HI
I have a vCenter which I updated from 6.0U3 to 6.5U1, all right; now I need to externalize the PSC to a new one which is already joined to an SSO domain. I meet the requirement that it be the same domain "vsphere.local" and the same site; the problem is that it does not try to do anything, since there is a problem with the certificate which I could not resolve.
root@vcenter [ ~ ]# cmsso-util reconfigure --repoint-psc psc-01.example.com --username Administrator --domain-name vsphere.local --passwd "example"
Validating Provided Configuration ...
Falied to open connection https://psc01.example.com:443/websso/ Error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Disign:
Error when I try openssl; on my other vCenter I try the same and it works fine:
root@vcenter [ /usr/lib/vmware-vmafd/bin ]# openssl s_client -connect psc-01.example.com:443
CONNECTED(00000003)
depth=0 CN = psc-01.example.com, C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = psc-01.example.com, C = US
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=psc-01.example.com/C=US
i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc-01.example.com/OU=VMware Engineering
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/CN=psc-01.example.com/C=US
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc-01.example.com/OU=VMware Engineering
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1469 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: B1BCCCAA8CF4244D1F84A751EF621AFF07730276988A6033DBF828D8B0C9F441A39B1FA64F8059E545BE0179918EA0B4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1512420236
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
I found the solution.
The problem is that the upgrade to 6.5U1 does not copy the new certificate authorities into /etc/ssl/certs. I compared the number of certificates with a new 6.5U1 vCenter and 12 certificates were missing, which I guess is a bug in the upgrade.
After copying the missing certificates the problem disappeared.
These are the missing certificates:
/etc/ssl/certs/5e03e64c.0
/etc/ssl/certs/5e03e64c.r0
/etc/ssl/certs/6bfe6153.0
/etc/ssl/certs/6bfe6153.r0
/etc/ssl/certs/7d801d2d.0
/etc/ssl/certs/7d801d2d.r0
/etc/ssl/certs/c5214e96.0
/etc/ssl/certs/c5214e96.r0
/etc/ssl/certs/dfda8db2.0
/etc/ssl/certs/dfda8db2.r0
/etc/ssl/certs/e65bea3e.0
/etc/ssl/certs/e65bea3e.r0
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 41DE589E24BD87140C47DD97DB1233BF770D5EE636594F5AD26C24D38F295D7A8683CBB797D6F5CE9AFBBF8A21C93A6C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1512564521
Timeout : 300 (sec)
Verify return code: 0 (ok)
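The two `openssl s_client` transcripts above differ only in the final verify code (21 before the fix, 0 after), and the fix itself was a comparison of `/etc/ssl/certs` against a known-good appliance. The following is an added example, not code from dcisternas or from VMware, that turns both steps into a small triage script: it parses `s_client` output for the depth-0 subject/issuer and verify code, explains what codes 20 and 21 mean and which issuer to look for in the trust store, and diffs two directory listings the way the poster did. The sample transcripts and file listings are constructed here, modelled on the thread; the hostnames and file names are taken from the posts above.

```python
"""Triage helper for TLS trust-store problems like the one in this thread.

Added example (not the thread's or VMware's code). The sample s_client
output and directory listings below are constructed for illustration.
"""
import re
from typing import Dict, List

# Meaning of the OpenSSL X.509 verify return codes that appear in the thread.
VERIFY_CODES: Dict[int, str] = {
    0: "ok: the chain validated against the local trust store",
    20: "unable to get local issuer certificate: the issuer of the presented "
        "certificate is not in the CA path",
    21: "unable to verify the first certificate: the server sent only its leaf "
        "and the leaf's issuer is not in the CA path",
}


def parse_s_client(output: str) -> Dict[str, object]:
    """Pull subject, issuer, chain length and final verify code out of
    `openssl s_client` text output."""
    subject = re.search(r"^subject=(.+)$", output, re.M)
    issuer = re.search(r"^issuer=(.+)$", output, re.M)
    chain = re.findall(r"^\s*\d+ s:", output, re.M)       # one per chain entry
    code = re.search(r"^\s*Verify return code: (\d+)", output, re.M)
    return {
        "subject": subject.group(1).strip() if subject else None,
        "issuer": issuer.group(1).strip() if issuer else None,
        "chain_len": len(chain),
        "verify_code": int(code.group(1)) if code else None,
    }


def diagnose(output: str) -> str:
    """Human-readable verdict, naming the issuer to look for when the code
    is 20 or 21 (the two codes seen in the thread)."""
    info = parse_s_client(output)
    code = info["verify_code"]
    if code is None:
        return "no 'Verify return code' line found; the handshake may have failed"
    msg = f"verify code {code}: {VERIFY_CODES.get(code, 'unrecognised verify code')}"
    if code in (20, 21):
        msg += (f"; look for a CA certificate with subject '{info['issuer']}' "
                f"in the trust store (e.g. /etc/ssl/certs)")
    return msg


def missing_trust_anchors(reference: List[str], upgraded: List[str]) -> List[str]:
    """Files present in a known-good /etc/ssl/certs listing but absent from
    the upgraded appliance's listing; the comparison dcisternas describes."""
    return sorted(set(reference) - set(upgraded))


# Constructed sample, modelled on the failing transcript in the thread.
FAILING = """\
CONNECTED(00000003)
depth=0 CN = psc-01.example.com, C = US
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:/CN=psc-01.example.com/C=US
   i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc-01.example.com/OU=VMware Engineering
---
subject=/CN=psc-01.example.com/C=US
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc-01.example.com/OU=VMware Engineering
---
    Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed sample, modelled on the transcript after the fix.
HEALTHY = FAILING.replace(
    "verify error:num=21:unable to verify the first certificate\n", ""
).replace(
    "Verify return code: 21 (unable to verify the first certificate)",
    "Verify return code: 0 (ok)",
)

# Constructed listings: a reference 6.5U1 appliance vs the upgraded one.
REFERENCE_LISTING = ["5e03e64c.0", "5e03e64c.r0", "6bfe6153.0", "6bfe6153.r0",
                     "ca-certificates.crt"]
UPGRADED_LISTING = ["ca-certificates.crt"]

if __name__ == "__main__":
    print(diagnose(FAILING))
    print(diagnose(HEALTHY))
    print("missing:", missing_trust_anchors(REFERENCE_LISTING, UPGRADED_LISTING))
```

The `<hash>.0` / `<hash>.r0` names in the poster's list follow OpenSSL's hashed-directory convention (`c_rehash`): `.0` is a CA certificate filed under its subject-name hash, `.r0` a CRL filed under its issuer hash. Verification with `-CApath` only works when the issuer named in the `i:` line resolves to such a file, which is why copying the files (or re-running `c_rehash` after adding the PEMs) clears code 21 here.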
Hi dcisternas
I've got the exact same problem; forgive me for being a bit slow. I can see that you copied the missing certs to "/etc/ssl/certs/". (1) Where did you copy them from, i.e. the external PSC or vCenter, and from which folder? (2) Where did you copy them to, i.e. the external PSC or vCenter?
Many thanks in advance
I'm in the same boat.
Do you have a walkthrough of what you did to fix it? My vCenter died, so I redeployed a new vCenter with the same name, which had issues with the PSC because it was the same name.
I deployed a new PSC with the same SSO domain, but when trying to use cmsso-util repoint it returns the same error as yours. Looking at the certs in the /etc/ssl/certs dirs on both the VCSA and the PSC, there are a ton of them in there.
Thoughts?