VMware Cloud Community
rbjohnson78
Contributor

Certificate Management

Anyone ever come across this message when trying to import a cert into "Machine SSL Certificate" in vcenter 7: Error occurred while fetching tls: the trustAnchors parameter must be non-empty

28 Replies
hakanlund
Contributor

I found myself having this exact issue again and found another workaround.
My guess is that VMware has an issue with the last cert in the chain:

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

So I tested replacing it with the ISRG Root X1 cert from: https://letsencrypt.org/certs/isrgrootx1.pem.txt
and that worked for me.

TL;DR: remove the last cert in the fullchain file and the chain file, and add the cert from https://letsencrypt.org/certs/isrgrootx1.pem.txt at the end of both files.

tesfayea1
Contributor

Any update on this? I have the same issue.

tesfayea1
Contributor

The LetsEncrypt fullchain.pem contains the site certificate and two other CA certificates.

Both the CA certificates show up in VCSA in the Trusted Root Certificates list (checked the hex signatures and dates).

Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Validity
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Let's Encrypt, CN = R3

Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Validity
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1

I tried replacing the Machine SSL Cert with the LE cert for the site from this, along with the private key, but the form demands the chain be supplied for the submit button to work, and supplying both or either of the CA certs still results in the same error.

"Error occurred while fetching tls: the trustAnchors parameter must be non-empty"

rbjohnson78
Contributor

This is what I did for the full chain. Hopefully this helps. Took me a long time to figure this out.

Issue a new CSR...

  1. Open WinSCP
    1. Use SFTP file protocol
    2. FQDN for host name
    3. root for user name
  2. After login, navigate to the /tmp folder or the folder you chose when exporting the csr and key
  3. Copy the files below to a directory on your local PC
    1. vmca_issued_csr.csr
    2. vmca_issued_key.key
  4. Use the copied csr file to submit to the CA authority
  5. Generate the cert for Apache use
  6. Once the cert is generated, download the file type as
    1. A P7B bundle of all the certs in a .p7b file
  7. Open the bundle after download
  8. Right click each cert > all tasks > export
  9. Click next to get you to the format options
  10. Select Base-64 encoded x.509 (.CER)
  11. Browse to a folder to export the .cer files to
  12. Use the following naming convention for each cert to make it easier to identify
    1. Vcenterhostname.domain.com: MachineSSL.cer
    2. DigiCert Global Root CA: Root.cer
    3. DigiCert TLS RSA SHA256 2020: Intermediate.cer
      (Cert names should be similar depending on your CA)

Create the chain...

  1. Open the newly created Intermediate.cer file with notepad
  2. Highlight and Copy everything in the open doc
  3. Open the Root.cer file with notepad
  4. Paste the information from the Intermediate.cer file to the top of the Root.cer file.
  5. Save the Root.cer file but don’t close it
  6. Select and copy all text in the Root.cer
  7. Open the MachineSSL.cer file with notepad
  8. Paste the copied text from Root.cer file to the bottom of the doc
  9. You will now have the full chain and three certs embedded
  10. Save the MachineSSL.cer file
iandekit
Contributor

Thanks people, but I'm hesitant to spend more time on testing possible solutions here.

Last test I ran effectively destroyed my 7.0.3 u3d VCSA but I didn't know that until a few weeks later when I rebooted; and VPXd wouldn't start anymore and config backups had cycled away by then.

I had to do a fresh install of u3e as the upgrade failed to work either.

I should have snapshotted it before testing. Reboots take 15 minutes before it's usable, which is quite annoying.

hakanlund
Contributor

I'm running two different vcenter servers and on the first one I can import Let's Encrypt certificates without any issues, on the second one I could not. On the second vcenter server I could import certificates if I replaced the last certificate in the chain as explained earlier.

However, I found that on the second vCenter server I had a trusted root certificate with ID 79B459E67BB6E5E40173800888C81A58F6E99B6E that was issued by DST Root CA X3 and valid until Sep 30, 2024, but on the first vCenter server the trusted root certificate with the same ID is issued by ISRG Root X1 and valid until June 4, 2035.
The cert on my first vCenter server is the same one I used when replacing the cert in the chain, acquired from https://letsencrypt.org/certificates/ (https://letsencrypt.org/certs/isrgrootx1.pem).

On the second vCenter server I followed this guide https://kb.vmware.com/s/article/2146011 on how to remove a certificate from the store, to remove the certificate with ID 79B459E67BB6E5E40173800888C81A58F6E99B6E, and then through the UI I added the https://letsencrypt.org/certs/isrgrootx1.pem certificate to the Trusted Root Certificates.

After I had replaced the trusted root certificate on the second vCenter server, it also accepted Let's Encrypt certificates without issue.

TValis
Contributor

The answer provided by hakanlund resolved it for me. Here is how I implemented it.

In the GUI I selected "Import and replace certificate" under the machine cert and chose the option to replace with an external CA certificate (requires private key). When presented with the three boxes, I uploaded the following files provided by the Let's Encrypt certbot:

Machine SSL Certificate:  cert.pem

Chain of trusted root certificates: chain.pem

Private Key:  privkey.pem

Then I opened isrgrootx1.pem with a text editor and copied all to the clipboard and then in the box for the Chain of trusted root certificates I scrolled down to the end of the first cert and beginning of the next. I held shift while paging down and selected all of the second cert and deleted it and pasted the contents of my clipboard which contained the isrgrootx1.pem certificate.

I then clicked replace and it was successful.

rcolliard
Contributor

Hi

Just to let you know that on my side it had to do with windows encoding. I did a "dos2unix" on my files and I was able to import everything without this annoying error about trusted anchor.

Raphael

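A small added script (mine, not code from anyone in this thread) that does hakanlund's and TValis's chain surgery and rcolliard's dos2unix normalization in one step: it strips a BOM and CRLF line endings from certbot's fullchain.pem, drops the last certificate (the ISRG Root X1 cross-signed by DST Root CA X3) and appends the self-signed isrgrootx1.pem. The certificates below are constructed placeholders with fake bodies, and the hostname vcenter.example.com is made up.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n(.*?)\n-----END CERTIFICATE-----", re.S)


def _fake_cert(label):
    # Constructed stand-in: valid base64, but NOT a real DER certificate.
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body


# Stand-ins for cert.pem, R3, the DST-signed ISRG Root X1 and the self-signed one.
SITE_CERT = _fake_cert("vcenter.example.com leaf")
R3_INTERMEDIATE = _fake_cert("R3, issued by ISRG Root X1")
CROSS_SIGNED_ROOT = _fake_cert("ISRG Root X1, issued by DST Root CA X3")
SELF_SIGNED_ROOT = _fake_cert("ISRG Root X1, self-signed")

# fullchain.pem after a round trip through a Windows editor: BOM plus CRLF.
FULLCHAIN_CRLF = "\ufeff" + "\r\n".join(
    c.replace("\n", "\r\n") for c in (SITE_CERT, R3_INTERMEDIATE, CROSS_SIGNED_ROOT)
) + "\r\n"


def normalize(text):
    """What dos2unix does, plus dropping a UTF-8 BOM: CR/CRLF become LF."""
    return text.lstrip("\ufeff").replace("\r\n", "\n").replace("\r", "\n")


def lint(text):
    """Flag the file-level problems rcolliard hit (BOM, CRLF) and unparseable blocks."""
    findings = []
    if text.startswith("\ufeff"):
        findings.append("BOM")
    if "\r" in text:
        findings.append("CRLF")
    for m in PEM_BLOCK.finditer(normalize(text)):
        try:
            base64.b64decode(m.group(1).replace("\n", ""), validate=True)
        except ValueError:
            findings.append("bad base64 in a certificate block")
    return findings


def split_certs(text):
    """PEM certificate blocks in file order, LF line endings, nothing else kept."""
    return [m.group(0) for m in PEM_BLOCK.finditer(normalize(text))]


def rebuild_chain(chain_text, replacement_root_text):
    """hakanlund's workaround: drop the chain's last cert, append the given root."""
    blocks, root = split_certs(chain_text), split_certs(replacement_root_text)
    if len(blocks) < 2 or len(root) != 1:
        raise ValueError("need a chain of two or more certs and exactly one root")
    return "\n".join(blocks[:-1] + root) + "\n"
```

This only does text surgery; to confirm the rebuilt chain actually validates before uploading it, run `openssl verify -CAfile isrgrootx1.pem -untrusted chain.pem cert.pem` against the real files.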