Hi all,
Doing a deployment of a new vCenter 6.0 U3a we are getting Failed to initialize VMware Certificate Authority - Error 100004 ( popup title install.vmafd.vmca_selfcafailed ) . Not gonna paste from the logs unless needed. . We checked DNS entries/ DB connection / everything else that we could think of ,
I think I found the issue. We are able to install on the same OS / same settings vCenter 6.0 U2a . Done several revert to snapshot and reproduced the scenario several times - each time getting the same conclusion : vCenter 6.0U2a works , u3/u3a does not Work.
So what I saw is that openssl version was changed. My ideea is that we are missing a hotfix on the Windows VM ( which is Windows 2008 R2 patched with security hotfixes only ) . So now I'm trying to see what might be the hotfix that we need ( taking in consideration that we can't just put all patches 
) .
Have also a SR opened to VMware, so far no solution .
Any ideas, anyone ?
Thank you.
Accepted Solutions
Just realized I have not provided the solution, sorry . What else I tested was an upgrade from 6.0 u2 to u3 - which worked, but still it had issues with some services ( vCenter functional , but complaining something about Profile driven storage not being connected to vmca , something like that, of course logs mentioned something regarding to the certificate ) . My initial idea was half-right - it was not related to an hotfix, however it was related to openssl.
I finally managed to do a clean install of vCenter 6.0 U3, see below
The installation was failing because of the defined entries in Windows %PATH% - C:\Program Files\EMC NetWorker\nsr\bin .
When we had issues with installation failing , before pressing OK on the error popup , I was going into the vcenterInstallDir\vmcad\ and sometimes if I would run certool.exe I would get some error regarding either ssleay32 or libeay32 ( can’t remember exactly , but one of those files ) .
Both of those files are found C:\Program Files\EMC NetWorker\nsr\bin , so my guess is that the vCenter installer/ certool was looking in the %PATH% folders trying to find those files and it was finding them in the first %PATH% entry, the networker one, which were for an older openssl version , and would fail . vCenter 6.0 U2 was working because it came with an older version of openssl. vCenter also adds an entry into %PATH% - x:\Program Files\VMware\vCenter Server\openSSL , which contains the mentioned files for the correct version, but networker path was the first one .
I suggested VMware to improve the installer , so that it looks for its needed files in its own folders , and not throughout the whole system.
So if you have this issue, just clean your %PATH% and leave the default that Windows comes with and see if that works ( hopefully knowing what exactly you are doing/ removing so you don't break something ) . If that works and vcenter gets installed / updated , then add the cleaned entries at the end of the %PATH%.
Cheers !
Just realized I have not provided the solution, sorry . What else I tested was an upgrade from 6.0 u2 to u3 - which worked, but still it had issues with some services ( vCenter functional , but complaining something about Profile driven storage not being connected to vmca , something like that, of course logs mentioned something regarding to the certificate ) . My initial idea was half-right - it was not related to an hotfix, however it was related to openssl.
I finally managed to do a clean install of vCenter 6.0 U3, see below
The installation was failing because of the defined entries in Windows %PATH% - C:\Program Files\EMC NetWorker\nsr\bin .
When we had issues with installation failing , before pressing OK on the error popup , I was going into the vcenterInstallDir\vmcad\ and sometimes if I would run certool.exe I would get some error regarding either ssleay32 or libeay32 ( can’t remember exactly , but one of those files ) .
Both of those files are found C:\Program Files\EMC NetWorker\nsr\bin , so my guess is that the vCenter installer/ certool was looking in the %PATH% folders trying to find those files and it was finding them in the first %PATH% entry, the networker one, which were for an older openssl version , and would fail . vCenter 6.0 U2 was working because it came with an older version of openssl. vCenter also adds an entry into %PATH% - x:\Program Files\VMware\vCenter Server\openSSL , which contains the mentioned files for the correct version, but networker path was the first one .
I suggested VMware to improve the installer , so that it looks for its needed files in its own folders , and not throughout the whole system.
So if you have this issue, just clean your %PATH% and leave the default that Windows comes with and see if that works ( hopefully knowing what exactly you are doing/ removing so you don't break something ) . If that works and vcenter gets installed / updated , then add the cleaned entries at the end of the %PATH%.
Cheers !