield.vsm.vcserver.VcConnectionNotAvailableException: core-services:500:vCenter Connection is not available.:com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match

The below did NOT help:

vCenter Server certificate validation error for external solutions in environments with Embedded Pla...

Resetting certificates and adding Custom again does not work due to a bug: "Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subje...

Any ideas?

Sreec
VMware Employee

So if my understanding is correct, cert replacement was done only on VCSA? By any chance, is PSC connectivity (if it is external) also impacted after cert replacement? How did you generate the VCSA certificate: 1) IP, 2) FQDN?

Based on one of the options, you should try updating the correct IP/FQDN once again in the NSX registration page and give it a try. If this is a fresh NSX set-up, a better option would be to remove the solution and register it back.

Cheers,
Sree | CKA|CKAD|VCIX-3X| VCAP-4X| VExpert 5x
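An added check, not from this thread or from VMware's tooling, for the two conditions behind the log line above ("thumbprint doesn't match") and the IP-versus-FQDN question: a wildcard cert such as *.domain.com covers vcsa.domain.com but never an IP literal, and the thumbprint a solution registered must equal the SHA-1 of the certificate the new Machine SSL endpoint presents. Host name, port, CA file and the sample SAN/thumbprint values are assumptions.

```python
import hashlib
import ipaddress
import socket
import ssl

def thumbprint(der_bytes: bytes) -> str:
    """SHA-1 thumbprint as colon-separated upper-case hex, the form the vSphere/NSX UIs show."""
    hexdigest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))

def san_matches(san_entries, target: str) -> bool:
    """san_entries: (kind, value) pairs as in ssl getpeercert()['subjectAltName']. A wildcard
    covers exactly one left-most DNS label; an IP literal needs an 'IP Address' entry."""
    target = target.lower()
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS":
            value = value.lower()
            if value == target:
                return True
            if value.startswith("*.") and target.endswith(value[1:]):
                label = target[: -len(value[1:])]
                if label and "." not in label:
                    return True
    return False

def check_endpoint(san_entries, der_bytes, target, stored_thumbprint):
    """Return the mismatches a registered solution would report for this endpoint."""
    problems = []
    if not san_matches(san_entries, target):
        problems.append(f"SAN does not cover {target!r}")
    if thumbprint(der_bytes) != stored_thumbprint.upper():
        problems.append("presented thumbprint differs from the registered one")
    return problems

def fetch_peer(host, port=443, cafile=None):
    """Verified handshake (SSLCertVerificationError if the chain is untrusted); returns inputs for check_endpoint()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # host/IP coverage is checked by san_matches() instead
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["subjectAltName"], tls.getpeercert(binary_form=True)
```

Run `check_endpoint(*fetch_peer("vcsa.domain.com", cafile="ca.pem"), "vcsa.domain.com", "<registered thumbprint>")` against the vCenter; an empty list means both the SAN and the thumbprint line up for that name.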
VMware_Admin11
Contributor

The VCSA cert is a purchased STAR (wildcard) multi-domain cert, *.domain.com.

Replacement was done only on VCSA.

PSC is integrated and is not impacted.

Tried to reconnect NSX Manager multiple times by entering the vCenter IP and FQDN; however, the problem is the same every time.

I am now replacing NSX Manager with a fresh one, on which I can try a backup restore.

Any ideas?

VMware_Admin11
Contributor

vCenter certificate issues when deploying VIO

Here they do it by restarting that appliance; that didn't solve it for NSX Manager, though.

Sreec
VMware Employee

As long as you can connect to VCSA without any certificate warning, that confirms the cert side is fine. A fresh NSX deploy would be a quicker option.

Cheers,
Sree | CKA|CKAD|VCIX-3X| VCAP-4X| VExpert 5x
VMware_Admin11
Contributor

Yes, the fresh NSX Manager connected to the FQDN without issue.

Now figuring out how to resume with the existing config (backup restore?).

Sreec
VMware Employee

Any luck after restore?

Cheers,
Sree | CKA|CKAD|VCIX-3X| VCAP-4X| VExpert 5x