I have a lab scenario that I'm trying to work through and ultimately move it to a production environment.
I've deployed the vCSA 5.5 and joined it to my Active Directory. This Active Directory has a suffix of example.com, and from the perspective of the domain controllers and perhaps the appliance itself, the FQDN of the vCSA is vc-01.example.com. I want to bring over the historic FQDN of my vCenter server, which has a different name and suffix (e.g. vcenter.company.com).
Users go to this https://vcenter.company.com:9443 alias and it works fine. They don't need to be aware of the "real" hostname of vc-01.example.com. Now I am trying to import signed SSL certificates for vcenter.company.com into my SSO, inventory, log browser, etc. Following the instructions in KB 2057223, I generate the certs and then actually replace the default self-signed certs for SSO. This succeeds. But when I try to unregister the inventory service from the SSO with the command:
02-inventoryservice --mode uninstall --ls-server https://vcenter.company.com:7444/lookupservice/sdk
It fails with:
> Using Lookup Service: https://vcenter.company.com:7444/lookupservice/sdk (on the current machine).
> Intializing registration provider...
> Getting SSL certificates for https://vcenter.company.com:7444/lookupservice/sdk
> com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certficate assertion not verified and thumbprint not matched
> Return code is: SslHandshakeFailed 1
Further, when I try to log in to vCenter now following a reboot of the appliance, I get:
Failed to connect to VMware Lookup Service https://192.168.0.10:7444/lookupservice/sdk - SSL certificate verification failed.
I notice on the appliance that /etc/vmware-sso/ls_url.txt contains the contents of "https://192.168.0.10:7444/lookupservice/sdk". When I update that to use vcenter.company.com:7444, I now get a different error with my logon attempt:
Cannot connect to vCenter Single Sign-On server https://192.168.0.10:7444/sts/STSService/vsphere.local. The SSL certificate cannot be verified.
I guess I can regenerate the certs on the appliance, but I'm wondering if anyone has a use case like this or seen these issues before and come up with a solution. I've been going through the KB articles but no luck so far...thanks.
I am experiencing exactly the same issue. We have one out of 4 vCenter Servers working due to this error. The SOP we followed for all 4 is HERE
When attempting to execute step 19 under the section titled "Installation and configuration of the certificates for all the components", we get SSL handshake errors:
com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched
Return code is: SslHandshakeFailed
This is a freshly installed vCenter 5.5u2 Appliance; the initial configuration and database were initialized, then we started this process.
When going to the port https://<vCenterAppliance>:7444/lookupservice/sdk
I am getting the following XML error when loading this page
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<soapenv:Fault>
<faultcode>ServerFaultCode</faultcode>
<faultstring>
Unexpected EOF in prolog at [row,col {unknown-source}]: [1,0]
</faultstring>
<detail>
<RuntimeFaultFault xmlns="urn:vim25" xmlns:vim25="urn:vim25" xsi:type="vim25:InvalidRequest"/>
</detail>
</soapenv:Fault>
</soapenv:Body>
</soapenv:Envelope>
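A diagnostic check for the situation in the first post, added here as an example (it is not from either poster or from VMware): it tests which of the endpoint URLs quoted in the thread a certificate issued for the alias would cover. The certificate contents are constructed in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and matching on subjectAltName only (ignoring the CN) is an assumption about the client's policy.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: a certificate whose only SAN is the alias from the first post.
SAMPLE_CERT = {
    "subject": ((("commonName", "vcenter.company.com"),),),
    "subjectAltName": (("DNS", "vcenter.company.com"),),
}

# Endpoint URLs quoted in the thread, plus the appliance's real FQDN.
ENDPOINTS = [
    "https://vcenter.company.com:7444/lookupservice/sdk",
    "https://192.168.0.10:7444/lookupservice/sdk",
    "https://192.168.0.10:7444/sts/STSService/vsphere.local",
    "https://vc-01.example.com:7444/lookupservice/sdk",
]

def _dns_match(pattern, host):
    """Compare a DNS SAN with a hostname; '*' is honoured only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_covers(cert, url):
    """True if the certificate's SAN list covers the host part of url."""
    host = urlsplit(url).hostname
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal in the URL is only satisfied by an "IP Address" SAN entry.
        return any(k == "IP Address" and ipaddress.ip_address(v.strip()) == ip
                   for k, v in sans)
    return any(k == "DNS" and _dns_match(v, host) for k, v in sans)

def audit(cert, urls):
    """Map each URL to whether the certificate covers its host."""
    return {u: cert_covers(cert, u) for u in urls}

if __name__ == "__main__":
    for url, ok in audit(SAMPLE_CERT, ENDPOINTS).items():
        print("OK      " if ok else "MISMATCH", url)
```

With the constructed certificate, only the vcenter.company.com URL is covered; the two 192.168.0.10 URLs and the vc-01.example.com URL are reported as mismatches.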