VMware Cloud Community
webuser2016
Contributor

Polling vCenter over SSL with no certificate errors

Hello,

We are using some scripts to query vCenter 5.5. We have an issue validating the vCenter (Windows based) certificate.

The same effect/error is also shown using the wget application, the "cannot verify certificate" issue:

wget https://mic-vc-sdn.cisco.com

root@abuzzi-ubuntu:/home/cisco# wget https://mic-vc-sdn.cisco.com   
--2015-10-06 21:13:56--  https://mic-vc-sdn.cisco.com/
Resolving mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)... 10.58.6.200
Connecting to mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)|10.58.6.200|:443... connected.
ERROR: cannot verify mic-vc-sdn.cisco.com's certificate, issued by '/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com':
  Unable to locally verify the issuer's authority.
To connect to mic-vc-sdn.cisco.com insecurely, use `--no-check-certificate'.
root@abuzzi-ubuntu:/home/cisco#

If I try to ask vCenter about its certificates, I get:

root@abuzzi-ubuntu:/home/cisco# openssl s_client -connect mic-vc-sdn.cisco.com:443 -debug
CONNECTED(00000003)
...
depth=0 O = "VMware, Inc.", OU = vCenterServer_2014.10.22_210909, CN = VMware default certificate, emailAddress = support@vmware.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = "VMware, Inc.", OU = vCenterServer_2014.10.22_210909, CN = VMware default certificate, emailAddress = support@vmware.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = "VMware, Inc.", OU = vCenterServer_2014.10.22_210909, CN = VMware default certificate, emailAddress = support@vmware.com
verify error:num=21:unable to verify the first certificate
verify return:1
...
---
Certificate chain
0 s:/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=VMware default certificate/emailAddress=support@vmware.com
   i:/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIDEAACMA0GCSqGSIb3DQEBCwUAMIGDMRUwEwYDVQQKDAxW
...
p7tAAiMXFTeZhTqJj+Auo2AtmHTtgPwTHh0AmfUjstKmsGUqnLK+qqd4tA==
-----END CERTIFICATE-----
subject=/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=VMware default certificate/emailAddress=support@vmware.com
issuer=/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com
---
No client certificate CA names sent
---
SSL handshake has read 1140 bytes and written 551 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID:
    Session-ID-ctx:
    Master-Key: E973F03DB66E03C73D9768BCDFA05F50F1C0F0F008A7D5A322642911B0328D23E560093007552E7278860886FB48554C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1444159085
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

From the vCenter I extracted what I think is the signed server certificate:

root@abuzzi-ubuntu:/usr/share/ca-certificates# openssl x509 -in server-mic-vc-sdn.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1048578 (0x100002)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=VMware, Inc., OU=vCenterServer_2014.10.22_210909, CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com
        Validity
            Not Before: Oct 21 19:13:31 2014 GMT
            Not After : Oct 19 19:13:31 2024 GMT
        Subject: O=VMware, Inc., OU=vCenterServer_2014.10.22_210909, CN=VMware default certificate/emailAddress=support@vmware.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:91:d3:5c:72:f2:08:42:58:cb:3c:fc:af:5f:ce:
                    dc:3c:70:2c:2c:02:a0:fc:90:c2:cc:37:82:ea:48:
                    31:16:bf:cb:6f:66:09:31:e8:84:4f:e7:c5:68:bd:
                    1f:98:ab:15:6b:50:38:13:39:87:3a:76:8f:32:c4:
                    3c:f3:d5:ee:0b:1a:50:bb:97:41:86:18:e8:32:01:
                    3b:94:5e:57:38:b5:61:32:1f:5a:9e:a1:0e:a8:66:
                    52:23:ad:36:e0:01:1a:38:d8:aa:0e:90:44:07:d2:
                    37:43:4f:61:1e:89:27:cb:74:92:be:7b:46:d0:f9:
                    7e:c4:d4:92:b6:77:38:4a:63:63:8f:a4:5e:28:83:
                    1e:ec:c4:53:47:0d:00:bf:5f:50:46:f6:cf:69:c5:
                    fc:c1:cb:0e:a5:69:41:19:1d:23:1a:22:e0:04:cf:
                    58:37:e6:c5:2a:a9:34:83:12:7c:f4:3f:db:2a:11:
                    10:07:e0:0b:ad:e7:40:88:5f:5a:ff:2d:2d:6e:6e:
                    91:77:3b:fc:8b:8b:61:d0:80:c2:03:12:46:bd:f0:
                    3c:4a:7e:4d:e1:01:23:a0:71:d1:f3:2a:07:f1:bb:
                    e4:29:d9:db:1f:2a:d6:c9:40:00:67:3a:bd:29:a2:
                    6b:90:7a:20:43:00:17:3c:14:ff:4e:9a:45:c7:87:
                    27:93
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment, Data Encipherment
            X509v3 Subject Alternative Name:
                DNS:mic-vc-sdn.cisco.com, DNS:mic-vc-sdn
    Signature Algorithm: sha256WithRSAEncryption
         33:64:d6:23:20:01:47:96:5a:67:c4:15:e9:48:84:8f:09:95:
         f7:a0:7e:05:03:cb:15:38:14:f5:d0:2a:25:47:8c:f3:ad:64:
         b2:f0:cf:96:4c:15:0a:41:18:5e:f3:ef:ec:c1:8b:bb:96:5d:
         af:f3:9c:47:9a:d2:e0:ff:c1:d5:8a:ef:45:9e:d1:b9:54:c2:
         c0:44:5b:77:22:e6:0c:7d:bc:e5:b1:e4:a0:5d:86:ef:a4:cb:
         02:88:5a:89:47:e5:b9:31:f2:b4:ce:ed:77:67:b6:11:bb:95:
         33:af:c4:4b:58:75:b6:42:f7:51:37:97:54:d7:e9:e2:64:d5:
         20:8b:ee:2a:79:70:8c:87:4b:27:f4:35:62:a7:d1:df:8c:17:
         91:c6:30:e6:17:fb:7f:02:0a:40:56:b0:10:07:46:9a:a7:d3:
         23:80:32:0e:e5:46:9f:4c:6d:54:80:c1:48:74:88:e1:bf:f2:
         cb:a0:57:4c:96:8b:c9:5c:54:47:48:75:36:01:cb:d2:3c:f2:
         1d:b6:34:a4:8a:57:74:97:45:f9:f9:e3:be:21:cc:a7:bb:40:
         02:23:17:15:37:99:85:3a:89:8f:e0:2e:a3:60:2d:98:74:ed:
         80:fc:13:1e:1d:00:99:f5:23:b2:d2:a6:b0:65:2a:9c:b2:be:
         aa:a7:78:b4
root@abuzzi-ubuntu:/usr/share/ca-certificates#

and what I suppose is the CA cert (?):

root@abuzzi-ubuntu:/usr/share/ca-certificates# openssl x509 -in ca-mic-vc-sdn.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 14946108354659487193 (0xcf6b3e5c55fa0dd9)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, CN=mic-vc-sdn, dc=vsphere,dc=local, C=US
        Validity
            Not Before: Oct 21 18:01:58 2014 GMT
            Not After : Oct 18 18:01:58 2024 GMT
        Subject: CN=CA, CN=mic-vc-sdn, dc=vsphere,dc=local, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c3:6d:8c:85:d9:f7:2a:49:b3:53:19:7c:9a:eb:
                    9c:21:a8:79:9a:b3:43:1a:95:58:8f:9e:9d:da:5e:
                    cf:b5:0e:e8:1d:45:ea:6c:6d:04:75:99:db:2e:9c:
                    92:97:8e:9a:49:16:5d:de:97:2a:9e:cf:1f:d0:02:
                    ed:8c:35:b4:41:92:60:78:14:25:14:f9:87:ff:01:
                    30:93:a9:f4:59:6e:2e:1f:af:24:c6:f6:d6:25:19:
                    fd:7d:3b:99:db:4b:18:e8:19:a9:30:a1:fb:6e:b9:
                    2e:aa:5f:43:23:26:95:37:b4:b8:51:cd:99:d8:e5:
                    f9:3b:a9:70:4b:9e:39:0a:e0:0f:5a:68:72:d9:b4:
                    54:63:5d:29:86:fe:39:c5:67:e6:8c:c4:b3:2e:e3:
                    72:38:bb:b1:b4:57:7c:75:0e:5c:25:81:cf:09:10:
                    3b:0a:aa:7f:7b:16:b8:70:92:8e:00:85:c8:7c:fa:
                    24:12:a7:9c:e8:12:84:1b:0f:4d:95:1d:c7:82:bd:
                    52:95:f2:e4:e0:d9:1f:cc:e5:5c:eb:1d:a2:54:3d:
                    64:32:8c:48:8a:76:c7:1f:20:e6:da:98:3b:f6:11:
                    de:e1:a6:4c:de:e6:f1:b0:3c:dd:c8:dc:f2:2b:af:
                    a5:0e:2e:a2:93:ab:9a:47:a6:45:52:d1:9a:f1:9e:
                    68:a1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         90:40:9c:67:ed:ca:d4:02:85:5e:14:d3:6e:e0:8c:d9:cc:48:
         76:77:b7:e5:07:ab:fd:28:a1:01:fc:df:64:75:f1:c7:a3:fe:
         81:6c:91:f6:6a:1b:c9:13:7a:3a:1e:06:85:99:c6:cb:f0:f7:
         15:6e:0a:2d:1c:a2:19:02:3e:29:00:a1:b2:56:0b:85:34:a2:
         2a:3f:79:93:25:2a:f9:72:78:33:f7:a5:f3:9c:d2:63:87:0a:
         32:5b:b9:f5:93:56:e7:ff:ea:1b:81:60:73:51:81:2f:2f:2e:
         87:df:91:5c:d4:af:a6:fc:1f:2e:1c:db:77:9a:b0:ba:b9:18:
         b0:57:26:c5:30:48:8f:7f:19:61:c9:13:7b:f3:0a:0f:6e:d8:
         a5:71:54:a3:e5:84:ec:76:39:ce:2e:e2:c3:68:5a:6f:23:1b:
         a7:60:6b:1c:48:84:83:f3:62:59:b9:0c:4e:64:ef:5a:35:d5:
         15:13:63:51:a6:74:db:e2:e8:2c:91:96:98:2b:70:99:07:71:
         2e:3b:7a:68:bd:05:9e:00:75:3b:ff:28:5c:00:d1:80:5b:5e:
         ab:c6:09:88:fc:47:13:a5:b0:33:f1:a0:af:7b:3f:3e:ac:d1:
         e8:94:b1:36:7a:bc:c8:dd:95:b2:ba:b4:f6:e0:e7:81:c1:3c:
         ec:47:04:55
root@abuzzi-ubuntu:/usr/share/ca-certificates#

However, the two certificates don't seem to relate to each other; indeed, if I try to validate their relationship I get:

root@abuzzi-ubuntu:/usr/share/ca-certificates# openssl verify -verbose -CAfile ca-mic-vc-sdn.crt server-mic-vc-sdn.crt
server-mic-vc-sdn.crt: O = "VMware, Inc.", OU = vCenterServer_2014.10.22_210909, CN = VMware default certificate, emailAddress = support@vmware.com
error 20 at 0 depth lookup:unable to get local issuer certificate
root@abuzzi-ubuntu:/usr/share/ca-certificates#

So the doubt I have is where to get the CA root certificate to put on the client device to validate the certificate used by vCenter.

Any idea?

Thx,

A.

webuser2016
Contributor

Hello,

update:

On a Windows client machine I tried to import the following into MMC.exe/Certificate/Computer/TrustedRootCertificationAuthority:

C:\ProgramData\VMware\VMware VirtualCenter\SSL\cacert.pem

I'm able to HTTPS to vCenter without a warning.

So now I know cacert.pem is the correct one and I just have to figure out how to import it on the Ubuntu client.

Thx!

webuser2016
Contributor

Hello,

The same cacert.crt is valid for Ubuntu as well:

cisco@abuzzi-ubuntu:~/aa$ ll
total 12
drwxrwxr-x  2 cisco cisco 4096 Oct  7 15:14 ./
drwxr-xr-x 18 cisco cisco 4096 Oct  7 14:53 ../
-rw-rw-r--  1 cisco cisco 1627 Oct  7 14:50 cacert.crt
cisco@abuzzi-ubuntu:~/aa$
cisco@abuzzi-ubuntu:~/aa$ wget https://mic-vc-sdn.cisco.com
--2015-10-07 15:15:05--  https://mic-vc-sdn.cisco.com/
Resolving mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)... 10.58.6.200
Connecting to mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)|10.58.6.200|:443... connected.
ERROR: cannot verify mic-vc-sdn.cisco.com's certificate, issued by '/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com':
  Unable to locally verify the issuer's authority.
To connect to mic-vc-sdn.cisco.com insecurely, use `--no-check-certificate'.
cisco@abuzzi-ubuntu:~/aa$
cisco@abuzzi-ubuntu:~/aa$
cisco@abuzzi-ubuntu:~/aa$ wget https://mic-vc-sdn.cisco.com --ca-certificate=cacert.crt
--2015-10-07 15:15:09--  https://mic-vc-sdn.cisco.com/
Resolving mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)... 10.58.6.200
Connecting to mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)|10.58.6.200|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3514 (3.4K) [text/html]
Saving to: 'index.html'
100%[======================================================================================>] 3,514       --.-K/s   in 0s
2015-10-07 15:15:09 (1.40 GB/s) - 'index.html' saved [3514/3514]


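The openssl verify error 20 in the first post and the working wget --ca-certificate run in the last one come down to the same two questions: is the candidate CA file even the issuer named in the server certificate, and does a full path build from the leaf to it. The script below is an added example, not code from the thread or from VMware; it creates a throwaway CA, a second unrelated CA and a server certificate with constructed names (Example vCenter CA, Example Unrelated CA, vc.example.test, and all file names), so both checks can be run offline against files using nothing but the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the "two certificates
# don't relate to each other" situation offline with a throwaway PKI and runs
# the two checks that expose it. Needs only the openssl CLI; every name below
# (Example vCenter CA, Example Unrelated CA, vc.example.test, file names) is
# constructed for the demo.
set -e

# Minimal openssl req config so nothing depends on a system openssl.cnf.
# $1 = output file, $2 = CN (also the SAN for a leaf), $3 = ca | leaf
write_req_cnf() {
  {
    printf '[ req ]\nprompt = no\ndistinguished_name = dn\nx509_extensions = ext\n'
    printf '[ dn ]\nO = Example Lab\nCN = %s\n' "$2"
    if [ "$3" = ca ]; then
      printf '[ ext ]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign\n'
    else
      printf '[ ext ]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n'
      printf 'subjectAltName = DNS:%s\n' "$2"
    fi
  } > "$1"
}

# Self-signed CA. $1 = work dir, $2 = base file name, $3 = CN
make_ca() {
  write_req_cnf "$1/$2.cnf" "$3" ca
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config "$1/$2.cnf" \
    -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Server (leaf) certificate signed by CA $2. $1 = work dir, $3 = hostname
make_leaf() {
  write_req_cnf "$1/leaf.cnf" "$3" leaf
  openssl req -new -newkey rsa:2048 -nodes -config "$1/leaf.cnf" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  # The [ ext ] section of the same file supplies the leaf's extensions.
  openssl x509 -req -days 365 -in "$1/leaf.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -extfile "$1/leaf.cnf" -extensions ext -out "$1/leaf.crt" 2>/dev/null
}

# Check 1: is the candidate CA the issuer named in the leaf at all?
# Prints "yes" or "no". Both DNs come from the same openssl binary, so a string
# compare after stripping the "issuer="/"subject=" prefix is reliable.
issuer_matches_subject() {   # $1 = leaf cert, $2 = candidate CA cert
  leaf_issuer=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
  ca_subject=$(openssl x509 -noout -subject -in "$2" | sed 's/^subject= *//')
  if [ "$leaf_issuer" = "$ca_subject" ]; then echo yes; else echo no; fi
}

# Check 2: full path validation (signature, validity period, CA:TRUE on the
# issuer), i.e. what wget --ca-certificate and openssl verify -CAfile do.
# Exit status 0 = chain builds, non-zero = it does not.
verify_chain() {   # $1 = leaf cert, $2 = CA file
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build the scenario from the thread: one CA that really signed the server
# certificate and one unrelated CA that merely lives on the same host.
build_demo_pki() {   # $1 = work dir
  make_ca "$1" right-ca "Example vCenter CA"
  make_ca "$1" wrong-ca "Example Unrelated CA"
  make_leaf "$1" right-ca vc.example.test
}

# Run both checks against one CA file and report. $1 = leaf, $2 = CA file
report() {
  printf '%s: issuer/subject match=%s, ' "$2" "$(issuer_matches_subject "$1" "$2")"
  if verify_chain "$1" "$2"; then echo "verify=OK"; else echo "verify=FAIL"; fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
report "$demo_dir/leaf.crt" "$demo_dir/right-ca.crt"   # match=yes, verify=OK
report "$demo_dir/leaf.crt" "$demo_dir/wrong-ca.crt"   # match=no, verify=FAIL
rm -rf "$demo_dir"
```

Pointing both checks at a vCenter's exported cacert.pem and its served leaf is the file-level form of the wget --ca-certificate test in the last post. When the first check prints "no", as it would for the ca-mic-vc-sdn.crt in the first post (Subject CN=CA, CN=mic-vc-sdn, ... versus a leaf Issuer CN=mic-vc-sdn.cisco.com), that file is simply not the issuer of the presented certificate, and no amount of importing it will make the client trust the server; the right CA has to be located first, which is what cacert.pem turned out to be.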