Re: When converting vCenter from Embedded to Exter...

moderatelo · ‎09-20-2017

I am trying to convert 2nd vCenter to External PSC so I can setup cross vCenter NSX and I am getting this "certificate verify failed". I installed certificate on my computer so now it is showing secure connection when I login to browser however I am still not able to run this command in vcenter CLI.

Both environments are vSphere 6.5 U1

root@Test-VC [ ~ ]# cmsso-util reconfigure --repoint-psc psc-01.example.com --username Administrator --domain-name example.com --passwd "example"

Validating Provided Configuration ...

Falied to open connection https://psc01.example.com:443/websso/ Error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>

Please check the configuration and retry

Finikiez · ‎09-20-2017

Hello!

Is it a copy\paste from your command line?

"--repoint-psc psc-01.example.com" and from the error "https://psc01.example.com:443/websso/" --- no dash between psc and 01.

Did you check your DNS and cert? Do they have correct names>

moderatelo · ‎09-22-2017

No DNS is not an issue here.

I was able to convert one vCenter to External PSC already it is when I try to do 2nd one it troughs that error.

Finikiez · ‎09-25-2017

Can you successfully open a certificate from URL https://psc01.example.com:443/websso/ ? Is it correct? is the name correct?

Also does't it have self-signed cert or cert from your CA?

moderatelo · ‎09-25-2017

Certificate appears to be correct, I even exported and installed it so now when I go to my vCenter or PSC it does not complaint about security.

Also cert seems to be from CA which is VMware by default.

alex_bax1 · ‎10-25-2017

Same issue here. Any luck?

moderatelo · ‎10-25-2017

No luck so far.

Have tech case open with VMware nut not much help either.

One of my vCenter's setup with different site name so according to VMware support there is no way to really combine those except by deploying 2nd PSC with the same site name.

Which I did but this 2nd PSC could not synchronize with original PSC, so I am back to square one. Will try to redeploy this PSC again at some point.

I suppose I could redeploy one of my vCenters with the same Site name then I am only guessing I should be ok with one PSC.

alex_bax1 · ‎10-31-2017

Thanks. My situation was a little different. I had a failed PSC (corrupt VMDK) and I was deploying a new one for that site.

After opening a support case it turns out that if you only have 1 PSC in a site, it it not possible to deploy another PSC in that same site if the original PSC for the site is not available. I was under the impression that it would re-sync everything it needs from another sites' PSC. This did seems to work fine and new PSC was showing no issues other than I was unable to re-point to it!

I had to resort to a restore of all all SSO domain PSC's from the same point in time. Which also requited a VCSA machine account password reset to g et teh vCenter talking to them again.

I will now deploy at least 2 PSC's per site from now on...

szilagyic · ‎11-30-2017

Any update on this? I'm having the exact same problem. I'm about to open a ticket on it but wanted to check.

dcisternas · ‎12-04-2017

I have the same problem here, i see a lot people have the same issue , i upgrade from 6.0U3 to 6.5U1 in my client , and now need tu migrate the psc for deplyment enhanced mode , today i open a ticket , any one have a solution?

Thanks

dcisternas · ‎12-04-2017

root@vcapp [ /usr/lib/vmware-vmca/bin ]# openssl s_client -showcerts -connect vcappprdpsc.cyt.???.cl:443

CONNECTED(00000003)

depth=0 CN = vcappprdpsc.cyt.???.cl, C = US

verify error:num=20:unable to get local issuer certificate

verify return:1

depth=0 CN = vcappprdpsc.cyt.???.cl, C = US

verify error:num=21:unable to verify the first certificate

verify return:1

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

Protocol : TLSv1.2

Cipher : ECDHE-RSA-AES256-GCM-SHA384

Session-ID:

Session-ID-ctx:

Master-Key: DEA295C58B45E365DD1AAD25725771CE09E2961907D4786023D3DA7807F1CF0C483D48B69707ABBEEFBC24B712FBA812

Key-Arg : None

PSK identity: None

PSK identity hint: None

SRP username: None

Start Time: 1512396787

Timeout : 300 (sec)

Verify return code: 21 (unable to verify the first certificate)

dcisternas · ‎12-06-2017

I found the solution.

The problem happens that the update to 6.5U1 does not copy the new certifying entities in the /etc/ssl/certs location, compares the number of certificates with a new 6.5U1 vicenter and 12 certificates were missing, this I guess is a BUG of the upgrade.

After copying the remaining certificates the problem disappeared.

these are the lost certificates

/etc/ssl/certs/5e03e64c.0

/etc/ssl/certs/5e03e64c.r0

/etc/ssl/certs/6bfe6153.0

/etc/ssl/certs/6bfe6153.r0

/etc/ssl/certs/7d801d2d.0

/etc/ssl/certs/7d801d2d.r0

/etc/ssl/certs/c5214e96.0

/etc/ssl/certs/c5214e96.r0

/etc/ssl/certs/dfda8db2.0

/etc/ssl/certs/dfda8db2.r0

/etc/ssl/certs/e65bea3e.0

/etc/ssl/certs/e65bea3e.r0