VMware Cloud Community
Raudi
Expert

LDAPS and certificate error when entering new values

Hi,

I'm trying to replace the user who is used in the LDAPS connection in a 6.5 (latest update) VCSA. But when trying to save, I get an error that a certificate has been expired since 8 February.

I found errors regarding the certificate in the log files vmware-sts-idmd.log and ssoAdminServer.log, but nothing tells me where the certificate is to be found.

ERROR com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021
ERROR com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021

ERROR] [ValidateUtil] Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021
ERROR] [ServerUtils] Exception 'java.lang.IllegalArgumentException: Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021'

When I try this against the domain controller:

root@SRV10 [ ~ ]# openssl s_client -connect domaincontroller:636 2>/dev/null | openssl x509 -noout -dates
notBefore=Feb 25 14:31:47 2021 GMT
notAfter=Feb 25 14:31:47 2022 GMT

The certificate is valid, and all vCenter certificates too.

What else can I do to find the expired certificate?

Kind regards
Stefan

4 Replies
Ajay1988
Expert

It seems for sure that the LDAPS cert is expired.
TRY : openssl s_client -connect domaincontroller:636 -showcerts </dev/null > /tmp/cert.txt
Pick the server certificate, copy it to Notepad, change the extension to .cer and check the validity, and also whether it has a chain ("Certification Path") and that those are not expired.
Server certificate
-----BEGIN CERTIFICATE-----
|
-----END CERTIFICATE-----

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ
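The check AJ describes above (save the s_client output, then inspect each certificate it contains) can be scripted so that every certificate in the served chain is tested, not just the leaf. The following is an example added by the editor, not code from the original thread or from VMware: it splits each PEM block out of a saved `openssl s_client -showcerts` capture and runs `openssl x509 -checkend` on it with a freshness threshold in seconds, so an expired intermediate or root is reported alongside a valid leaf. The hostnames dc01.example.test and ca.example.test, the file names and the two self-signed demo certificates are constructed placeholders. It only inspects what the domain controller serves today; as Raudi goes on to find later in the thread, the certificate stored inside the identity source can be a different (older) one, and this script cannot see that copy.

```shell
#!/bin/sh
# Added example for this thread (not VMware's or the posters' code): split every
# PEM certificate out of saved `openssl s_client -showcerts` output and report,
# per certificate, its subject, notAfter and whether it expires within N seconds.
# Hostnames and file names below are placeholders.

# check_pem_chain FILE [SECONDS]
#   exit 0: every certificate in FILE is valid for at least SECONDS more (default 0)
#   exit 1: at least one certificate is expired / expiring within SECONDS
#   exit 2: no PEM block found in FILE
check_pem_chain() {
    file=$1
    within=${2:-0}
    tmp=$(mktemp)
    # Write each BEGIN..END CERTIFICATE block to its own file: $tmp.01, $tmp.02, ...
    awk -v base="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { k++; out = sprintf("%s.%02d", base, k) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$file"
    count=0
    status=0
    for pem in "$tmp".*; do
        [ -f "$pem" ] || continue
        count=$((count + 1))
        info=$(openssl x509 -in "$pem" -noout -subject -enddate | tr '\n' ' ')
        # -checkend N exits non-zero when the certificate expires within N seconds
        if openssl x509 -in "$pem" -noout -checkend "$within" >/dev/null; then
            state=OK
        else
            state=EXPIRING
            status=1
        fi
        printf '%s cert %d: %s\n' "$state" "$count" "$info"
        rm -f "$pem"
    done
    rm -f "$tmp"
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $file" >&2
        return 2
    fi
    return $status
}

# make_demo_chain FILE: build a constructed stand-in for s_client output from two
# freshly generated self-signed certificates (one valid for 1 day, one for 365),
# so the check can be exercised offline without a domain controller.
make_demo_chain() {
    dir=$(mktemp -d)
    for spec in 1:dc01.example.test 365:ca.example.test; do
        days=${spec%%:*}
        name=${spec#*:}
        openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
            -keyout "$dir/$name.key" -out "$dir/$name.crt" \
            -subj "/CN=$name" -days "$days" >/dev/null 2>&1
    done
    {
        echo "CONNECTED(00000003)"     # constructed framing lines, as s_client prints
        echo "---"
        echo "Certificate chain"
        cat "$dir/dc01.example.test.crt" "$dir/ca.example.test.crt"
        echo "---"
    } > "$1"
    rm -rf "$dir"
}

# Stand-alone run: `sh check_ldaps_chain.sh demo`, or against a real capture:
#   openssl s_client -connect domaincontroller:636 -showcerts </dev/null > /tmp/chain.txt
#   . ./check_ldaps_chain.sh; check_pem_chain /tmp/chain.txt 2592000   # 30 days
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    make_demo_chain "$f"
    check_pem_chain "$f" 0;      echo "exit status: $?"
    check_pem_chain "$f" 172800; echo "exit status: $?"    # 2 days: flags the 1-day cert
    rm -f "$f"
fi
```

The threshold argument is what makes this useful beyond "is it expired right now": run it with 30 days (2592000 seconds) from a cron job and the next expiry in the chain is reported before vCenter starts refusing to save the identity source.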
Raudi
Expert

This I already checked and all is fine.

Today I noticed that I can create a new source entry with the same LDAPS server with no error. I only get the error when I try to modify the existing one.

I haven't created that source, but what happens when the person who created the LDAPS source uploaded the LDAPS server certificate and not the chain? And now the server certificate is stored in the source configuration? The certificate he used is now expired...

So one solution is to delete the source and recreate it, no problem. But I want to know more. 🙂

I ran this command:

root@SRV10 [ ~ ]# sso-config.sh -check_ldaps_cert_validation
********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********
Test connectionString: ldaps://srv01.xxxx.local:636 PASSED
****** TOTAL: 1, FAILED: 0 ******

Is there a way to view the certificate from that source? Or all certificates stored in the SSO config?

ksnull02
Contributor

Same issue here.

Cannot change identity source with expired DC certificates.

Any workaround ?

Ajay1988
Expert

If you are updating or replacing the LDAPS certificate (if expired), the identity source will need to be removed and re-added.

https://kb.vmware.com/s/article/2041378

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ