Vikramaditya_J
Enthusiast

vCenter server 7.0 cannot fetch SSL Certificates from domain controllers using openssl

Hello Community,

I am trying to join vCenter server 7.0.2 to AD over LDAP; however, I am getting the error "Can't contact LDAP server."

As part of troubleshooting, it came out that vCenter cannot fetch the SSL certificates from the domain controllers, and openssl gives the following error:

================
root@myvcsa01 [ ~ ]# /usr/bin/openssl s_client -connect mydc01.domain.com:636
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 215 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1636711093
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
====================

- All required ports are open between the vCenter and domain controllers and there's no traffic blocked.

 

So any idea on this? Where is the problem and how do I fix it?

 

Thank you!
Vikramaditya J
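Added example, not part of the original thread: a small Python triage helper that reads s_client output like the one above and states what the counters imply (errno 104 is ECONNRESET; 0 bytes read after 215 written means the ClientHello went out and the peer closed without answering). The sample transcript is constructed from the question, and the "no usable LDAPS server certificate on the DC" reading of that pattern is the typical cause, not a verified diagnosis of this particular environment.

```python
import re

# Constructed sample: the relevant lines of the s_client transcript from the question.
SAMPLE_OUTPUT = """CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 215 bytes
---
New, (NONE), Cipher is (NONE)
"""

# Linux errno values that show up in s_client's "write:errno=" / "read:errno=" lines.
ERRNO_NAMES = {104: "ECONNRESET", 110: "ETIMEDOUT", 111: "ECONNREFUSED"}


def parse_s_client(output: str) -> dict:
    """Extract the fields that matter for a handshake post-mortem."""
    info = {
        "tcp_connected": "CONNECTED(" in output,
        "errno": None,
        "bytes_read": None,
        "bytes_written": None,
        # s_client prints a "Server certificate" section only when it received one.
        "peer_cert": "Server certificate" in output
        and "no peer certificate available" not in output,
    }
    m = re.search(r"errno=(\d+)", output)
    if m:
        info["errno"] = int(m.group(1))
    m = re.search(r"handshake has read (\d+) bytes and written (\d+) bytes", output)
    if m:
        info["bytes_read"], info["bytes_written"] = int(m.group(1)), int(m.group(2))
    return info


def diagnose(info: dict) -> str:
    """Map the parsed counters to the layer where the LDAPS connection is failing."""
    if not info["tcp_connected"]:
        return "no TCP connection: port 636 closed or filtered"
    if info["peer_cert"]:
        return "handshake completed: check certificate chain and trust store instead"
    if info["bytes_read"] == 0 and info["bytes_written"] and info["errno"] == 104:
        return ("TCP accepted but peer sent ECONNRESET after ClientHello (0 bytes read): "
                "the listener is not completing TLS, typically because the DC has no usable "
                "Server Authentication certificate for LDAPS, or a middlebox closed the session")
    if info["bytes_read"]:
        return "peer answered but handshake failed: protocol/cipher mismatch, read the alert"
    return "inconclusive: rerun with -msg and -debug"
```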
Ajay1988
VMware Employee

The port is typically 389 for LDAP connections and 636 for LDAPS connections.

Use the same command with port 389 and check. Engage your AD/DC/Firewall team to see what they see when you run the command.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-98B36135-CD...

 

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ