VMware Cloud Community
vinivirtus
Enthusiast
Enthusiast
‎12-03-2014 08:04 AM
Jump to solution

Error replace certificate SSL - inventory services with utilizing the Automation SSL tools - Help Please

I am using SSL update tools to change the vCenter 5.5 SSL certificate.

Changing the SSO certificate was successful, however I am having problem with the inventory services.

Error message below.

==================================================================

4. Update the Inventory Service SSL Certificate

     1. Update the Inventory Service Trust to Single Sign-On

     2. Update the Inventory Service Trust to vCenter Server

     3. Update the Inventory Service SSL Certificate

     4. Rollback to the previous Inventory Service SSL Certificate

     5. Return to the main menu to update other services

The chosen service is: 3

[Wed 12/03/2014 - 13:49:12.88]: The services that are restarted as a part of thi

s operation are: vCenter Inventory Service.

Enter the location to the new Inventory Service SSL chain: C:\certs\InventorySer

vice\chain.pem

Enter the location to the new Inventory Service private key: C:\certs\InventoryS

ervice\rui-orig.key

Enter the Single Sign-On Administrator user (default value is: administrator@vsp

here.local):

Enter the Single Sign-On Administrator password (will not be echoed):

[.] The supplied certificate chain is valid.

[Wed 12/03/2014 - 13:49:44.41]: Last operation update Inventory Service SSL cert

ificate failed :

[Wed 12/03/2014 - 13:49:44.42]: Cannot determine if Inventory Service is registe

red with Single Sign-On - errorlevel is 1

=================================================================

Reply
0 Kudos
1 Solution

Accepted Solutions
vinivirtus
Enthusiast
Enthusiast
‎12-10-2014 07:18 AM
Jump to solution

Problem solved, as the vCenter my environment share the same SSO domain is necessáio that SSL certificcado the primary server is changed.

View solution in original post

Reply
0 Kudos
9 Replies
RyanH84
Expert
Expert
‎12-03-2014 08:15 AM
Jump to solution

Hi there,

I assume you are following the vmware ssl-updater.bat script from looking at the screenshot. Have you run the planner to give you the exact steps to follow when updating everything?

Are you updating all certificates? When you update the SSO and vCenter certificates, you must also then update the Inventory Service trust to single sign on and vCenter. (http://i.imgur.com/mXFBxph.png)  - see option 2.

As per your process copied out from the ssl-updater.bat, have you followed options 1 and 2:

     1. Update the Inventory Service Trust to Single Sign-On

     2. Update the Inventory Service Trust to vCenter Server

???


These must be done before you can update the Inventory service, as part of your planned upgrade - See option 1 on this screenshot.

I am happy to help if you have any questions, I had to do this for my work place recently and have fully documented the entire process!!

Regards,

Ryan

------------------------------------------------------------------------------------------------------------------------------------------------- Regards, Ryan vExpert, VCP5, VCAP5-DCA, MCITP, VCE-CIAE, NPP4 @vRyanH http://vRyan.co.uk
Reply
0 Kudos
vinivirtus
Enthusiast
Enthusiast
‎12-03-2014 01:21 PM
Jump to solution

Ryan,

Thank you for help, however I'm following exetamente the plan that is provided by the tool.

I have problem during the change of certificate Inventory Services.

Reply
0 Kudos
RyanH84
Expert
Expert
‎12-04-2014 03:33 AM
Jump to solution

Hi,

So you have updated the trusts with Inventory service against SSO and vCenter before installing the new certificate?

Can you confirm if all the services are installed on the same server?

------------------------------------------------------------------------------------------------------------------------------------------------- Regards, Ryan vExpert, VCP5, VCAP5-DCA, MCITP, VCE-CIAE, NPP4 @vRyanH http://vRyan.co.uk
Reply
0 Kudos
vinivirtus
Enthusiast
Enthusiast
‎12-04-2014 05:23 AM
Jump to solution

Ryan,

all services installed on the same server.

Follows the plan I'm using, in your post you are stating what should be done the trust between the SSO and vCenter skipping step 3 and step 4 is doing this?

1. Go to the machine with Single Sign-On installed and - Update the Single Sign-

On SSL certificate.

2. Go to the machine with Inventory Service installed and - Update Inventory Ser

vice trust to Single Sign-On.

3. Go to the machine with Inventory Service installed and - Update the Inventory

Service SSL certificate.

4. Go to the machine with vCenter Server installed and - Update vCenter Server t

rust to Single Sign-On.

5. Go to the machine with vCenter Server installed and - Update the vCenter Serv

er SSL certificate.

6. Go to the machine with vCenter Server installed and - Update vCenter Server t

rust to Inventory Service.

7. Go to the machine with Inventory Service installed and - Update the Inventory

Service trust to vCenter Server.

8. Go to the machine with vCenter Orchestrator installed and - Update vCenter Or

chestrator trust to Single Sign-On.

9. Go to the machine with vCenter Orchestrator installed and - Update vCenter Or

chestrator trust to vCenter Server.

10. Go to the machine with vCenter Orchestrator installed and - Update the vCent

er Orchestrator SSL certificate.

11. Go to the machine with vSphere Web Client installed and - Update vSphere Web

Client trust to Single Sign-On.

12. Go to the machine with vSphere Web Client installed and - Update vSphere Web

Client trust to Inventory Service.

13. Go to the machine with vSphere Web Client installed and - Update vSphere Web

Client trust to vCenter Server.

14. Go to the machine with vSphere Web Client installed and - Update the vSphere

Web Client SSL certificate.

15. Go to the machine with Log Browser installed and - Update the Log Browser tr

ust to Single Sign-On.

16. Go to the machine with Log Browser installed and - Update the Log Browser SS

L certificate.

17. Go to the machine with vSphere Update Manager installed and - Update vSphere

Update Manager trust to vCenter Server.

Reply
0 Kudos
RyanH84
Expert
Expert
‎12-04-2014 05:29 AM
Jump to solution

Hi,

I'm a bit confused with what you are asking?

The screenshot I posted, was a plan that I had for updating all certificates: SSO, Inventory Service, vCenter, Orchestrator, Web Client and Log Browser.

Did you generate a plan using the tool? If so, can you post a picture of it? (Like mine?)

You must follow all the steps as per your plan for it to work. It seems to me that you might have updated your SSO certificate and NOT followed step 2 "Update the Inventory service to trust Single Sign on".

------------------------------------------------------------------------------------------------------------------------------------------------- Regards, Ryan vExpert, VCP5, VCAP5-DCA, MCITP, VCE-CIAE, NPP4 @vRyanH http://vRyan.co.uk
Reply
0 Kudos
vinivirtus
Enthusiast
Enthusiast
‎12-04-2014 05:47 AM
Jump to solution

Ryan,

I'm just following the plan created by the tool. (ssl certificate updater tool)

the error is displayed when I perform step 3.

example.

1. Go to the machine with Single Sign-On and installed - Update the Single Sign-

On SSL certificate.

  Status: successful

2. Go to the machine with Inventory Service installed and - Update Inventory Being

vice trust to Single Sign-On.

   Status: successful

3. Go to the machine with Inventory Service installed and - Update the Inventory

Service SSL certificate.

  Status: Failed.

Preview file
217 KB
Reply
0 Kudos
RyanH84
Expert
Expert
‎12-04-2014 07:38 AM
Jump to solution

Hi,

When you follow these options:

4. Update the Inventory Service SSL Certificate

     1. Update the Inventory Service Trust to Single Sign-On

     2. Update the Inventory Service Trust to vCenter Server

     3. Update the Inventory Service SSL Certificate

     4. Rollback to the previous Inventory Service SSL Certificate

     5. Return to the main menu to update other services

When you follow option "1 - Update the Inventory Service Trust to Single Sign-On" does that work correctly?

If you are having trouble with the automation tool, perhaps follow the manual process of updating the Inventory Server certificate following this KB?

------------------------------------------------------------------------------------------------------------------------------------------------- Regards, Ryan vExpert, VCP5, VCAP5-DCA, MCITP, VCE-CIAE, NPP4 @vRyanH http://vRyan.co.uk
Reply
0 Kudos
vinivirtus
Enthusiast
Enthusiast
‎12-04-2014 11:18 AM
Jump to solution

Ryan,

update the information, my environment shared same domain single sign-on that could be a problem in exchange for the certificate of vCenter?

Reply
0 Kudos
vinivirtus
Enthusiast
Enthusiast
‎12-10-2014 07:18 AM
Jump to solution

Problem solved, as the vCenter my environment share the same SSO domain is necessáio that SSL certificcado the primary server is changed.

Reply
0 Kudos