VMware Cloud Community
AHMNco
Contributor

SSL Certificate Error vCenter 8

Hi everyone, surprisingly the new version of vCenter does not work with my current SSL from vCenter 7.

Here are the errors:

1. When trying to insert Sectigo 1yr (Error occurred while fetching tls: Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate)

2. When trying to insert Let's Encrypt (Error occurred while fetching tls: the trustAnchors parameter must be non-empty)

3. When trying to insert SSL.com 90-day (Error occurred while fetching tls: 0)

4. When trying to insert a wildcard, it does not work either (the wildcard SSL works well with ESXi but not with vCenter)

================

I tried to re-issue, I changed the SSL provider, I read every article, and none of them works.

Since I was on vCenter 7, all of them except Let's Encrypt were working fine,

but now none of them works.

Please give me a solution; I'd appreciate it.

Best Regards

Accepted Solutions
BrianCunnie
Enthusiast

Hey @AHMNco :

FYI, I wrote a blog post describing how I was able to get past this error (use a different cert in the CA Bundle). You may want to skip to the Troubleshooting section.


25 Replies
chall32
Enthusiast

Confirmed. vCenter 8.0, I'm seeing the same error:

Error occurred while fetching tls:0

when trying to replace the machine certificate with a certificate generated using a CSR generated by vCenter itself.

AHMNco
Contributor

After a thousand years nobody has even replied. Where are the VMware experts????

maksym007
Expert

I will not be very original and will say: generate a new certificate and check the certificate template for vCenter 7.

It is highly possible that changes are needed.

chall32
Enthusiast

The problem is not with the certificate, it is with the application of the newly generated certificate into vCenter 8.

AHMNco
Contributor

So where is the resolution?

Where are the VMware experts??

Is nobody going to come and answer this problem?

lasersword
Contributor

Same problem!

Tokiha
Contributor

Same problem. The auto-generated certificate is SHA256 with RSA 3084, and my certs from Sectigo are SHA384 with RSA 8192.

tim427
Contributor

Same problem; tried "ecdsa-with-SHA256 + id-ecPublicKey (384 bit)" and "sha384WithRSAEncryption + rsaEncryption (2048 bit)", both without luck.

Default certificate is: "sha256WithRSAEncryption + rsaEncryption (2048 bit)"...

AHMNco
Contributor

It seems none of the VMware experts care about our problem!!!!!

BrianCunnie
Enthusiast

This is what I had to do to fix it for my Sectigo/Comodo certificate:

  • edit the .ca-bundle
  • replace the bad PEM with the good PEM (see attached files)

Longer story: the bad and good certificates have the same key (their RSA modulus is the same) and the same CN ("USERTrust RSA Certification Authority"), so they can be interchanged, but the bad PEM has been cross-signed (issued) by the old, bad "AAA Certificate Services" (which is self-signed with the weak SHA-1 algorithm). The good cert is self-signed with the strong SHA-384 algorithm.

If you feel uncomfortable downloading the cert from a forum (and you should feel uncomfortable), you can view the details of the good certificate here: https://crt.sh/?id=1199354

And you can download a copy of the PEM here: https://crt.sh/?d=1199354


AHMNco
Contributor

No, not working

ASMITH_77
Contributor

I had similar issues, and in my case it was due to the path to the root certificate being incomplete. Also make sure that any cert in the path is at least above SHA-1, as version 8 rejects any SHA-1 cert. Another approach I took was to delete all related trusted root certs to make sure there are no conflicts. That has to be done from the CLI and is a slight pain in the ass.


chall32
Enthusiast

OK, good to see some have got it working using public certs. I'm still struggling to replace the machine cert with a cert generated by an internal CA.

A cursory look through the logs in /var/log/vmware/certificatemanagement and /var/log/vmware/certificateauthority isn't providing much help either!

chall32
Enthusiast

Found the error in /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:

[2022-11-03T15:31:03.619Z] [ERROR] http-nio-5090-exec-4          com.vmware.vise.mvc.exception.GlobalExceptionHandler              Exception handled while processing request for /ui/certificate-ui/ctrl/certificates/tls:  com.vmware.vapi.std.errors.Error: Error (com.vmware.vapi.std.errors.error) => {
    messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
    id = com.vmware.certificatemanagement.error,
    defaultMessage = Exception found (0),
    args = [0],
    params = <null>,
    localized = <null>
}],
    data = <null>,
    errorType = ERROR
}

Full error attached.

BAUERAG
Contributor

The problem also exists when configuring vCenter login with OpenID Connect in Azure. To access login.microsoft.com, both CA certs from DigiCert are needed, but "DigiCert Global Root CA" uses the "SHA-1 with RSA Encryption" signature algorithm. Importing fails, which means configuring OIDC also fails.

It's not that VMware supports hundreds of different IdPs. The only one is ADFS, and using Microsoft's cloud service isn't uncommon.

When checking login.microsoft.com with ssllabs.com, they wrote about the root CA from DigiCert: "Weak or insecure signature, but no impact on root certificate".

VMware, please fix it. Thanks.


donaldsteele
Contributor

Same issue here. Reverting back to vCenter 7....

Anil0210
Enthusiast

vSphere 8.0 (vCenter Server and ESXi) does not support certificates with weak signature algorithms, such as sha1WithRSAEncryption.

Just check whether the certificate you are using has a weak signature algorithm. Check the KB below for more details.

https://kb.vmware.com/s/article/89424
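
Added example, not code from either post or from VMware: a dependency-free Python check that walks every PEM entry of a CA bundle (the .ca-bundle from the Sectigo post above, or any chain you are about to upload) and reports the entries whose outer signatureAlgorithm is sha1WithRSAEncryption, the algorithm the KB names, so the offending cert is known before vCenter rejects the import. The bundle it runs on is constructed from dummy DER and is not a real certificate chain; treating md5WithRSAEncryption as weak is an assumption.

```python
import base64
import re
# sha1WithRSAEncryption is the algorithm KB 89424 names; flagging MD5 as well is an assumption.
ALG = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
       "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.113549.1.1.12": "sha384WithRSAEncryption"}
WEAK = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Decode one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """OID content bytes -> dotted form, e.g. 1.2.840.113549.1.1.5."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [str(val)], 0
    return ".".join(parts)

def signature_algorithm(der):
    """Name (or raw OID) of the outer signatureAlgorithm of one DER certificate."""
    _, start, _ = _tlv(der, 0)                          # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(der, start)                    #   tbsCertificate (skipped whole)
    _, alg, _ = _tlv(der, tbs_end)                      #   signatureAlgorithm SEQUENCE {
    tag, s, e = _tlv(der, alg)                          #     OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return ALG.get(_oid(der[s:e]), _oid(der[s:e]))

def weak_certs(bundle_pem):
    """[(index in bundle, algorithm)] for each certificate whose signature algorithm is weak."""
    algs = [signature_algorithm(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(bundle_pem)]
    return [(i, a) for i, a in enumerate(algs) if a in WEAK]

def _fake_cert_pem(sig_oid):
    """Constructed stand-in (NOT a real certificate): dummy tbsCertificate + the given signature OID."""
    alg = b"\x30" + bytes([len(sig_oid) + 2]) + sig_oid + b"\x05\x00"   # SEQUENCE { OID, NULL }
    body = b"\x30\x03\x02\x01\x02" + alg + b"\x03\x05\x00\xde\xad\xbe\xef"  # tbs, alg, BIT STRING
    der = b"\x30" + bytes([len(body)]) + body
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed two-entry bundle: a SHA-1-signed entry first, a SHA-384-signed one second.
SAMPLE_BUNDLE = (_fake_cert_pem(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")
                 + _fake_cert_pem(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0c"))
```

Running weak_certs() on a real .ca-bundle returns the zero-based position of each weak entry; that is the PEM to swap for the SHA-384 self-signed copy of the same CA, as in the Sectigo post.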

obsidianindy
Contributor

Hey @BrianCunnie, I followed the instructions from your blog post, even purchasing the exact certificate you purchased, and attempted this with vCenter 8.

First, I created via 

CN=vcenter-80.nono.io # "CN" is the abbreviation for "Common Name"
openssl genrsa -out "$CN.key" 3072   # 3072-bit RSA private key; the CSR below is what goes to the CA
openssl req \
  -new \
  -key "$CN.key" \
  -out "$CN.csr" \
  -sha256 \
  -subj "/C=US/ST=California/L=San Francisco/O=nono.io/OU=homelab/CN=${CN}/emailAddress=brian.cunnie@gmail.com" \
  -config <(cat <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = req_ext
[ req_distinguished_name ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = ${CN}
EOF
)   # process substitution <( ) needs bash, not sh; the inline config adds a subjectAltName to the CSR

(obviously, I changed the values).

I then requested a certificate from SSLs.com, and we purchased their least-expensive offering, the PositiveSSL 1 domain Comodo SSL.

(using the same disclaimer):

[We do not endorse either SSLs.com or Sectigo (formerly Comodo); We encourage you to use the reseller and the Certificate Authority (CA) with which you are most comfortable].

They then provided me with two files: vcenter.domain.co.crt and vcenter_domain_co.ca-bundle.

Then we followed the instructions from your blog post:

    • On your vCenter, navigate to Menu → Administration → Certificates → Certificate Management
    • On the __MACHINE_CERT tile, click Actions, select Import and Replace Certificate.
    • Select Replace with external CA certificate(requires private key).
      • Machine SSL Certificate: click Browse File and select vcenter.domain.crt
      • Chain of trusted root certificates: click Browse File and select vcenter_domain_co.ca-bundle
      • Private Key: click Browse File and select vcenter_domain_co.ca-bundle
    • Click Replace.

After doing this, vCenter reports: "Error occurred while fetching tls: Invalid input, not a valid PEM formatted Primary Key"

I've been beating my head against this all day. The vCenter logs aren't much help. Did you have to do anything else, or am I just missing a step?
