VMware Cloud Community
sidharthasutar
Contributor

Server certificate chain is not trusted and thumbprint doesn't match

Hello Everyone,

Please help me in getting following issue resolved.

Issue :

While downloading the local plugin, I am getting a thumbprint error in the vsphere_client_virgo.log file. The link https://<IP:port>/scbr/xyz_bundle is accessible and gets downloaded when tried manually in a browser. When I compared the SHA-1 fingerprint for the server (in the browser) and the serverThumbprint for the local plugin extension in ExtensionManager, they do not match. So I suspect this issue is due to this mismatch. I have other vCenter servers with the same local plugin where the download happens without any issue because the thumbprint matches.

Question :

1. How do I set or change the serverThumbprint for the local plugin manually?

2. What could be the reason for this mismatch?


The full error log inside "/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log" is as below.

[2021-03-10T06:46:03.144Z] [INFO ] vc-extensionmanager-pool-217 70000681 100029 200003 com.vmware.vise.vim.extension.VcExtensionManager Downloading plugin package from https://10.232.1.221:8144/scbr/scvm_webclient_deployment_bundle (no proxy defined)
[2021-03-10T06:46:03.167Z] [ERROR] vc-extensionmanager-pool-217 70000681 100029 200003 com.vmware.vise.vim.extension.PluginStatusTaskManager DOWNLOAD_FAILED: Error downloading plugin package com.netapp.scvm.webclient:4.4.1.5929278 from https://10.232.1.221:8144/scbr/scvm_webclient_deployment_bundle. 

Reason: Download error. Make sure that the URL is reachable and the thumbprint is correct. javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.jav...)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:352)
at com.vmware.vise.util.http.ConnectionManager.connect(ConnectionManager.java:298)
at com.vmware.vise.util.http.SimpleHttpClient.connect(SimpleHttpClient.java:354)
at com.vmware.vise.util.http.SimpleHttpClient.connect(SimpleHttpClient.java:324)
at com.vmware.vise.util.http.SimpleHttpClient.executeMethodResponseAsStream(SimpleHttpClient.java:222)
at com.vmware.vise.vim.extension.VcExtensionManager.writePackageToFile(VcExtensionManager.java:1320)
at com.vmware.vise.vim.extension.VcExtensionManager.downloadPackage(VcExtensionManager.java:1175)
at com.vmware.vise.vim.extension.VcExtensionManager$2.call(VcExtensionManager.java:793)
at com.vmware.vise.vim.extension.VcExtensionManager$2.call(VcExtensionManager.java:783)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at com.vmware.vise.util.concurrent.QueuingCachedThreadPool$QueueProcessor.run(QueuingCachedThreadPool.java:1229)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at com.vmware.vise.util.concurrent.WorkerThreadFactory$1.run(WorkerThreadFactory.java:64)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:224)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at com.vmware.vise.util.reflection.ProfilingInvocationHandler.invoke(ProfilingInvocationHandler.java:79)
at com.sun.proxy.$Proxy711.checkServerTrusted(Unknown Source)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1099)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 29 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:113)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:209)
... 37 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 43 common frames omitted


Attached a few screenshots:

local_plugin_extension_server_thumbprint.png
vcenter_fingerprint.png

Thanks,

Sidhartha

3 Replies
msripada
Virtuoso

Can you check if there is any proxy in between which is reflecting its own certificate instead of the NetApp plugin's?

Can you unregister the plugin and re-register it again, so that it should fetch the proper cert during registration?

thanks,

MS

sidharthasutar
Contributor

Thank you for the prompt response.

1. Can you check if there is any proxy in between which is reflecting its own certificate instead of the NetApp plugin's?

We don't use any proxy server.

2. Can you unregister the plugin and re-register it again, so that it should fetch the proper cert during registration?

Tried unregistering/registering multiple times, followed by restarting the UI service using the command "service-control --stop --start vsphere-ui". But no luck.

Is there any other approach/command which can clean up the previous certificate so that re-registration can fetch the proper certificate, or any command to set/change the certificate manually post registration?

msripada
Virtuoso

The type of the extension is showing vsphere-client-serenity. I am unsure if there is any specific plugin for vsphere-ui or a generalized one for Flex and HTML.

Second, run the command below from the VCSA SSH:

Try running openssl s_client -connect 10.232.1.221:8144 and validate whether the certificate matches the one shown in the browser.

thanks,

MS

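The check the thread converges on (compare what the plugin server actually presents with the serverThumbprint registered in ExtensionManager) can be done from the vCenter appliance itself, so the comparison is made from the same network position as the vsphere-ui service rather than from a workstation browser. The following is an added example, not code from the original thread and not VMware or NetApp code. It uses only the Python standard library. The host, port and the registered thumbprint constant are placeholders taken from or modelled on the thread; replace them with your own values.

```python
"""
Added example (not from the original thread, VMware or NetApp): compute the SHA-1
thumbprint of the certificate a plugin server presents on the wire and compare it
with the serverThumbprint registered for the extension in vCenter's ExtensionManager.

vCenter and browsers show SHA-1 fingerprints as colon-separated uppercase hex pairs,
so the same formatting is produced here.
"""
import hashlib
import re
import socket
import ssl

# Constructed placeholder for the value shown in ExtensionManager; not a real thumbprint.
REGISTERED_THUMBPRINT = "00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33"


def thumbprint_from_der(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, formatted like a vSphere serverThumbprint."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Strip separators and whitespace and uppercase, so 'ab:cd' and 'ABCD' compare equal."""
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", value).upper()
    if len(cleaned) != 40:  # SHA-1 is 20 bytes = 40 hex digits
        raise ValueError(f"not a SHA-1 thumbprint: {value!r}")
    return cleaned


def thumbprints_match(presented: str, registered: str) -> bool:
    """Case- and separator-insensitive comparison of two SHA-1 thumbprints."""
    return normalize_thumbprint(presented) == normalize_thumbprint(registered)


def fetch_leaf_der(host: str, port: int, timeout: float = 10.0) -> bytes:
    """Return the DER leaf certificate the server presents, without validating the chain.

    Validation is deliberately disabled: the point is to see what is actually served
    (including an interposed proxy's certificate), not to trust it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode is changed
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_plugin_server(host: str, port: int, registered: str) -> dict:
    """Fetch the live certificate and report whether its thumbprint matches the registration."""
    presented = thumbprint_from_der(fetch_leaf_der(host, port))
    return {
        "presented": presented,
        "registered": registered,
        "match": thumbprints_match(presented, registered),
    }


if __name__ == "__main__":
    # Host and port are the plugin endpoint from the thread's log; the registered
    # value above is a placeholder, so this is expected to report a mismatch as-is.
    result = check_plugin_server("10.232.1.221", 8144, REGISTERED_THUMBPRINT)
    print(f"presented : {result['presented']}")
    print(f"registered: {result['registered']}")
    print("MATCH" if result["match"] else "MISMATCH")
```

Run it on the VCSA (the appliance ships Python) and read the result against the browser's fingerprint: if the presented value equals what the browser shows but differs from the registered one, the registration is stale (typically the plugin server's certificate was renewed after registration), and the extension must be re-registered with the new value, or its serverThumbprint updated through the vSphere API (ExtensionManager.UpdateExtension with the Extension's server info); if the presented value differs from what the browser shows, vCenter is reaching a different endpoint or something in the path is terminating TLS. The same formatting comes out of `openssl s_client -connect HOST:PORT -showcerts </dev/null | openssl x509 -noout -fingerprint -sha1`. The stack trace in the question also explains the wording of the error: ThumbprintTrustManager first tries a PKIX path build against vCenter's trust store (the "unable to find valid certification path" cause) and only then falls back to the thumbprint, so both checks have to fail before the download is rejected.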