VMware Cloud Community
SoheilSP
Contributor

Cannot replace SSL on vCenter

Hi everyone

I have vCenter 7.0.3.00700 and want to replace SSL. I generated a CSR from vCenter. After I got a new certificate, from the Replace vCenter Server certificate section I chose "Replace with external CA certificate where CSR is generated from vCenter Server (private key embedded)" and after importing SSL and the trust chain, I faced an error. I attached the picture, please help me.

Thanks

0 Kudos
8 Replies
Sachchidanand
Expert

Please check whether the PNID value is mismatched. It could be one of the reasons for the cert failure.

To check the current value:

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

To update the value:

/usr/lib/vmware-vmafd/bin/vmafd-cli set-pnid --server-name localhost --pnid <pnid>

0 Kudos
SoheilSP
Contributor

@Sachchidanand 

Hi again,

They are the same and there is no mismatch.

0 Kudos
SoheilSP
Contributor

I ran your command and after that, the error changed.

The new error is "Error occurred while fetching tls: the trustAnchors parameter must be non-empty"

0 Kudos
mannharry
Hot Shot

Hello,

This error can occur due to the algorithm used to sign the CSR using SHA1, which is not supported.

More details: https://kb.vmware.com/s/article/2112277?lang=en_us

Regards

Harry

0 Kudos
SoheilSP
Contributor

Hi @Sachchidanand 

Does it apply to me, who uses an external certification authority?

0 Kudos
Hr_Ross76
Enthusiast

I'm using an external CA.

But I'm doing that with -->

/usr/lib/vmware-vmca/bin/certificate-manager

More transparent than the GUI

1 -> Enter (Replace Machine SSL certificate with Custom Certificate)

Username -> Enter

Password -> Enter

1 -> Enter (Generate Certificate Signing Request(s) and Key(s) for Machine SSL certificate)

cheers

0 Kudos
Sachchidanand
Expert

Yes, it will apply to anyone who is using an external CA. You can also check whether the CSR was not generated through vCenter. Some public CAs also generate a private key along with the certificate and the chain.

0 Kudos
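The checks suggested in the replies above (SHA1 signature algorithm, certificate not issued for the vCenter-generated CSR) can be run with openssl before importing anything. This is an added example, not code from any poster or from VMware; the function names and the three file arguments are hypothetical, and the chain check assumes the chain file holds the issuing CA certificates up to the root.

```shell
#!/usr/bin/env bash
# Pre-import checks for a CA-issued Machine SSL certificate (added example).
# File arguments are operator-chosen placeholders, not vCenter default paths.

# Return 0 if the signature algorithm name is acceptable; 1 if it is
# empty or based on SHA-1 or MD5.
sig_alg_ok() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        ""|*sha1*|*md5*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the signature algorithm of a PEM certificate.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ {print $2; exit}'
}

# Print a SHA-256 digest of the public key inside a certificate or CSR.
pubkey_digest() {   # usage: pubkey_digest x509|req FILE
    case "$1" in
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
    esac | openssl sha256
}

# Run all checks; one line per finding, non-zero return on any failure.
precheck_cert() {   # usage: precheck_cert CERT CSR CHAIN
    local cert=$1 csr=$2 chain=$3 rc=0 alg
    alg=$(cert_sig_alg "$cert")
    if sig_alg_ok "$alg"; then echo "OK   signature algorithm: $alg"
    else echo "FAIL signature algorithm: $alg"; rc=1; fi
    # A CA that generated its own key pair returns a cert that fails here.
    if [ "$(pubkey_digest x509 "$cert")" = "$(pubkey_digest req "$csr")" ]; then
        echo "OK   certificate matches the CSR"
    else echo "FAIL certificate was not issued for this CSR"; rc=1; fi
    if openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "OK   chain verifies"
    else echo "FAIL chain does not verify"; rc=1; fi
    return $rc
}

# Stand-alone use: ./precheck.sh machine_ssl.pem vcenter.csr chain.pem
if [ "$#" -eq 3 ]; then precheck_cert "$@"; fi
```

A FAIL on the CSR line means the private key held by vCenter does not belong to the certificate being imported.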