Raudi
Expert
Expert

LDAPS and certificate error when entering new values

Hi,

I'm trying to replace the user, who is   used in the LDAPS   connection in a 6.5 (latest update) VCSA. But   when trying   to save i got a error that a certificate is expired since 8th february.

I found errors   regarding the certificate in the logfiles  vmware-sts-idmd.log and   ssoAdminServer.log, but nothing is telling me where the certificate is to find.

ERROR com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021
ERROR com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021

ERROR] [ValidateUtil] Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021
ERROR] [ServerUtils] Exception 'java.lang.IllegalArgumentException: Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021'

When i try this against the Domaincontroller:

root@SRV10 [ ~ ]# openssl s_client -connect domaincontroller:636 2>/dev/null | openssl x509 -noout -dates
notBefore=Feb 25 14:31:47 2021 GMT
notAfter=Feb 25 14:31:47 2022 GMT

The certificate is valid, and all vCenter certificates too.

What can i do else, to find the  expired certificate?

Kind regards
Stefan

0 Kudos
2 Replies
Ajay1988
VMware Employee
VMware Employee

This seems for sure ldaps cert is expired.
TRY : openssl s_client -connect domaincontroller:636 > /tmp/cert.txt
Pick the server certificate and copy to a notepad and change ext to .cer and check the validity and also if its got any chain "Certification Path" and it they are not expired.
Server certificate
-----BEGIN CERTIFICATE-----
|
-----END CERTIFICATE-----

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
0 Kudos
Raudi
Expert
Expert

This i already checked and all is fine.

Today  i noticed that i can create a new source entry with the same LDAPS server with no error. The error i got only when i try to modify that existing one.

I havn't created that source, but what happens when the person has uploaded, during creating of the  LDAPS source, the LDAPS server certificate and not the chain? And now the server certificate is stored in the source configuration? The certificate he has used is now expired...

So  one solution is to delete the source and recreate it, no problem. But i want to know more. 🙂

Ii run this command:

root@SRV10 [ ~ ]# sso-config.sh -check_ldaps_cert_validation
********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********
Test connectionString: ldaps://srv01.xxxx.local:636 PASSED
****** TOTAL: 1, FAILED: 0 ******

Is there a way to view the certificate from that source? Or all certificates stored in the SSO config?

0 Kudos