vCenter 6.5 Installation with F5 PSC LB - Self signed certs as per KB 2147018

Any help appreciated.

[link: VMware Knowledge Base article; attached screenshot: pastedImage_0.png]

------------------------------------------------------------------------- Follow me @ www.vmwareguruz.com Please consider marking this answer "correct" or "helpful" if you found it useful T. Sateesh VCIX-NV, VCAP 5-DCA/DCD,VCP 6-NV,VCP 5 DCV/Cloud/DT, ZCP IBM India Pvt. Ltd
9 Replies
daphnissov
Immortal

Can you give us some context here? More information to go on than just a single error message in a screenshot?


We are in the process of setting up a new vCenter 6.5 for our pre-prod environment.

Two PSC appliances have been deployed and configured behind an F5 load balancer.

I'm trying to install vCenter Server using the PSC VIP and got this error message.

daphnissov
Immortal

What does your certificate look like that you've assigned to your PSCs?


Please find the certificate details from the PSCs below (both have the same details):

data removed to avoid compliance issues

daphnissov
Immortal

That's not enough detail to know. You need to have the VIP FQDN as the common name, and all the names including real nodes in the SAN. Do you have that?


Thanks for your efforts in analyzing this issue:

"VIP FQDN as the common name, and all the names including real nodes in the SAN" - yes, we used the VIP FQDN.

Can you help me clarify what "real nodes in the SAN" means?

daphnissov
Immortal

In the Subject Alternative Name (SAN) feature of the certificate, you must list the hostnames of the real nodes as well. This is stated in KB 2147627 so be sure to follow that guide. You also want to ensure you're following the guide on proper F5 configuration guidelines for the PSC VIP.
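As an added example (not from this thread, VMware, or F5), the naming rule above, CN equal to the PSC VIP FQDN and the SAN listing the VIP plus every real PSC node, can be checked before the certificate is installed. The hostnames psc-vip.example.local, psc01/psc02.example.local are placeholders, and SelfSignedForTest only builds a constructed throwaway certificate so the check runs offline; the check covers names only, not chain or trust.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CheckPSCCert applies the naming rule from the thread: the Subject CN must be
// the PSC VIP FQDN and the SAN must list the VIP plus every real PSC node.
// It returns one message per problem; an empty slice means the names are fine.
func CheckPSCCert(cert *x509.Certificate, vipFQDN string, nodes []string) []string {
	var problems []string
	if !strings.EqualFold(cert.Subject.CommonName, vipFQDN) {
		problems = append(problems, fmt.Sprintf("CN is %q, expected VIP %q", cert.Subject.CommonName, vipFQDN))
	}
	san := map[string]bool{} // DNS names are case-insensitive, so compare lower-cased
	for _, d := range cert.DNSNames {
		san[strings.ToLower(d)] = true
	}
	for _, name := range append([]string{vipFQDN}, nodes...) {
		if !san[strings.ToLower(name)] {
			problems = append(problems, fmt.Sprintf("SAN is missing %q", name))
		}
	}
	return problems
}

// SelfSignedForTest builds a throwaway self-signed certificate with the given
// CN and SAN DNS names: a constructed sample so the checker can run offline.
func SelfSignedForTest(cn string, dnsNames []string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: dnsNames,
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To check a real PSC certificate, decode the PEM with encoding/pem and x509.ParseCertificate and pass the result to CheckPSCCert with your VIP and node FQDNs.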

We followed the given KBs and are going to open a case with VMware support.


VMware GSS response, if you are following this post:

Looking at the logs provided, it appears that vCenter is failing to properly authenticate to the vmdir service on the PSCs. We see this in the vmdird-syslog logs on PSC1, which was primary at the time:

17-12-28T04:08:36.194990+00:00 err vmdird  t@140310692730624: VmDirSendLdapResult: Request (Add), Error (68), Message (BEEntryAdd (9706)((MDB_KEYEXIST: Key/data pair already exists)(cn=host/XXXXXXXXXXXX@vsphere.local,cn=managed service accounts,dc=vsphere,dc=local))), (0) socket (10.61.246.252)

17-12-28T04:08:36.471750+00:00 err vmdird  t@140310692730624: SASLSessionStep: sasl error (-13)(SASL(-13): authentication failure: client evidence does not match what we calculated. Probably a password error)

17-12-28T04:08:36.472451+00:00 err vmdird  t@140310692730624: VmDirSendLdapResult: Request (Bind), Error (49), Message ((49)(SASL step failed.)), (0) socket (10.61.246.252)

17-12-28T04:08:36.472695+00:00 err vmdird  t@140310692730624: Bind Request Failed (10.61.246.252) error 49: Protocol version: 3, Bind DN:

dc=vsphere,dc=local", Method: SASL

This is telling us a few things: we are attempting to add an account entry for vCenter, but it already exists in the vmdir database, which it shouldn't if this is a brand new deployment. We are failing to authenticate because the password being presented for this account is different, so we cannot fully bind to the PSC to complete the installation.

Is this the first time this vCenter has been attempted to be joined to these PSCs or have there been attempts in the past, either to the vip or to the individual PSCs, with varying success?
