jeremyb
Contributor
Contributor

VDDK 6.0 and standalone ESXi host with self-signed or CA-signed SSL certs


Per VDDK 6.0 release notes "SSL certificate verification is now mandatory".


Can anyone provide any insight as to the steps required to get a standalone ESXi host to work with VDDK 6.0?


I have tried regenerating a self-signed certificate on the ESXi host (as the cert created at install is for localhost.localdomain) and still VDDK 6.0 does not work with this host.

Tags (4)
5 Replies
jeremyb
Contributor
Contributor

Update:

My current understanding is that VDDK 6.0 will not work with hosts that have the default self-signed certificates installed. If I am wrong on this please let me know.

Also, I am working on a quick guide for setting up a simple CA for issuing and managing in-house, CA-signed certificates using OpenSSL. This would be more for environments that don't have a need for an enterprise CA server and that don't want to purchase a CA-signed certificate that expires each year. My primary goal here is to come up with something that allows for continuing to use VMware APIs and tools in small environments that mostly have standalone ESXi hosts. If anyone is interested in this document let me know. If anyone wants to help with this that would be nice too.

The question now is will VDDK 6.0 work with in-house, CA-signed certificates?

I have everything working with these certificates and SSL verification in VDDK 5.5.4, but I have yet to get it working with VDDK 6.0. See thread: https://communities.vmware.com/thread/506125

jeremyb
Contributor
Contributor

Update 2:

Well, I thought my issues with VDDK 6.0 were being caused by the in-house, CA-signed certs being x509v1. I have since revised the certificate generation process to make sure it created x509v3 certs, but I am still getting "Can't create connection." from vmware-vdiskmanager and the following in the log:

VixDiskLibVim: VixDiskLibVim_Init: Initialization is completed.

VixDiskLib: VixDiskLib_Connect: Establish connection.

VixDiskLib: A thumbprint is required for SSL certificate validation. vixDiskLib.c line 2446

VixDiskLib: VixDiskLib_Connect: Failed to allocate connection. Error 3 (One of the parameters was invalid) at 3914.

VixDiskLib: VixDiskLib_Disconnect: Disconnect.

What am I missing?

0 Kudos
jeremyb
Contributor
Contributor

Update 3:

I do not have a DNS server setup so I have updated my C:\Windows\System32\drivers\etc\hosts file. I can ping my host server via IP, and FQDN. I can also access the host via IE by IP and FQDN without certificate errors. I can also connect to the host via vSphere Web Services API by IP and FQDN and browse VM inventory.

0 Kudos
balaga32
Enthusiast
Enthusiast

For the ViXdisklibConnectEX() call, pass on the host thumbprint. VDDK6 requires the host thumbprint to be passed along with user and password.

0 Kudos
jeremyb
Contributor
Contributor

I understand, but with vmware-vdiskmanager there is no option to provide this argument (at least not in the syntax overview provided by help).

0 Kudos