Hello,
We are using some scripts to query vCenter 5.5. We have an issue validating the vCenter (Windows-based) certificate.
The same effect/error is also shown using the wget application ("cannot verify certificate" issue):
wget https://mic-vc-sdn.cisco.com
root@abuzzi-ubuntu:/home/cisco# wget https://mic-vc-sdn.cisco.com
--2015-10-06 21:13:56-- https://mic-vc-sdn.cisco.com/
Resolving mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)... 10.58.6.200
Connecting to mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)|10.58.6.200|:443... connected.
ERROR: cannot verify mic-vc-sdn.cisco.com's certificate, issued by '/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com':
Unable to locally verify the issuer's authority.
To connect to mic-vc-sdn.cisco.com insecurely, use `--no-check-certificate'.
root@abuzzi-ubuntu:/home/cisco#
If I try to ask vcenter all about certificates, I get:
root@abuzzi-ubuntu:/home/cisco# openssl s_client -connect mic-vc-sdn.cisco.com:443 -debug
CONNECTED(00000003)
...
depth=0 O = "VMware, Inc.", OU = vCenterServer_2014.10.22_210909, CN = VMware default certificate, emailAddress = support@vmware.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = "VMware, Inc.", OU = vCenterServer_2014.10.22_210909, CN = VMware default certificate, emailAddress = support@vmware.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 O = "VMware, Inc.", OU = vCenterServer_2014.10.22_210909, CN = VMware default certificate, emailAddress = support@vmware.com
verify error:num=21:unable to verify the first certificate
verify return:1
...
---
Certificate chain
0 s:/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=VMware default certificate/emailAddress=support@vmware.com
i:/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID5zCCAs+gAwIBAgIDEAACMA0GCSqGSIb3DQEBCwUAMIGDMRUwEwYDVQQKDAxW
...
p7tAAiMXFTeZhTqJj+Auo2AtmHTtgPwTHh0AmfUjstKmsGUqnLK+qqd4tA==
-----END CERTIFICATE-----
subject=/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=VMware default certificate/emailAddress=support@vmware.com
issuer=/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com
---
No client certificate CA names sent
---
SSL handshake has read 1140 bytes and written 551 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: E973F03DB66E03C73D9768BCDFA05F50F1C0F0F008A7D5A322642911B0328D23E560093007552E7278860886FB48554C
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1444159085
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
From vCenter I extracted what I think is the signed server certificate:
root@abuzzi-ubuntu:/usr/share/ca-certificates# openssl x509 -in server-mic-vc-sdn.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1048578 (0x100002)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=VMware, Inc., OU=vCenterServer_2014.10.22_210909, CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com
Validity
Not Before: Oct 21 19:13:31 2014 GMT
Not After : Oct 19 19:13:31 2024 GMT
Subject: O=VMware, Inc., OU=vCenterServer_2014.10.22_210909, CN=VMware default certificate/emailAddress=support@vmware.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:91:d3:5c:72:f2:08:42:58:cb:3c:fc:af:5f:ce:
dc:3c:70:2c:2c:02:a0:fc:90:c2:cc:37:82:ea:48:
31:16:bf:cb:6f:66:09:31:e8:84:4f:e7:c5:68:bd:
1f:98:ab:15:6b:50:38:13:39:87:3a:76:8f:32:c4:
3c:f3:d5:ee:0b:1a:50:bb:97:41:86:18:e8:32:01:
3b:94:5e:57:38:b5:61:32:1f:5a:9e:a1:0e:a8:66:
52:23:ad:36:e0:01:1a:38:d8:aa:0e:90:44:07:d2:
37:43:4f:61:1e:89:27:cb:74:92:be:7b:46:d0:f9:
7e:c4:d4:92:b6:77:38:4a:63:63:8f:a4:5e:28:83:
1e:ec:c4:53:47:0d:00:bf:5f:50:46:f6:cf:69:c5:
fc:c1:cb:0e:a5:69:41:19:1d:23:1a:22:e0:04:cf:
58:37:e6:c5:2a:a9:34:83:12:7c:f4:3f:db:2a:11:
10:07:e0:0b:ad:e7:40:88:5f:5a:ff:2d:2d:6e:6e:
91:77:3b:fc:8b:8b:61:d0:80:c2:03:12:46:bd:f0:
3c:4a:7e:4d:e1:01:23:a0:71:d1:f3:2a:07:f1:bb:
e4:29:d9:db:1f:2a:d6:c9:40:00:67:3a:bd:29:a2:
6b:90:7a:20:43:00:17:3c:14:ff:4e:9a:45:c7:87:
27:93
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Subject Alternative Name:
DNS:mic-vc-sdn.cisco.com, DNS:mic-vc-sdn
Signature Algorithm: sha256WithRSAEncryption
33:64:d6:23:20:01:47:96:5a:67:c4:15:e9:48:84:8f:09:95:
f7:a0:7e:05:03:cb:15:38:14:f5:d0:2a:25:47:8c:f3:ad:64:
b2:f0:cf:96:4c:15:0a:41:18:5e:f3:ef:ec:c1:8b:bb:96:5d:
af:f3:9c:47:9a:d2:e0:ff:c1:d5:8a:ef:45:9e:d1:b9:54:c2:
c0:44:5b:77:22:e6:0c:7d:bc:e5:b1:e4:a0:5d:86:ef:a4:cb:
02:88:5a:89:47:e5:b9:31:f2:b4:ce:ed:77:67:b6:11:bb:95:
33:af:c4:4b:58:75:b6:42:f7:51:37:97:54:d7:e9:e2:64:d5:
20:8b:ee:2a:79:70:8c:87:4b:27:f4:35:62:a7:d1:df:8c:17:
91:c6:30:e6:17:fb:7f:02:0a:40:56:b0:10:07:46:9a:a7:d3:
23:80:32:0e:e5:46:9f:4c:6d:54:80:c1:48:74:88:e1:bf:f2:
cb:a0:57:4c:96:8b:c9:5c:54:47:48:75:36:01:cb:d2:3c:f2:
1d:b6:34:a4:8a:57:74:97:45:f9:f9:e3:be:21:cc:a7:bb:40:
02:23:17:15:37:99:85:3a:89:8f:e0:2e:a3:60:2d:98:74:ed:
80:fc:13:1e:1d:00:99:f5:23:b2:d2:a6:b0:65:2a:9c:b2:be:
aa:a7:78:b4
root@abuzzi-ubuntu:/usr/share/ca-certificates#
and what I suppose is the ca-cert (?):
root@abuzzi-ubuntu:/usr/share/ca-certificates# openssl x509 -in ca-mic-vc-sdn.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 14946108354659487193 (0xcf6b3e5c55fa0dd9)
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN=CA, CN=mic-vc-sdn, dc=vsphere,dc=local, C=US
Validity
Not Before: Oct 21 18:01:58 2014 GMT
Not After : Oct 18 18:01:58 2024 GMT
Subject: CN=CA, CN=mic-vc-sdn, dc=vsphere,dc=local, C=US
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:c3:6d:8c:85:d9:f7:2a:49:b3:53:19:7c:9a:eb:
9c:21:a8:79:9a:b3:43:1a:95:58:8f:9e:9d:da:5e:
cf:b5:0e:e8:1d:45:ea:6c:6d:04:75:99:db:2e:9c:
92:97:8e:9a:49:16:5d:de:97:2a:9e:cf:1f:d0:02:
ed:8c:35:b4:41:92:60:78:14:25:14:f9:87:ff:01:
30:93:a9:f4:59:6e:2e:1f:af:24:c6:f6:d6:25:19:
fd:7d:3b:99:db:4b:18:e8:19:a9:30:a1:fb:6e:b9:
2e:aa:5f:43:23:26:95:37:b4:b8:51:cd:99:d8:e5:
f9:3b:a9:70:4b:9e:39:0a:e0:0f:5a:68:72:d9:b4:
54:63:5d:29:86:fe:39:c5:67:e6:8c:c4:b3:2e:e3:
72:38:bb:b1:b4:57:7c:75:0e:5c:25:81:cf:09:10:
3b:0a:aa:7f:7b:16:b8:70:92:8e:00:85:c8:7c:fa:
24:12:a7:9c:e8:12:84:1b:0f:4d:95:1d:c7:82:bd:
52:95:f2:e4:e0:d9:1f:cc:e5:5c:eb:1d:a2:54:3d:
64:32:8c:48:8a:76:c7:1f:20:e6:da:98:3b:f6:11:
de:e1:a6:4c:de:e6:f1:b0:3c:dd:c8:dc:f2:2b:af:
a5:0e:2e:a2:93:ab:9a:47:a6:45:52:d1:9a:f1:9e:
68:a1
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Certificate Sign
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
90:40:9c:67:ed:ca:d4:02:85:5e:14:d3:6e:e0:8c:d9:cc:48:
76:77:b7:e5:07:ab:fd:28:a1:01:fc:df:64:75:f1:c7:a3:fe:
81:6c:91:f6:6a:1b:c9:13:7a:3a:1e:06:85:99:c6:cb:f0:f7:
15:6e:0a:2d:1c:a2:19:02:3e:29:00:a1:b2:56:0b:85:34:a2:
2a:3f:79:93:25:2a:f9:72:78:33:f7:a5:f3:9c:d2:63:87:0a:
32:5b:b9:f5:93:56:e7:ff:ea:1b:81:60:73:51:81:2f:2f:2e:
87:df:91:5c:d4:af:a6:fc:1f:2e:1c:db:77:9a:b0:ba:b9:18:
b0:57:26:c5:30:48:8f:7f:19:61:c9:13:7b:f3:0a:0f:6e:d8:
a5:71:54:a3:e5:84:ec:76:39:ce:2e:e2:c3:68:5a:6f:23:1b:
a7:60:6b:1c:48:84:83:f3:62:59:b9:0c:4e:64:ef:5a:35:d5:
15:13:63:51:a6:74:db:e2:e8:2c:91:96:98:2b:70:99:07:71:
2e:3b:7a:68:bd:05:9e:00:75:3b:ff:28:5c:00:d1:80:5b:5e:
ab:c6:09:88:fc:47:13:a5:b0:33:f1:a0:af:7b:3f:3e:ac:d1:
e8:94:b1:36:7a:bc:c8:dd:95:b2:ba:b4:f6:e0:e7:81:c1:3c:
ec:47:04:55
root@abuzzi-ubuntu:/usr/share/ca-certificates#
However, the two certificates don't seem to relate to each other; indeed, if I try to validate their relationship I get:
root@abuzzi-ubuntu:/usr/share/ca-certificates# openssl verify -verbose -CAfile ca-mic-vc-sdn.crt server-mic-vc-sdn.crt
server-mic-vc-sdn.crt: O = "VMware, Inc.", OU = vCenterServer_2014.10.22_210909, CN = VMware default certificate, emailAddress = support@vmware.com
error 20 at 0 depth lookup:unable to get local issuer certificate
root@abuzzi-ubuntu:/usr/share/ca-certificates#
So the doubt I have is where I get the CA root certificate to put on the client device to validate the certificate used by vCenter.
Any idea?
Thx,
A.
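An added example, not from the poster above: a throw-away reproduction of the "error 20 at 0 depth lookup" result. The server certificate printed above says "Issuer: ... CN=mic-vc-sdn.cisco.com", while the candidate CA file's Subject is "CN=CA, CN=mic-vc-sdn, dc=vsphere, dc=local", so that file cannot be the signer no matter what else is in it. The script below generates its own CA, an unrelated second CA and a server certificate (all names, such as Example Root CA and vcenter.example.test, are constructed), defines issuer_matches to compare the leaf's Issuer DN with a candidate's Subject DN, and verify_chain to run the same openssl verify command as in the thread. It assumes only that openssl is on PATH; it writes to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates, with constructed certificates,
# why "openssl verify -CAfile candidate.crt server.crt" fails when the candidate
# file is not the CA that signed the server certificate, and shows the
# issuer/subject comparison that distinguishes the two cases before full validation.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
# CA-shaped extensions, like the thread's cacert (critical CA:TRUE, critical keyCertSign).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
# Server-shaped extensions, like the thread's server cert (CA:FALSE, serverAuth, SAN).
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vcenter.example.test\n' > leaf.ext

# make_ca NAME SUBJECT: self-signed CA certificate NAME.crt with private key NAME.key
make_ca() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -extfile ca.ext -out "$1.crt" 2>/dev/null
}

# make_leaf NAME SUBJECT CA: server certificate NAME.crt signed by CA.crt / CA.key
make_leaf() {
  openssl genrsa -out "$1.key" 2048 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 1 -extfile leaf.ext -out "$1.crt" 2>/dev/null
}

make_ca   ca      "/O=Example/CN=Example Root CA"         # the CA that really signs the server cert
make_ca   otherca "/CN=CA/CN=other/DC=vsphere/DC=local"   # unrelated CA, like the thread's second file
make_leaf server  "/O=Example/CN=vcenter.example.test" ca

# issuer_matches CANDIDATE_CA LEAF: exit 0 if LEAF's Issuer DN equals CANDIDATE_CA's Subject DN.
# A mismatch here is exactly what produces "error 20 ... unable to get local issuer certificate".
# RFC2253 formatting keeps the string comparison stable across OpenSSL versions.
issuer_matches() {
  issuer=$(openssl x509 -in "$2" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
  [ "$issuer" = "$subject" ]
}

# verify_chain CANDIDATE_CA LEAF: full path validation (signature, validity, CA flags),
# i.e. the same check as the thread's "openssl verify -CAfile" command.
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: report both candidate files against the server certificate.
for cand in ca.crt otherca.crt; do
  if issuer_matches "$cand" server.crt; then
    echo "$cand: issuer DN matches the candidate's subject DN"
  else
    echo "$cand: issuer DN does NOT match (expect error 20 from openssl verify)"
  fi
  if verify_chain "$cand" server.crt; then
    echo "$cand: openssl verify OK"
  else
    echo "$cand: openssl verify FAILED"
  fi
done
```

The first function is only a pre-check: a matching DN is necessary but not sufficient (an unrelated CA could reuse the same name), so verify_chain, which checks the signature and the CA extensions, is still the decisive test. Running the script prints a match and "verify OK" for ca.crt and a mismatch plus "verify FAILED" for otherca.crt.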
Hello,
update:
I tried on a client Windows machine to import into MMC.exe/Certificate/Computer/TrustedRootCertificationAuthority the following:
C:\ProgramData\VMware\VMware VirtualCenter\SSL\cacert.pem
I'm able to https to vcenter without warning.
So now I know the cacert.pem is the correct one and I just have to figure out how to import it on the Ubuntu client.
Thx!
Hello,
The same cacert.crt is valid for Ubuntu as well:
cisco@abuzzi-ubuntu:~/aa$ ll
total 12
drwxrwxr-x 2 cisco cisco 4096 Oct 7 15:14 ./
drwxr-xr-x 18 cisco cisco 4096 Oct 7 14:53 ../
-rw-rw-r-- 1 cisco cisco 1627 Oct 7 14:50 cacert.crt
cisco@abuzzi-ubuntu:~/aa$
cisco@abuzzi-ubuntu:~/aa$ wget https://mic-vc-sdn.cisco.com
--2015-10-07 15:15:05-- https://mic-vc-sdn.cisco.com/
Resolving mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)... 10.58.6.200
Connecting to mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)|10.58.6.200|:443... connected.
ERROR: cannot verify mic-vc-sdn.cisco.com's certificate, issued by '/O=VMware, Inc./OU=vCenterServer_2014.10.22_210909/CN=mic-vc-sdn.cisco.com/emailAddress=support@vmware.com':
Unable to locally verify the issuer's authority.
To connect to mic-vc-sdn.cisco.com insecurely, use `--no-check-certificate'.
cisco@abuzzi-ubuntu:~/aa$
cisco@abuzzi-ubuntu:~/aa$
cisco@abuzzi-ubuntu:~/aa$ wget https://mic-vc-sdn.cisco.com --ca-certificate=cacert.crt
--2015-10-07 15:15:09-- https://mic-vc-sdn.cisco.com/
Resolving mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)... 10.58.6.200
Connecting to mic-vc-sdn.cisco.com (mic-vc-sdn.cisco.com)|10.58.6.200|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3514 (3.4K) [text/html]
Saving to: 'index.html'
100%[======================================================================================>] 3,514 --.-K/s in 0s
2015-10-07 15:15:09 (1.40 GB/s) - 'index.html' saved [3514/3514]