I am trying to convert my 2nd vCenter to an External PSC so I can set up cross-vCenter NSX, and I am getting this "certificate verify failed". I installed the certificate on my computer, so now it shows a secure connection when I log in with the browser; however, I am still not able to run this command in the vCenter CLI.
Both environments are vSphere 6.5 U1.
root@Test-VC [ ~ ]# cmsso-util reconfigure --repoint-psc psc-01.example.com --username Administrator --domain-name example.com --passwd "example"
Validating Provided Configuration ...
Falied to open connection https://psc01.example.com:443/websso/ Error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Please check the configuration and retry
Hello!
Is it a copy/paste from your command line?
"--repoint-psc psc-01.example.com" and from the error "https://psc01.example.com:443/websso/" -- no dash between psc and 01.
Did you check your DNS and cert? Do they have the correct names?
No, DNS is not an issue here.
I was able to convert one vCenter to an External PSC already; it is when I try to do the 2nd one that it throws that error.
Can you successfully open the certificate from the URL https://psc01.example.com:443/websso/ ? Is it correct? Is the name correct?
Also, doesn't it have a self-signed cert or a cert from your CA?
The certificate appears to be correct. I even exported and installed it, so now when I go to my vCenter or PSC it does not complain about security.
Also, the cert seems to be from a CA, which is VMware by default.
Same issue here. Any luck?
No luck so far.
I have a tech case open with VMware, but not much help there either.
One of my vCenters is set up with a different site name, so according to VMware support there is no way to really combine those except by deploying a 2nd PSC with the same site name.
Which I did, but this 2nd PSC could not synchronize with the original PSC, so I am back to square one. I will try to redeploy this PSC again at some point.
I suppose I could redeploy one of my vCenters with the same site name; then, I am only guessing, I should be OK with one PSC.
Thanks. My situation was a little different. I had a failed PSC (corrupt VMDK) and I was deploying a new one for that site.
After opening a support case, it turns out that if you only have 1 PSC in a site, it is not possible to deploy another PSC in that same site if the original PSC for the site is not available. I was under the impression that it would re-sync everything it needs from another site's PSC. This did seem to work fine, and the new PSC was showing no issues other than that I was unable to re-point to it!
I had to resort to a restore of all SSO domain PSCs from the same point in time, which also required a VCSA machine account password reset to get the vCenter talking to them again.
I will deploy at least 2 PSCs per site from now on...
Any update on this? I'm having the exact same problem. I'm about to open a ticket on it, but wanted to check first.
I have the same problem here. I see a lot of people have the same issue. I upgraded from 6.0U3 to 6.5U1 at my client, and now I need to migrate the PSC for deployment in enhanced mode. Today I opened a ticket. Does anyone have a solution?
Thanks
root@vcapp [ /usr/lib/vmware-vmca/bin ]# openssl s_client -showcerts -connect vcappprdpsc.cyt.???.cl:443
CONNECTED(00000003)
depth=0 CN = vcappprdpsc.cyt.???.cl, C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vcappprdpsc.cyt.???.cl, C = US
verify error:num=21:unable to verify the first certificate
verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: DEA295C58B45E365DD1AAD25725771CE09E2961907D4786023D3DA7807F1CF0C483D48B69707ABBEEFBC24B712FBA812
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1512396787
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
I found the solution.
The problem is that the update to 6.5U1 does not copy the new certifying entities into the /etc/ssl/certs location. I compared the number of certificates with a new 6.5U1 vCenter and 12 certificates were missing; this, I guess, is a BUG of the upgrade.
After copying the missing certificates, the problem disappeared.
These are the lost certificates:
/etc/ssl/certs/5e03e64c.0
/etc/ssl/certs/5e03e64c.r0
/etc/ssl/certs/6bfe6153.0
/etc/ssl/certs/6bfe6153.r0
/etc/ssl/certs/7d801d2d.0
/etc/ssl/certs/7d801d2d.r0
/etc/ssl/certs/c5214e96.0
/etc/ssl/certs/c5214e96.r0
/etc/ssl/certs/dfda8db2.0
/etc/ssl/certs/dfda8db2.r0
/etc/ssl/certs/e65bea3e.0
/etc/ssl/certs/e65bea3e.r0
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 41DE589E24BD87140C47DD97DB1233BF770D5EE636594F5AD26C24D38F295D7A8683CBB797D6F5CE9AFBBF8A21C93A6C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1512564521
Timeout : 300 (sec)
Verify return code: 0 (ok)