moderatelo
Contributor

When converting vCenter from Embedded to External PSC receive an SSL error "certificate verify failed (_ssl.c:661)"

I am trying to convert my 2nd vCenter to an External PSC so I can set up cross-vCenter NSX, and I am getting this "certificate verify failed" error. I installed the certificate on my computer, so it now shows a secure connection when I log in through the browser; however, I am still not able to run this command in the vCenter CLI.

Both environments are vSphere 6.5 U1

root@Test-VC [ ~ ]# cmsso-util reconfigure --repoint-psc psc-01.example.com --username Administrator --domain-name example.com --passwd "example"
Validating Provided Configuration ...
Falied to open connection https://psc01.example.com:443/websso/ Error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Please check the configuration and retry

Finikiez
Champion

Hello!

Is it a copy/paste from your command line?

"--repoint-psc psc-01.example.com" and from the error "https://psc01.example.com:443/websso/": no dash between psc and 01.

Did you check your DNS and cert? Do they have correct names?

moderatelo
Contributor

No, DNS is not an issue here.

I was able to convert one vCenter to External PSC already; it is when I try to do the 2nd one that it throws that error.

Finikiez
Champion

Can you successfully open the certificate from the URL https://psc01.example.com:443/websso/? Is it correct? Is the name correct?

Also, does it have a self-signed cert or a cert from your CA?

moderatelo
Contributor

The certificate appears to be correct; I even exported and installed it, so now when I go to my vCenter or PSC it does not complain about security.

Also, the cert seems to be from the CA, which is VMware by default.

alex_bax1
Enthusiast

Same issue here. Any luck?

moderatelo
Contributor

No luck so far.

I have a tech case open with VMware but not much help there either.

One of my vCenters is set up with a different site name, so according to VMware support there is no way to really combine those except by deploying a 2nd PSC with the same site name.

Which I did, but this 2nd PSC could not synchronize with the original PSC, so I am back to square one. I will try to redeploy this PSC again at some point.

I suppose I could redeploy one of my vCenters with the same site name; then, I am only guessing, I should be OK with one PSC.

alex_bax1
Enthusiast

Thanks. My situation was a little different. I had a failed PSC (corrupt VMDK) and I was deploying a new one for that site.

After opening a support case, it turns out that if you only have 1 PSC in a site, it is not possible to deploy another PSC in that same site if the original PSC for the site is not available. I was under the impression that it would re-sync everything it needs from another site's PSC. This did seem to work fine, and the new PSC was showing no issues other than that I was unable to re-point to it!

I had to resort to a restore of all SSO domain PSCs from the same point in time, which also required a VCSA machine account password reset to get the vCenter talking to them again.

I will deploy at least 2 PSCs per site from now on...

szilagyic
Hot Shot

Any update on this? I'm having the exact same problem. I'm about to open a ticket on it but wanted to check.

dcisternas
Contributor

I have the same problem here. I see a lot of people have the same issue. I upgraded from 6.0U3 to 6.5U1 at my client, and now I need to migrate the PSC for the enhanced mode deployment. Today I opened a ticket. Does anyone have a solution?

Thanks

dcisternas
Contributor

root@vcapp [ /usr/lib/vmware-vmca/bin ]# openssl s_client -showcerts -connect vcappprdpsc.cyt.???.cl:443
CONNECTED(00000003)
depth=0 CN = vcappprdpsc.cyt.???.cl, C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vcappprdpsc.cyt.???.cl, C = US
verify error:num=21:unable to verify the first certificate
verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: DEA295C58B45E365DD1AAD25725771CE09E2961907D4786023D3DA7807F1CF0C483D48B69707ABBEEFBC24B712FBA812
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1512396787
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)

dcisternas
Contributor

I found the solution.

The problem is that the update to 6.5U1 does not copy the new certificate authorities into the /etc/ssl/certs location. Comparing the number of certificates with a new 6.5U1 vCenter, 12 certificates were missing; this I guess is a BUG of the upgrade.

After copying the remaining certificates the problem disappeared.

These are the lost certificates:

/etc/ssl/certs/5e03e64c.0
/etc/ssl/certs/5e03e64c.r0
/etc/ssl/certs/6bfe6153.0
/etc/ssl/certs/6bfe6153.r0
/etc/ssl/certs/7d801d2d.0
/etc/ssl/certs/7d801d2d.r0
/etc/ssl/certs/c5214e96.0
/etc/ssl/certs/c5214e96.r0
/etc/ssl/certs/dfda8db2.0
/etc/ssl/certs/dfda8db2.r0
/etc/ssl/certs/e65bea3e.0
/etc/ssl/certs/e65bea3e.r0

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID:
    Session-ID-ctx:
    Master-Key: 41DE589E24BD87140C47DD97DB1233BF770D5EE636594F5AD26C24D38F295D7A8683CBB797D6F5CE9AFBBF8A21C93A6C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1512564521
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)

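As an added example (not from this thread or from VMware's tooling), the script below reproduces the failure above with a throwaway CA: the leaf does not verify while its issuer is missing from the CApath, a directory comparison like the one against a fresh appliance names the missing file, and the verify passes once the CA is installed under the hashed file name (<subject_hash>.0) that /etc/ssl/certs relies on. The CA name, host name and directories are constructed; only the openssl CLI is assumed.

```shell
#!/bin/sh
# Constructed example (not from the thread): reproduce the verify failure with a
# throwaway CA, then fix it by installing that CA under the hashed name that
# /etc/ssl/certs uses (<subject_hash>.0 for CA certs, <subject_hash>.r0 for CRLs).
set -eu

# Throwaway root CA (stand-in for the VMCA root) and a leaf it signs (stand-in
# for the PSC certificate). $1 = scratch directory.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Constructed VMCA Root" -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=psc01.example.com/C=US" \
    -keyout "$1/psc.key" -out "$1/psc.csr" 2>/dev/null
  openssl x509 -req -in "$1/psc.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -sha256 -out "$1/psc.pem" 2>/dev/null
}

# The chain check a TLS client performs: look the leaf's issuer up in a hashed
# CApath. $1 = leaf PEM, $2 = CApath. Success is read from the ": OK" line
# because old openssl builds exit 0 even when verification fails.
verify_leaf() {
  openssl verify -CApath "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Install a CA the way c_rehash does: copy it to <subject_hash>.0 in the CApath.
# $1 = CA PEM, $2 = CApath. Prints the file name it created.
install_ca() {
  h=$(openssl x509 -in "$1" -noout -hash)
  cp "$1" "$2/$h.0"
  echo "$h.0"
}

# Entries present in a reference certs directory but absent from another one
# (the comparison against a fresh appliance). $1 = reference, $2 = under test.
missing_entries() {
  t=$(mktemp)
  ls "$1" | sort > "$t"
  ls "$2" | sort | comm -23 "$t" -
  rm -f "$t"
}

# Walk-through: verify fails with an empty CApath, the diff names the missing
# file, and verify succeeds once the CA is installed under its hashed name.
W=$(mktemp -d); mkdir "$W/certs" "$W/ref"
make_chain "$W"
verify_leaf "$W/psc.pem" "$W/certs" || echo "before: issuer not found in $W/certs"
install_ca "$W/ca.pem" "$W/ref" >/dev/null
echo "missing from certs/: $(missing_entries "$W/ref" "$W/certs")"
install_ca "$W/ca.pem" "$W/certs" >/dev/null
verify_leaf "$W/psc.pem" "$W/certs" && echo "after: chain verifies OK"
```

On an appliance the same comparison is `missing_entries` run against /etc/ssl/certs of a known-good 6.5U1 vCenter and the upgraded one; the .r0 entries are CRL hash names and are not created by `install_ca`.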