Anyone ever come across this message when trying to import a cert into "Machine SSL Certificate" in vcenter 7: Error occurred while fetching tls: the trustAnchors parameter must be non-empty
I found my self having this exact issue again and found another work around.
My guess is that vmware has an issue with the last cert in the chain,
subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1 issuer=O = Digital Signature Trust Co., CN = DST Root CA X3
So I tested replacing it with the ISRG ROOT X1 cert from: https://letsencrypt.org/certs/isrgrootx1.pem.txt
and that worked for me.
TLDR; remove the last cert in the the fullchain file and the chain file, add the cert from https://letsencrypt.org/certs/isrgrootx1.pem.txt at the end to both files.
Anny update on this, I have the same issue?
Any update on this, I have the same issue?
The LetsEncrypt fullchain.pem contains the site certificate and two other CA certificates.
Both the CA certificates show up in VCSA in the Trusted Root Certificates list (checked the hex signatures and dates).
Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
Subject: C = US, O = Let's Encrypt, CN = R3
Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3
Not Before: Jan 20 19:14:03 2021 GMT
Not After : Sep 30 18:14:03 2024 GMT
Subject: C = US, O = Internet Security Research Group, CN = ISRG Root X1
I tried replacing the Machine SSL Cert with the LE cert for the site from this, along with the private key but the
form demands the chain be supplied for the submit button to work, and supplying both or either of the CA certs
still results in the same error.
"Error occurred while fetching tls: the trustAnchors parameter must be non-empty"
This is what I did for the full chain. Hopefully this helps. Took me a long time to figure this out.
Issue a new CSR...
Create the chain...
Thanks people, but I'm hesitant to spend more time on testing possible solutions here.
Last test I ran effectively destroyed my 7.0.3 u3d VCSA but I didn't know that until a few weeks later when I rebooted; and VPXd wouldn't start anymore and config backups had cycled away by then.
I had to do a fresh install of u3e as the upgrade failed to work either.
I should have snapshotted it before testing. Reboots take 15 minutes before its usable which is quite annoying.
I'm running two different vcenter servers and on the first one I can import Let's Encrypt certificates without any issues, on the second one I could not. On the second vcenter server I could import certificates if I replaced the last certificate in the chain as explained earlier.
How ever I found that the second vcenter server I had a trusted root certificate with ID 79B459E67BB6E5E40173800888C81A58F6E99B6E that was issued by DST Root CA X3 and valid until Sep 30, 2024. but on the first vcenter server the trusted root certificate with the same ID is issued by ISRG Root X1 and valid until June 4, 2035.
The cert on my first vcenter server is the same I used when replacing the cert in the chain, acquired from https://letsencrypt.org/certificates/, https://letsencrypt.org/certs/isrgrootx1.pem
On the second vcenter server i followed this guide https://kb.vmware.com/s/article/2146011 on how to remove a certificate from the store, to remove the certificate with ID 79B459E67BB6E5E40173800888C81A58F6E99B6E and then through the UI I added the https://letsencrypt.org/certs/isrgrootx1.pem certificate to the Trusted Root Certificates.
After I hade replaced the trusted root certificate on the second vcenter server it also accepted Let's Encrypt certificates with out issue.
The answer provided by hakanlund resolved it for me. Here is how I implemented it.
In the GUI I selected to "Import and replace certificate" under the machine cert and chose the option to replace with external CA certificate(requires private key). When presented with the three boxes, I uploaded the following files provided by LetsEncrypt certbot:
Machine SSL Certificate: cert.pem
Chain of trusted root certificates: chain.pem
Private Key: privkey.pem
Then I opened isrgrootx1.pem with a text editor and copied all to the clipboard and then in the box for the Chain of trusted root certificates I scrolled down to the end of the first cert and beginning of the next. I held shift while paging down and selected all of the second cert and deleted it and pasted the contents of my clipboard which contained the isrgrootx1.pem certificate.
I then clicked replace and it was successful.
Just to let you know that on my side it had to do with windows encoding. I did a "dos2unix" on my files and I was able to import everything without this annoying error about trusted anchor.