valot
Enthusiast

VMware replication failed to register after certificate renewal

Hi all,

After a renewal of all certificates on our infrastructure, the VMware replication appliance failed to register ==>

I pointed the VR (6.5.1.4) at the lookup service https address of the external PSC (6.5), I accepted the certificate and I had the following message ==>

"Unable to obtain SSL certificate: The vCenter xxx is not correctly registered in LookupService"

Any idea on how to correctly register the vCenter on the LookupService?

Thanks for the help

0 Kudos
5 Replies
ashilkrishnan
VMware Employee

Hi @valot ,

Primary suspect in this scenario would be SSL trust anchor mismatch on PSC-vCenter certificates.

1. Try to perform a save and restart on VR VAMI and share a copy of hms logs from replication appliance. Log location:  /opt/vmware/hms/logs 

2. Run these 2 commands on PSC and share the outputs:

/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>/dev/null

echo | openssl s_client -connect localhost:443

 

0 Kudos
valot
Enthusiast

Thanks for the answer

1/ Impossible to transfer the files

2/

/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>/dev/null

Service Product: com.vmware.cis
Service Type: cs.identity
Service ID: 56dd5ef7-115d-457a-8e8a-54d18e4a8741
Site ID: cndssti
Owner ID: xxx@xxx.local
Version: 2.0
Endpoints:
Type: com.vmware.cis.cs.identity.sso
Protocol: wsTrust
URL: https://xxx/sts/STSService/ivm.local
SSL trust: [base64 certificate data omitted]
-------------------------------------------------------
Service Product: com.vmware.cis
Service Type: cs.identity
Service ID: a33f7d42-1b7a-4b8a-8354-6010efc6fef5
Site ID: cndssti
Owner ID: yyy@xxx.local
Version: 2.0
Endpoints:
Type: com.vmware.cis.cs.identity.sso
Protocol: wsTrust
URL: https://yyy.ilc.eic.intra/sts/STSService/ivm.local
SSL trust: [base64 certificate data omitted]

echo | openssl s_client -connect localhost:443

CONNECTED(00000003)
depth=2 DC = intra, DC = eic, CN = CERTRSI
verify return:1
depth=1 C = FR, ST = CPV, L = Valbonne, O = IVM, OU = PROD, CN = VMCACPV
verify return:1
depth=0 CN = xxx, C = FR, ST = CPV, L = Valbonne, O = IVM, OU = PROD
verify return:1
---
Certificate chain
0 s:/CN=xxx/C=FR/ST=CPV/L=Valbonne/O=IVM/OU=PROD
i:/C=FR/ST=CPV/L=Valbonne/O=IVM/OU=PROD/CN=VMCACPV
1 s:/C=FR/ST=CPV/L=Valbonne/O=IVM/OU=PROD/CN=VMCACPV
i:/DC=intra/DC=eic/CN=CERTRSI
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=/CN=xxx/C=FR/ST=CPV/L=Valbonne/O=IVM/OU=PROD
issuer=/C=FR/ST=CPV/L=Valbonne/O=IVM/OU=PROD/CN=VMCACPV
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2902 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: CF8E9CDD463FBADDBC185AB5C38BC89C81A2FE8F77A67713B4DC5DE3076572BA42AC84B34040D8B16AB438657394241F
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1611753381
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
0 Kudos
scott28tt
VMware Employee

@valot 

Moderator: Please consider using the "spoiler" function on the extended toolbar in the post creator/editor when you have large amounts of text to paste - making the thread easier for all to scroll through. I've amended your post above so you can see the effect.

 

Press the ... on the toolbar to extend it then select the triangle with exclamation mark to add a "spoiler":


0 Kudos
valot
Enthusiast

ok

sorry

0 Kudos
ashilkrishnan
VMware Employee

@valot ,

Thank you for sharing these outputs. As suspected, there is an SSL trust anchor mismatch with PSC certificates. Please refer to the following KB article for more details --> https://kb.vmware.com/s/article/2121701

Before we proceed further, we need a snapshot of both PSCs. Looking at the outputs, these PSCs seem to be in linked mode (as we see entries for 2 PSCs).
Make a note of the ESXi host where the PSC VMs are running and power off both PSC VMs. We need to take a powered-off snapshot of both PSCs as they are in linked mode. Next steps:

 


1. Download 'ls_ssltrust_fixer.zip' from attachments and extract it. Upload 'ls_ssltrust_fixer.py' to any of the PSC VMs in the following directory: /usr/lib/vmidentity/tools/scripts/

2. SSH to PSC and switch to the directory mentioned in step 1

3. Run this scan command:  python ls_ssltrust_fixer.py -f scan

4. Run this fix command: python ls_ssltrust_fixer.py -f fix

Once the fix task is completed, run those 2 commands provided initially and ensure certificate outputs match. Re-register VR to PSC.

 

Hope that helps

0 Kudos
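
The final check in the reply above (confirming that the "SSL trust" value registered in the Lookup Service matches the certificate the endpoint actually serves) can be scripted. The following is an added example, not part of the original thread or of VMware's tooling. It assumes the `lstool.py list` and `openssl s_client` output layouts shown in this thread, and the host names and certificate bytes in the sample data are constructed placeholders.

```python
import base64, hashlib, re
from urllib.parse import urlsplit
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprint(b64_der):
    """SHA-256 of the bytes behind a base64 certificate (whitespace ignored)."""
    return hashlib.sha256(base64.b64decode("".join(b64_der.split()))).hexdigest()

def registered_trust(lstool_output):
    """List (endpoint URL, SSL trust fingerprint) pairs found in lstool output."""
    pairs, url = [], None
    for line in lstool_output.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "URL":
            url = value.strip()
        elif key == "SSL trust" and url and value.strip():
            pairs.append((url, fingerprint(value)))
    return pairs

def served_fingerprint(s_client_output):
    """Fingerprint of the first PEM block (the leaf) in s_client output."""
    match = PEM_RE.search(s_client_output)
    if match is None:
        raise ValueError("no certificate found in s_client output")
    return fingerprint(match.group(1))

def find_mismatches(lstool_output, served_by_host):
    """Return registered URLs whose SSL trust differs from what the host serves."""
    stale = []
    for url, registered in registered_trust(lstool_output):
        output = served_by_host.get(urlsplit(url).hostname)  # unknown hosts are skipped
        if output is not None and served_fingerprint(output) != registered:
            stale.append(url)
    return stale

# Constructed sample data: placeholder bytes stand in for real DER certificates.
OLD = base64.b64encode(b"constructed cert before renewal").decode()
NEW = base64.b64encode(b"constructed cert after renewal").decode()
SAMPLE_LSTOOL = f"""URL: https://psc1.example.test/sts/STSService/vsphere.local
SSL trust: {OLD}
-------------------------------------------------------
URL: https://psc2.example.test/sts/STSService/vsphere.local
SSL trust: {NEW}
"""
S_CLIENT = f"Server certificate\n-----BEGIN CERTIFICATE-----\n{NEW}\n-----END CERTIFICATE-----\n"
SAMPLE_SERVED = {"psc1.example.test": S_CLIENT, "psc2.example.test": S_CLIENT}

if __name__ == "__main__":
    print("stale SSL trust:", find_mismatches(SAMPLE_LSTOOL, SAMPLE_SERVED))
```

An empty result after the fix means every registration checked now carries the certificate its host presents; any URL still listed holds a stale trust anchor.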