VMware Cloud Community
gatsby23
Contributor

DNS FQDN vs. AD FQDN and SSL certificates

I have a lab scenario that I'm trying to work through and ultimately move it to a production environment.

I've deployed the vCSA 5.5 and joined it to my Active Directory. This Active Directory has a suffix of example.com, and from the perspective of the domain controllers and perhaps the appliance itself, the FQDN of the vCSA is vc-01.example.com. I want to bring over the historic FQDN of my vCenter server, which has a different name and suffix (e.g. vcenter.company.com).

Users go to this https://vcenter.company.com:9443 alias and it works fine. They don't need to be aware of the "real" hostname of vc-01.example.com. Now I am trying to import signed SSL certificates for vcenter.company.com into my SSO, inventory, log browser, etc. Following the instructions in KB 2057223, I generate the certs and then actually replace the default self-signed certs for SSO. This succeeds. But when I try to unregister the inventory service from the SSO with the command:

02-inventoryservice --mode uninstall --ls-server https://vcenter.company.com:7444/lookupservice/sdk

It fails with:

> Using Lookup Service: https://vcenter.company.com:7444/lookupservice/sdk (on the current machine).

> Intializing registration provider...

> Getting SSL certificates for https://vcenter.company.com:7444/lookupservice/sdk

> com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched

> Return code is: SslHandshakeFailed 1

Further, when I try to log in to vCenter now following a reboot of the appliance, I get:

Failed to connect to VMware Lookup Service https://192.168.0.10:7444/lookupservice/sdk - SSL certificate verification failed.

I notice on the appliance that /etc/vmware-sso/ls_url.txt contains the contents of "https://192.168.0.10:7444/lookupservice/sdk". When I update that to use vcenter.company.com:7444, I now get a different error with my logon attempt:

Cannot connect to vCenter Single Sign-On server https://192.168.0.10:7444/sts/STSService/vsphere.local. The SSL certificate cannot be verified.

I guess I can regenerate the certs on the appliance, but I'm wondering if anyone has a use case like this or has seen these issues before and come up with a solution. I've been going through the KB articles but no luck so far... thanks.

1 Reply
OzJoshMan
Contributor

I am experiencing exactly the same issue. We have one out of 4 vCenter Servers working due to this error. The SOP we followed for all 4 is HERE

When attempting to execute step 19 under the section titled "Installation and configuration of the certificates for all the components", we get SSL handshake errors:

com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched

Return code is: SslHandshakeFailed


This is a freshly installed vCenter 5.5u2 Appliance; the initial configuration and database had been initialized, then we started this process.


When going to https://<vCenterAppliance>:7444/lookupservice/sdk, I get the following XML error when loading the page:

<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Body>
    <soapenv:Fault>
      <faultcode>ServerFaultCode</faultcode>
      <faultstring>Unexpected EOF in prolog at [row,col {unknown-source}]: [1,0]</faultstring>
      <detail>
        <RuntimeFaultFault xmlns="urn:vim25" xmlns:vim25="urn:vim25" xsi:type="vim25:InvalidRequest"/>
      </detail>
    </soapenv:Fault>
  </soapenv:Body>
</soapenv:Envelope>
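As an added example (not code from either post or from VMware), this shows the hostname check behind the "certificate assertion not verified" error in both posts: the client takes the host from the Lookup Service URL it was given (the FQDN in --ls-server, or the IP in ls_url.txt) and requires it to appear among the certificate's subjectAltName entries, so a certificate cut only for vc-01.example.com cannot satisfy a URL built on vcenter.company.com or 192.168.0.10. LAB_CERT is a constructed dict in the shape Python's getpeercert() returns, and the cafile argument of fetch_peer_cert is an assumed path to the CA that signed the vCenter certificate.

```python
import hashlib, ipaddress, socket, ssl
from urllib.parse import urlsplit

# Constructed, in the shape ssl.SSLSocket.getpeercert() returns: a cert cut for
# the AD name only, which is an assumption about the poster's lab.
LAB_CERT = {
    "subject": ((("commonName", "vc-01.example.com"),),),
    "subjectAltName": (("DNS", "vc-01.example.com"),),
}

def _dns_match(pattern, host):
    """dNSName / CN matching: one leftmost '*' label, no partial labels."""
    p, h = pattern.lower().split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":  # *.company.com covers vcenter.company.com, not company.com
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, host):
    """True if the cert names `host` (DNS name or IP literal), RFC 6125 rules."""
    sans = cert.get("subjectAltName", ())
    try:  # an IP literal, as in ls_url.txt, must appear as an iPAddress SAN
        ip = ipaddress.ip_address(host)
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans)
    except ValueError:
        pass
    dns = [v for k, v in sans if k == "DNS"]
    if dns:  # once any dNSName SAN exists, the CN is ignored
        return any(_dns_match(n, host) for n in dns)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_dns_match(n, host) for n in cns)

def check_urls(cert, urls):
    """Map each Lookup Service URL (ls_url.txt, --ls-server) to its name match."""
    return {u: cert_covers(cert, urlsplit(u).hostname) for u in urls}

def thumbprint(der):
    """SHA-1 thumbprint in the AA:BB:... form the 5.x tooling compares."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 40, 2))

def fetch_peer_cert(host, cafile, port=7444):
    """Live helper: verify the chain against cafile, match names via cert_covers."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain still verified; hostname is our job
    with socket.create_connection((host, port), timeout=10) as s, ctx.wrap_socket(s, server_hostname=host) as t:
        return t.getpeercert(), t.getpeercert(binary_form=True)
```

Running check_urls(LAB_CERT, [...]) over the two URLs from the first post reports both as unmatched, which is the condition a reissued certificate with vcenter.company.com, vc-01.example.com and the IP in its SAN would clear.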


