Hi,
I'm trying to replace the user that is used for the LDAPS connection in a 6.5 (latest update) VCSA. But when trying to save, I get an error that a certificate has been expired since 8th February.
I found errors regarding the certificate in the log files vmware-sts-idmd.log and ssoAdminServer.log, but nothing tells me where the certificate can be found.
ERROR com.vmware.identity.admin.server.ims.impl.IdentitySourceManagementImpl] Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021
ERROR com.vmware.identity.admin.vlsi.IdentitySourceManagementServiceImpl] Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021
ERROR] [ValidateUtil] Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021
ERROR] [ServerUtils] Exception 'java.lang.IllegalArgumentException: Certificate is not valid: NotAfter: Mon Feb 08 01:28:29 CET 2021'
When I try this against the domain controller:
root@SRV10 [ ~ ]# openssl s_client -connect domaincontroller:636 2>/dev/null | openssl x509 -noout -dates
notBefore=Feb 25 14:31:47 2021 GMT
notAfter=Feb 25 14:31:47 2022 GMT
The certificate is valid, and so are all vCenter certificates.
What else can I do to find the expired certificate?
Kind regards
Stefan
It seems for sure that the LDAPS cert is expired.
TRY: openssl s_client -connect domaincontroller:636 > /tmp/cert.txt
Pick the server certificate, copy it to Notepad, change the extension to .cer and check the validity, and also whether it has a chain ("Certification Path") and that those certificates are not expired.
Server certificate
-----BEGIN CERTIFICATE-----
|
-----END CERTIFICATE-----
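The chain check suggested above, automated as an added example (this script is not from the original thread or from VMware): it splits a dump captured with `openssl s_client -showcerts -connect domaincontroller:636 </dev/null > /tmp/chain.txt` into its individual certificates and reports each one's subject, issuer and notAfter, flagging EXPIRED or VALID via `openssl x509 -checkend`. The hostname, the paths and the throwaway demo certificates it generates when run without an argument are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example: split a PEM dump into individual certificates and check
# each one's validity period. Works on the raw output of
#   openssl s_client -showcerts -connect domaincontroller:636 </dev/null 2>/dev/null > /tmp/chain.txt
# (hostname and path assumed) as well as on a plain PEM bundle.

# Print one line per certificate in FILE (status, subject, issuer, notAfter)
# followed by a summary line in the style of sso-config.sh.
check_pem_chain() {
    file="$1"
    workdir=$(mktemp -d)
    # Cut the bundle at the BEGIN/END markers; anything outside them
    # (s_client chatter, "Server certificate" headings) is discarded.
    awk -v dir="$workdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$file"

    total=0
    expired=0
    for cert in "$workdir"/cert-*.pem; do
        [ -f "$cert" ] || continue
        total=$((total + 1))
        subject=$(openssl x509 -in "$cert" -noout -subject)
        issuer=$(openssl x509 -in "$cert" -noout -issuer)
        not_after=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2-)
        # -checkend 0 exits 0 while the certificate is still valid and
        # non-zero once notAfter has passed.
        if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
            status=VALID
        else
            status=EXPIRED
            expired=$((expired + 1))
        fi
        printf '%-7s %s | %s | notAfter=%s\n' "$status" "$subject" "$issuer" "$not_after"
    done
    rm -rf "$workdir"
    printf 'TOTAL: %d, EXPIRED: %d\n' "$total" "$expired"
}

# Build a constructed two-certificate bundle (a leaf and a separate
# self-signed "CA") in DIR so the checker can be exercised offline.
# These are throwaway test certificates, not anything from a real
# domain controller; the names are assumptions.
make_demo_chain() {
    dir="$1"
    for name in dc01.example.test "Example Root CA"; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$name" -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
        printf 'Server certificate\n' >> "$dir/chain.txt"   # mimic an s_client heading
        cat "$dir/cert.pem" >> "$dir/chain.txt"
    done
    rm -f "$dir/key.pem" "$dir/cert.pem"
    echo "$dir/chain.txt"
}

# Usage: ./check_ldaps_chain.sh /tmp/chain.txt
# With no argument, run the checker over the constructed demo bundle.
if [ "$#" -gt 0 ]; then
    check_pem_chain "$1"
else
    check_pem_chain "$(make_demo_chain "$(mktemp -d)")"
fi
```

Run it against the s_client dump to see every certificate the domain controller actually presents; if the whole chain comes back VALID but vCenter still complains, the expired certificate is one that was stored with the identity source at creation time, not one the server sends today.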
This I have already checked and all is fine.
Today I noticed that I can create a new source entry with the same LDAPS server without error. I only get the error when I try to modify the existing one.
I haven't created that source, but what happens when the person who created the LDAPS source uploaded the LDAPS server certificate and not the chain? And now the server certificate is stored in the source configuration? The certificate he used is now expired...
So one solution is to delete the source and recreate it, no problem. But I want to know more. 🙂
I ran this command:
root@SRV10 [ ~ ]# sso-config.sh -check_ldaps_cert_validation
********** IDENTITY SOURCE CONNECTION LDAPS INFORMATION FOR vsphere.local **********
Test connectionString: ldaps://srv01.xxxx.local:636 PASSED
****** TOTAL: 1, FAILED: 0 ******
Is there a way to view the certificate from that source? Or all certificates stored in the SSO config?
Same issue here.
Cannot change the identity source with expired DC certificates.
Any workaround?
If you are updating or replacing the LDAPS certificate (if expired), the identity source will need to be removed and re-added.
https://kb.vmware.com/s/article/2041378