Hello community,
I am trying to simply change the SSO domain of my vCenter 6.7 U3 6.7.45000 without a replication partner.
When executing the domain repoint as follows:
#cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name vsphere.local
The process fails on the Authz data export.
After checking the logs, I can see the following error in /var/log/vmware/cloudvm/domain_data_export.log:
############ domain_data_export.log #####################
2020-08-31T12:52:17.812Z [main DEBUG com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] Sending SOAP request to the STS server
2020-08-31T12:52:17.860Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the list of client-trusted certificates
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:235)
.................................
2020-08-31T12:52:17.865Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the client-trusted thumbprint
2020-08-31T12:52:17.880Z [main ERROR com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] The SSL certificate of STS service cannot be verified
com.vmware.vim.sso.client.impl.ssl.UntrustedSslCertificateException: The SSL certificate of STS service cannot be verified
at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.validateServerIdentityWithThumbprint(StsSslTrustManager.java:227)
at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.checkServerTrusted(StsSslTrustManager.java:125)
######################################################
This happens with custom certificates and default VMware certificates.
Any ideas from the community?
Thank you
I believe this is due to a trust anchor mismatch, explained in the KB https://kb.vmware.com/s/article/2121689?lang=en_US
VMware Knowledge Base https://ikb.vmware.com/s/article/2121689
I suggest opening an SR, validating the SSL mismatch issues on the vCenter Server, and trying the domain repoint.
thanks,
MS
Moderator: Thread moved to the vCenter Server area.
Thank you, indeed the anchors were the problem.
Thanks a lot for your help, best community ever!!!