Creating a new VCSA 6.5.0 VM using the win32 GUI.
After the installation completed, I wanted to replace the machine SSL certificate using the HTML5 web GUI.
I imported the Terena CA and then replaced the machine SSL cert (key & crt). After rebooting, all works fine.
Deleting this VM, and creating a new VCSA 6.7 VM using the win32 GUI and exactly the same parameters as before (FQDN, IP, ...). DNS entries are OK (FQDN to IP & IP to FQDN).
After the installation completed, I imported the same certificate as before. After rebooting, when I try to access the web GUI, I get the following error:
503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x00007f3890084700] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe)
Trying to replace the certificate from the CLI using certificate-manager:
Updated 34 service(s)
Status : 70% Completed [stopping services...]
Status : 85% Completed [starting services...]
Error while starting services, please see service-control log for more details
Status : 0% Completed [Operation failed, performing automatic rollback]
Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
Performing rollback of Machine SSL Cert...
Get site nameus : 0% Completed [Rollback Machine SSL Cert...]
This is the /var/log/vmware/vmcad/certificate-manager.log:
2019-12-06T13:19:16.509Z INFO certificate-manager None
2019-12-06T13:19:26.519Z INFO certificate-manager Running command :- service-control --start --all
2019-12-06T13:19:26.519Z INFO certificate-manager please see service-control.log for service status
Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start vpxd services. Error: Service crashed while starting
2019-12-06T13:25:38.27Z ERROR certificate-manager None
This is the vpxd.log:
2019-12-06T13:23:09.269Z error vpxd [Originator@6876 sub=AuthzStorageProvider] [AuthzStorageProvider::CreateAuthzMgr] Failed to connect to IS: <N5Vmomi5Fault17HostCommunication9ExceptionE(Fault cause: vmodl.fault.HostCommunication
2019-12-06T13:23:09.270Z info vpxd [Originator@6876 sub=AuthzStorageProvider] [AuthzStorageProvider::CreateAuthzMgr] Retry for this error: attempt count 29
2019-12-06T13:23:12.314Z warning vpxd [Originator@6876 sub=VpxdAuthClient] [ConnectAndLogin] Failed to loginBySamlToken: N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: 6B:B6:1F:29:7C:01:E8:65:09:A1:49:C2:46:71:BC:54:11:FB:7F:A8
--> ExpectedPeerName: localhost
--> The remote host certificate has these problems:
--> * Host name does not match the subject name(s) in certificate.)
I don't know why ExpectedPeerName is searching for localhost; I always used the FQDN and the real IP during the process, and DNS correctly resolves IP address & FQDN.
Whether I use the web GUI or the CLI to replace the machine certificate, vpxd doesn't start afterwards.
Are there new prerequisites for installing a custom SSL certificate since 6.7.0?
Here you have an answer:
Host name does not match the subject name(s) in certificate.
Your certificate must contain your vCenter FQDN, and if you are using more names (friendly name, etc.) you should also use Subject Alternative Names in the certificate.
A little help:
The certificate contains the vCenter FQDN. There are no additional names used for this vCenter. I never specified localhost for any parameter during the installation process.
This certificate works with VCSA 6.5 for the same parameters, so I don't understand why it doesn't work with VCSA 6.7.
We have exactly the same issue with our VCSA in our datacenter after installing custom SSL certificates.
Had to do a complete rollback to get vpxd up again.
Has anyone a solution for this issue?
Did not open a support case yet, because it was detected last Friday evening.
We are using this version:
vCenter Appliance 6.7 Update 3 (18.104.22.168000) | 2019-08-20 | 14367737 | 14368073
I will perform an upgrade with the vCenter clone in our lab environment to check if this helps before creating a ticket.
This is maybe because it is not matching the PNID configured in the vCenter Server at installation time. Could you please run the next command and show us the output: /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
Just tried your command. The result is the FQDN of the VCSA (used during the installation and still used).
I opened a ticket with those insights (nothing worked, by the way) 😞
Should have a remote session today. Unfortunately, VMware didn't contact me as agreed. Any ideas, folks?
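The two checks discussed above (the certificate must carry the vCenter FQDN in its Subject Alternative Names, and that FQDN must equal the PNID reported by `vmafd-cli get-pnid`) can be combined into a pre-flight test run before replacing the machine SSL certificate. The script below is an added example, not code from the thread or from VMware; it assumes the certificate's names are taken from the text output of `openssl x509 -noout -subject -ext subjectAltName`, and the embedded sample output is constructed.

```python
"""Pre-flight name check for a vCenter machine SSL certificate (added example).
Compares the certificate's names with the vCenter PNID, the value printed by
  /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
using the rule TLS clients apply: DNS SANs, if present, are the only names
checked; the subject CN counts only when the certificate has no SAN.
Input: text from `openssl x509 -in machine_ssl.crt -noout -subject -ext subjectAltName`
"""
from __future__ import annotations
import re
import sys

def parse_openssl_text(text: str) -> tuple[str | None, list[str]]:
    """Return (subject CN, [DNS SAN entries]) parsed from openssl's text output."""
    m = re.search(r"^subject=.*?\bCN\s*=\s*([^,/\n]+)", text, re.M)
    cn = m.group(1).strip() if m else None
    return cn, re.findall(r"DNS:([^,\s]+)", text)

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style: case-insensitive, '*' allowed only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) == len(h) and len(p) >= 3 and p[1:] == h[1:]

def check_cert_against_pnid(openssl_text: str, pnid: str) -> dict:
    """Report whether the PNID would pass hostname verification against this cert."""
    cn, sans = parse_openssl_text(openssl_text)
    checked = sans if sans else ([cn] if cn else [])
    return {
        "pnid": pnid,
        "names_checked": checked,
        "pnid_matches": any(name_matches(n, pnid) for n in checked),
        # CN set but missing from a non-empty SAN list: clients never look at it.
        "cn_ignored": bool(sans) and cn is not None and cn not in sans,
    }

# Constructed sample of the openssl output; pipe the real output via stdin instead.
SAMPLE = """subject=C = FR, O = Example Lab, CN = vcsa.lab.example.net
X509v3 Subject Alternative Name:
    DNS:vcsa.lab.example.net, DNS:vcsa, IP Address:192.0.2.10
"""

if __name__ == "__main__":  # usage: python3 check_cert.py <pnid> < openssl_output
    pnid = sys.argv[1] if len(sys.argv) > 1 else "vcsa.lab.example.net"
    text = sys.stdin.read() if len(sys.argv) > 1 else SAMPLE
    for key, value in check_cert_against_pnid(text, pnid).items():
        print(f"{key}: {value}")
```

A `cn_ignored: True` result is the classic trap: the FQDN sits in the CN but not in the SAN list, so verification fails even though the certificate "contains" the name.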
Could you try to run the next command to search for duplicated certificates under the same serial numbers:
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep -A 6 -i alias | less
Also I was reading a little bit, and it seems that the resolution for some of the folks was updating vCenter Server to 6.7 U3g, which is build 16046470.
Tried it and no duplicated certificates.
Nonetheless, I had a remote session with VMware. According to the support, a subnet change of a VCSA is not recommended and probably won't work. Checked the info:
If you have two sites, as in our case, they recommend setting up a second VCSA and running both VCSA instances in linked mode. However, this answer and problem aren't directly the main question of the thread, but they have the same error log.