VMware Cloud Community
LINCADMIN
Contributor

vCenter 6.0U1b VMCA - Machine SSL Install Failure due to "Server certificate chain not verified"

We recently upgraded our vCenter from version 5.5 to 6.0 U1b (process went smoothly). We have the PSC running embedded on the Windows vCenter Server. We started running into troubles when trying to setup/configure certificate services (being secure and all, ya know). Here is a general item-level overview:

- Upgraded vCenter (everything working)

- Followed Derek Seaman's guide to setup the vCenter as a subordinate (VMCA certificate creation and install was successful)

http://www.derekseaman.com/2015/04/vsphere-6-0-install-pt-11-vmca-as-subordinate.html

- Continuing to follow the guide, we attempted to generate and install the Machine SSL from the VMCA (failed upon starting the VMware Component Manager service)

- Investigated logs and opened support case with VMware

* CM log pointed to "Server certificate chain not verified"

- Attempted many different steps at this point (utilized snapshot of vCenter before certificate changes)

* reverting back to self-signed and running through process manually

* manually injecting root/chain certificate

* recreating VECS certificate stores

* generating and installing manually created custom CA certificates

We have escalated the VMware Support case and are still working with support, but wanted to check with the community to see if anyone else might've run into something similar or have any insight that could possibly point us in the correct direction.

Certificate Authority Services background (2 separate):

1. Current/Old certificate authority

a. This is a single root/issuing CA

b. SHA1 2048

2. New certificate Authority (one we are trying to utilize and work with)

a. Offline Root CA

b. Online Enterprise Subordinate/Issuing/Intermediate CA

c. Separate Web Enrollment server

Further troubleshooting steps taken to rule out miscellaneous pieces:

- Deployed a new vCenter VM

- Installed vCenter 6.0 U1b accordingly (took snapshot of course)

- Generated and Installed VMCA certificate from New CA (no issues)

- Generated and attempted install of Machine SSL certificate from VMCA (failed again with same "Server certificate chain not verified")

- Reverted to snapshot

- Generated and Installed VMCA certificate from Current/Old CA (no issues)

- Generated and Installed Machine SSL certificate from VMCA (successful)

I have compared CA permissions and attempted adding delegation for the new vCenter; no luck. It still seems to be something with the certificate chain (of course according to the error) but I can't figure it out.

Any help would be greatly appreciated!

3 Replies
vmEck
Hot Shot

Take a look at the resources here that will walk you through the subordinate CA pieces. You have an additional CA you need to add to the chain of trust but that should be easy enough. Otherwise it should be a very similar walkthrough.

You can watch the youtube videos or hit the link to the feature walkthroughs site. The slide deck might also be helpful.

http://vmware.com/go/inf4529

LINCADMIN
Contributor

I checked through the slides but didn't see anything pointing to the specific commands.

I will try and view the videos tomorrow and see if I find what I'm missing.

When you say that I need to add an additional CA to the chain, are you referring to manually creating the chain.cer file to include the Root, Intermediate, and VMCA/Machine certificate? If so, I have already done that. I've made sure to also add the --chain portion when attempting the manual process of installing the certificates.

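The thread turns on one difference between the two PKIs: the old CA is a single root, while the new one has an offline root plus an online enterprise issuing CA, so the Machine SSL cert now sits four tiers deep (root, issuing CA, VMCA, leaf) and the bundle handed to vCenter must carry every CA between the leaf and the trusted root. The script below is an added example, not from the original post or from VMware; it builds a throw-away hierarchy of that shape with the openssl CLI (assumed to be installed; all names, hostnames and file names are constructed) and runs `openssl verify` against a correct bundle and against one that omits the issuing CA, which reproduces the "chain not verified" class of failure in a way that can be checked before touching the certificate-manager or VECS.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces the poster's new PKI shape
# (offline root -> enterprise issuing CA -> VMCA -> Machine SSL cert) with
# throw-away keys and shows how chain verification fails when the
# intermediate tier is left out of the bundle. All names are constructed.
set -e

# issue NAME PARENT SUBJECT_CN EXTFILE: generate a key and CSR for NAME and
# sign it with PARENT's key, applying the extensions in EXTFILE.
issue() {
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -key "$1.key" -subj "/CN=$3" -out "$1.csr"
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
        -days 1 -extfile "$4" -out "$1.crt" 2>/dev/null
}

# build_demo_pki DIR: create the four-tier hierarchy plus two candidate bundles.
# Runs in a subshell so the cd does not leak into the caller.
build_demo_pki() (
    mkdir -p "$1" && cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:vcenter.example.test\n' > leaf.ext

    # Offline root: self-signed.
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -key root.key -subj "/CN=Demo Offline Root CA" -out root.csr
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.crt 2>/dev/null

    issue issuing root    "Demo Enterprise Issuing CA" ca.ext   # online subordinate CA
    issue vmca    issuing "Demo VMCA"                  ca.ext   # VMCA as subordinate
    issue machine vmca    "vcenter.example.test"       leaf.ext # Machine SSL certificate

    # Correct bundle: every CA between the leaf and the trusted root.
    cat vmca.crt issuing.crt > full-chain.pem
    # Mistaken bundle: the enterprise issuing tier the old single-root PKI never had.
    cat vmca.crt > short-chain.pem
)

# verify_chain ROOT LEAF [BUNDLE]: exit 0 only if LEAF chains up to ROOT,
# using BUNDLE as the untrusted intermediates (if given).
verify_chain() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2"
    else
        openssl verify -CAfile "$1" "$2"
    fi
}

# Demo run; DEMO_DIR is kept so the generated files can be inspected.
DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR"
echo "--- bundle with issuing CA and VMCA:"
verify_chain "$DEMO_DIR/root.crt" "$DEMO_DIR/machine.crt" "$DEMO_DIR/full-chain.pem"
echo "--- bundle missing the issuing CA:"
verify_chain "$DEMO_DIR/root.crt" "$DEMO_DIR/machine.crt" "$DEMO_DIR/short-chain.pem" \
    || echo "verification failed as expected: no path from VMCA to the trusted root"
```

The same `openssl verify -CAfile <root> -untrusted <bundle> <leaf>` call is a useful sanity check on a real chain file before it is fed to the certificate tooling: if it fails with "unable to get local issuer certificate", the bundle is missing a tier, which matches the reply above about the additional CA that has to be added to the chain of trust.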
vmEck
Hot Shot

Take a look starting here > Product Walkthroughs
