VMware Cloud Community
mike_smith345 (Contributor)

Problem with VCSA 7 Self-Signed Certificate

Hi there

I have installed VCSA 7.0.2.00200, but when I log in to the Web Client or vCenter Server Management, I get this error in Chrome:

"You cannot visit vcsa.blabla.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

According to this article https://kb.vmware.com/s/article/2147071 I deleted the domain security policies in the Chrome browser, but my problem still persists.

Can anyone help me?


Accepted Solution
NathanosBlightc (Commander)

You have just three options, no more:

1. Install or ignore the self-signed certificate on each device that needs to have access to the VCSA web client. I strongly suggest restricting them, because the vCenter server is a vital asset and it's not a good idea to have access to it from anywhere, even inside your corporate network.

2. Download the vCenter server trusted root certificate and install it as a root CA inside your client. (As mentioned in other replies)

3. Generate or provide a valid/trusted certificate from a certificate publisher or your corporation's root CA and replace the current vCenter self-signed certificate with it.

Please mark my comment as the Correct Answer if this solution resolved your problem.

12 Replies
TryllZ (Expert)

Try to access it via the IP address; that should work.

Alternatively, you can also reset/regenerate all certificates as instructed here https://kb.vmware.com/s/article/2112283 and then try again via the FQDN.

Once all the certificates are regenerated, you can download and install the certificates from the vCenter home page as instructed here https://kb.vmware.com/s/article/2108294 so you can bypass the SSL certificate error.

mike_smith345 (Contributor)

Hi @TryllZ 

Thanks for replying. My problem is:

1- Why does the browser allow opening the vCenter host using the "Proceed to MY IP (unsafe)" link

[screenshot: 1.png]

but when I want to open my host with the domain name, this is not possible?

[screenshot: 2.png]

2- If I want to open the vCenter web UI with the IP address, it redirects itself to the domain name and I can't open it, as previously mentioned.

How can I solve these problems?

TryllZ (Expert)

> 1- Why does the browser allow opening the vCenter host using the "Proceed to MY IP (unsafe)" link

This is because of the SSL certificates: the browser does not trust the VCSA certificates, as they are not installed in the Trusted Root Certification Authorities store, or the IP address and FQDN of the VCSA in the certificate do not match. Is the certificate the self-signed one issued by VCSA that comes preinstalled?

> 2- If I want to open the vCenter web UI with the IP address, it redirects itself to the domain name and I can't open it, as previously mentioned.

This seems like a DNS misconfiguration issue. Is the VCSA running behind a VPN?

mike_smith345 (Contributor)

The self-signed certificate is issued by VCSA when installing. I set the domain name in Cloudflare and I don't think a DNS misconfiguration has happened.

Now I'm using Let's Encrypt for the SSL certificate and my problem is solved temporarily, but I don't know where exactly the problem with the self-signed certificate is.

TryllZ (Expert)

The 1st thing you could try is as follows:

On the vCenter home page you should see "Download trusted root CA certificates"; download it, it's a zip file. Extract the zip file; inside you'll see 3 folders, one each for Linux, Windows, and Mac. Depending on your OS, in the folder find the certificate file that is issued by the CA (VMCA in this case, which is the vCenter itself) and issued to the vCenter.

Install the certificate into the Trusted Root Certification Authorities store (for Windows), and reload the browser.

[screenshots: vCenter.png, SSL.png]

mike_smith345 (Contributor)
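The two checks a browser applies to the VCSA certificate (chain trust, then hostname match), as an added example that is not from this thread or from VMware: it builds a throwaway root standing in for the VMCA root you download from the vCenter home page, issues a leaf for a placeholder FQDN (vcsa.example.com), and shows that the FQDN only verifies once that root is supplied, while the IP address still fails the name check because the certificate carries no IP SAN. Assumes the openssl command-line tool; all certificates are constructed on the spot.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the VCSA trust problem with
# constructed certificates. The root below stands in for the VMCA root that
# "Download trusted root CA certificates" gives you; the FQDN is a placeholder.
set -eu
WORK=$(mktemp -d)
FQDN="vcsa.example.com"

# Constructed root CA (plays the role of the VMCA root).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Constructed VMCA Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1

# Leaf certificate for the vCenter FQDN, issued by that root, with a DNS SAN.
openssl req -newkey rsa:2048 -nodes -subj "/CN=$FQDN" \
  -keyout "$WORK/vcsa.key" -out "$WORK/vcsa.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s\n' "$FQDN" > "$WORK/san.ext"
openssl x509 -req -in "$WORK/vcsa.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
  -extfile "$WORK/san.ext" -out "$WORK/vcsa.crt" >/dev/null 2>&1

# check_cert LEAF CAFILE HOST
# Mirrors the two checks a browser makes. CAFILE="" means "no VMCA root
# installed", i.e. an empty trust store, as on an untouched client.
# Prints one of: untrusted, hostname-mismatch, trusted.
check_cert() {
  leaf=$1; cafile=$2; host=$3
  if [ -n "$cafile" ]; then
    trust_opts="-CAfile $cafile -no-CApath"
  else
    trust_opts="-no-CAfile -no-CApath"
  fi
  # trust_opts is intentionally left unquoted so it word-splits into options.
  if ! openssl verify $trust_opts "$leaf" >/dev/null 2>&1; then
    echo untrusted; return 0
  fi
  # Chain is trusted; now the name the browser was asked for must match a SAN.
  if ! openssl x509 -in "$leaf" -noout -checkhost "$host" | grep -q 'does match'; then
    echo hostname-mismatch; return 0
  fi
  echo trusted
}

# Walk the three situations from the thread.
echo "FQDN, no root installed:   $(check_cert "$WORK/vcsa.crt" "" "$FQDN")"
echo "FQDN, VMCA root installed: $(check_cert "$WORK/vcsa.crt" "$WORK/root.crt" "$FQDN")"
echo "IP, VMCA root installed:   $(check_cert "$WORK/vcsa.crt" "$WORK/root.crt" "10.0.0.5")"
```

Against a live appliance you would feed `check_cert` the leaf captured with `openssl s_client -connect vcsa.example.com:443 -showcerts` and the root from the downloaded zip; HSTS only removes the click-through, it does not change which of these three outcomes you get.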

I did this previously and I could open the VCSA, but I don't want to install the certificate on each device that I want to use.

Is it possible to open a website with a self-signed certificate in the browser without installing its certificate?

TryllZ (Expert)

It is possible to open it without installing self-signed certificates, but you'll always see the "Your connection is not private" screen. Plus, in your case it's already not working, as I understand, because of the HSTS issue, unless that's resolved.

The trust issue between the browser and vCenter will always remain in this case.

And I'm afraid it will have to be installed on each device for trusted access.

mike_smith345 (Contributor)

Thanks for replying @NathanosBlightc

That's true. Apparently there are no more than three options.

vmwarekeepsmeup (Contributor)

How do I generate a certificate and store it in a local CA? Sorry, I'm a noob here.

TryllZ (Expert)

@vmwarekeepsmeup 

You need to provide more details to get appropriate answers.

Servicedesk_ (Contributor)

What also works, and it's the simplest solution, is to clear your browser cache.

Also check your backup software. We use Veeam, and Veeam also doesn't trust the vCenter appliance anymore. You can easily fix this by going to:

Inventory menu, select your vCenter appliance (FQDN name), and select Properties. Just follow the steps and it will ask you if Veeam can trust the certificates. After that Veeam should work.
