VMware Cloud Community
saunders
Contributor

vCenter 6 - Virtual Infrastructure Client cannot connect after Machine SSL certificate replacement

Good afternoon all,

I am troubleshooting a problem that is preventing the VIC from connecting to vCenter after replacement of the machine SSL certificate with a third party signed certificate.

  • Currently running Linux/Appliance VCSA appliance, with an external PSC. vSphere 6, update 1.
  • The environment was working perfectly fine before the machine certificate replacement, using the out of the box self-signed certificates. (Could connect/login with both web client and VIC)
  • The environment works fine if I "roll back" to previous SSL certificate setup.
  • After the installation of the third party signed certificate, the certificate is successfully installed and the VMware Web Client accurately shows the new certificate. The Login to the web client works perfectly fine.
  • After the installation, the VIC times out when attempting to connect to vCenter.

Debugging Steps:

- Reviewed VIClient logs: all messages indicated timeout or no response from the vCenter.

- Reviewed the vCenter logs: /var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log and did not see any interesting/useful errors.

- Noted that the vSphere VAMI interface (https://<hostname>:5480/login.html) does not show the new, third party signed certificate and continues to show the original, self-signed certificate.

- Restarted all services on both the vCenter appliance and External PSC

- When logging into the web client, log messages appear in the External PSC Controller indicating a successful authentication. Log messages *do not* appear in the PSC when using the VIClient.

- Reviewed the SSO Domain certificate store and ensured that the root and intermediate CA certificates were in the domain and trusted.

- Checked the MOB (https://<hostname>/lookupservice/mob?moid=ServiceRegistration&method=List) and confirmed that the new cert was listed correctly for all services.

Any advice or help would be appreciated. I wanted to see if anybody had any ideas before I opened a support case with VMware.

2 Replies
saunders
Contributor

Good afternoon,

I wanted to circle back and provide some updates to this issue. Through a little bit of diagnostic work with Wireshark, I confirmed that the VIClient was not timing out trying to connect to vCenter, but rather timing out trying to connect to the PKI certificate CRL server listed in the AIX field of the certificate. Since the VIClient was not able to download the CRL and verify that the certificate was valid, the login process would time out.

To the best of my understanding, this process was not strictly enforced in the VI 5 Client days, so, VMware must have implemented stricter checking in the VI 6 Client and refuses to move forward without a valid CRL.

We are looking into the issue of why the VI Client cannot connect to the hosts listed in the AIX field of the vCenter cert, but when we put workarounds in place, the VIClient successfully connects.

Thanks
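The failure described in this reply is a client stalling on revocation checking: the certificate points at CRL/AIA hosts that the client network cannot reach, so the TLS handshake sits in a dial timeout instead of failing fast. Before deploying a third party certificate into an isolated network, an operator can enumerate every URL the certificate embeds and test whether clients can actually reach those hosts. The following Go program is an added example and is not code from this thread or from VMware; it generates a constructed self-signed certificate with made-up CRL, OCSP and caIssuers URLs (`crl.example.invalid`, `ocsp.example.invalid`) purely so it runs offline. In practice you would load the real server certificate with `x509.ParseCertificate` and skip the test-certificate step.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// Endpoint is one network location a validating client may contact:
// a CRL distribution point, an OCSP responder, or a caIssuers URL from
// the Authority Information Access extension.
type Endpoint struct {
	Kind string // "CRL", "OCSP" or "CA Issuers"
	URL  string
	Host string // host:port the client has to dial; empty if not derivable
}

// Default ports for the schemes commonly seen in CDP/AIA extensions.
var defaultPorts = map[string]string{"http": "80", "https": "443", "ldap": "389"}

// hostPort derives the host:port a client would dial for a CDP/AIA URL.
// LDAP URLs without a host (common on Windows CAs) yield an error.
func hostPort(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if u.Hostname() == "" {
		return "", fmt.Errorf("no dialable host in %q", raw)
	}
	port := u.Port()
	if port == "" {
		var ok bool
		if port, ok = defaultPorts[u.Scheme]; !ok {
			return "", fmt.Errorf("unknown scheme %q in %q", u.Scheme, raw)
		}
	}
	return net.JoinHostPort(u.Hostname(), port), nil
}

// RevocationEndpoints lists every URL in the certificate that a
// validating client might fetch. Undialable URLs keep an empty Host so
// the operator still sees them in the report.
func RevocationEndpoints(cert *x509.Certificate) []Endpoint {
	var out []Endpoint
	add := func(kind string, urls []string) {
		for _, u := range urls {
			hp, _ := hostPort(u)
			out = append(out, Endpoint{Kind: kind, URL: u, Host: hp})
		}
	}
	add("CRL", cert.CRLDistributionPoints)
	add("OCSP", cert.OCSPServer)
	add("CA Issuers", cert.IssuingCertificateURL)
	return out
}

// CheckReachable opens a TCP connection to each endpoint host with the
// given timeout and returns the failures keyed by URL. A hang here is
// exactly what the VI Client experienced during the handshake.
func CheckReachable(eps []Endpoint, timeout time.Duration) map[string]error {
	failures := map[string]error{}
	for _, ep := range eps {
		if ep.Host == "" {
			failures[ep.URL] = fmt.Errorf("cannot determine host to dial")
			continue
		}
		conn, err := net.DialTimeout("tcp", ep.Host, timeout)
		if err != nil {
			failures[ep.URL] = err
			continue
		}
		conn.Close()
	}
	return failures
}

// NewTestCert builds a constructed self-signed certificate carrying
// made-up CDP and AIA URLs so the audit can be exercised offline.
func NewTestCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "vcenter.example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		CRLDistributionPoints: []string{"http://crl.example.invalid/pki/root.crl"},
		OCSPServer:            []string{"http://ocsp.example.invalid:8080"},
		IssuingCertificateURL: []string{"http://crl.example.invalid/pki/root.crt"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert()
	if err != nil {
		panic(err)
	}
	eps := RevocationEndpoints(cert)
	fmt.Printf("Revocation-related endpoints in %s:\n", cert.Subject.CommonName)
	for _, ep := range eps {
		fmt.Printf("  %-10s %s  (dial %s)\n", ep.Kind, ep.URL, ep.Host)
	}
	// A short timeout makes the "no route to the CRL host" case visible
	// in seconds rather than the client's full handshake timeout.
	for u, err := range CheckReachable(eps, 3*time.Second) {
		fmt.Printf("UNREACHABLE %s: %v\n", u, err)
	}
}
```

Run this from a machine on the same network segment as the affected clients: any URL reported as unreachable is a host that either needs a firewall/DNS path opened, a locally hosted copy of the CRL, or a certificate issued by a CA whose distribution points are reachable from the isolated network.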

DyJohnnY
Enthusiast

Hello,

I know this is an old thread, but we have the exact same issue in a disconnected enterprise network.

Could you detail a little about the workarounds you put in place for this issue?

IonutN