I attempted to replace my machine cert on my VCSA server. After a few attempts I gave up and performed a full certificate reset using the `/usr/lib/vmware-vmca/bin/certificate-manager` tool.
Now I'm seeing the following errors in the UI when looking at any Health or vSAN information. Anyone know how to resolve this? I upgraded to 22.214.171.124000 and that didn't help.
In my /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log I see lots of:
```
Caused by: com.vmware.vsphere.client.vsandp.core.sessionmanager.common.NotAccessibleException: com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match
... 119 common frames omitted
Caused by: com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint doesn't match
```
Vijay2027, thanks for your quick response. Unfortunately, putting in an SR isn't an option right now. Do you know how to check and/or manually fix the endpoint certs?
I wish I did. When did these issues start for you?
For me, they first started when I tried using a machine cert created by Let's Encrypt. There were problems with this certificate. I ended up resetting all of the certificates. Since doing this, I've been plagued by issues.
I have had the issues since I changed the VCSA certificate authority to a sub cert of my AD CA...
But I haven't tried to reset this until now.
Is it also working for you in the flash web client?
Wow, surprisingly the flash client works!
I do see some errors in the /var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log like:
```
[2019-10-28T11:05:28.557-07:00] [WARN ] http-nio-9090-exec-10 c.vmware.vim.vmomi.client.http.impl.AllowKnownThumbprintVerifier Mismatched thumbprint 20:00:72:BA:3E:85:D4:93:A2:78:A4:83:62:2C:62:6C:4E:46:64:FF, rejecting connection
```
but it doesn't seem to affect the operation of the client
I see this error as well with the flash client, but I'm not sure if this is because of the other issue or something the flash client is doing, because I'm getting the same errors also with pages that are working in the HTML 5 client.
I'm leaving the office for today, but tomorrow I will try to reset the certificate back to a VCSA self-signed one; maybe this will change something.
Before we check endpoints, can you move the contents of the below folders to a backup location (Ex: /storage/core) and restart vsphere-client and vsphere-ui services?
Thanks @Vijay2027, I moved out /usr/lib/vmware-vsphere-client/server/work but I didn't have a folder called /usr/lib/vmware-virgo/server/pickup in my install. No change after restart of both services.
```
root@vcenter [ /usr/lib/vmware-virgo/server ]# ls -la
drwxr-xr-x 10 root root 4096 Oct 28 10:02 .
drwxr-xr-x 3 root root 4096 Oct 10 05:57 ..
drwxr-xr-x 2 root root 4096 Oct 28 10:02 about_files
-rwxr-xr-x 1 root root 5588 May 30 11:30 About.html
-rwxr-xr-x 1 root root 3140 May 30 11:30 AboutKernel.html
-rwxr-xr-x 1 root root 4381 May 30 11:30 AboutNano.html
drwxr-xr-x 2 root root 4096 Oct 28 10:02 admin
-rwxr-xr-x 1 root root 14547 May 30 11:30 artifacts.xml
drwxr-xr-x 2 root root 4096 Oct 28 10:02 bin
drwxr-xr-x 4 root root 4096 Oct 28 10:02 configuration
-rwxr-xr-x 1 root root 12567 May 30 11:30 epl-v10.html
drwxr-xr-x 4 root root 4096 Oct 28 10:02 lib
-rwxr-xr-x 1 root root 8783 May 30 11:30 notice.html
drwxr-xr-x 4 root root 4096 Oct 10 05:57 p2
drwxr-xr-x 2 root root 12288 Oct 28 10:02 plugins
drwxr-xr-x 3 root root 4096 Oct 10 05:57 repository
-rwxr-xr-x 1 root root 3616 May 30 11:31 vmware-changes.txt
```
Thanks again for your help Vijay2027 - you were right, it was definitely a complex and not self-fixable issue. I had a number of services that were running with the wrong certificate. GSS provided me with a script that fixed them all.
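An added example, not part of the thread and not the GSS script: a way to tally the thumbprints reported by the `Mismatched thumbprint` warnings quoted above and check each against a certificate you have exported to PEM. The function names and the sample certificate are hypothetical; it assumes the logged value is a SHA-1 thumbprint (20 colon-separated bytes, as in the quoted line).

```python
import hashlib
import re
import ssl
from collections import Counter

# Warning format as quoted in the thread (AllowKnownThumbprintVerifier).
MISMATCH_RE = re.compile(
    r"Mismatched thumbprint ((?:[0-9A-F]{2}:){19}[0-9A-F]{2}), rejecting", re.I)

def sha1_thumbprint(pem: str) -> str:
    """SHA-1 over the DER encoding, formatted AA:BB:... like the log."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def rejected_thumbprints(log_lines) -> Counter:
    """Count each distinct thumbprint that a warning line reports."""
    hits = Counter()
    for line in log_lines:
        m = MISMATCH_RE.search(line)
        if m:
            hits[m.group(1).upper()] += 1
    return hits

def compare(log_lines, pem: str) -> dict:
    """Map thumbprint -> (count, True if it is the supplied certificate)."""
    mine = sha1_thumbprint(pem)
    return {tp: (n, tp == mine)
            for tp, n in rejected_thumbprints(log_lines).items()}

# Constructed stand-in for an exported certificate: arbitrary bytes in a PEM
# wrapper, not a real X.509 certificate. The digest is computed the same way.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-placeholder-der-bytes")

PREFIX = ("[2019-10-28T11:05:28.557-07:00] [WARN ] http-nio-9090-exec-10 "
          "c.vmware.vim.vmomi.client.http.impl.AllowKnownThumbprintVerifier ")
SAMPLE_LOG = [
    # Thumbprint from the log line quoted in the thread.
    PREFIX + "Mismatched thumbprint 20:00:72:BA:3E:85:D4:93:A2:78:A4:83:"
             "62:2C:62:6C:4E:46:64:FF, rejecting connection",
    # Constructed line carrying the sample certificate's own thumbprint.
    PREFIX + f"Mismatched thumbprint {sha1_thumbprint(SAMPLE_PEM)}, "
             "rejecting connection",
    "[2019-10-28T11:05:29.001-07:00] [INFO ] constructed unrelated line",
]

if __name__ == "__main__":
    for tp, (count, is_mine) in compare(SAMPLE_LOG, SAMPLE_PEM).items():
        print(tp, count, "supplied cert" if is_mine else "other cert")
```

A thumbprint that matches none of the certificates you export belongs to some other certificate still in use or still registered somewhere, which is the situation the last post describes.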