vasan22in
Enthusiast

Certificate Error in vRA

Hi Team,

I have deployed my vRA Enterprise with an internal certificate generated by openssl and signed with Microsoft CA. After all successful deployments, when I try to access the vRA portal I am getting the below error in all browsers. How do I fix this?

pastedImage_0.png

Thanks,

Srini

Please consider marking this answer "correct" or "helpful" if you think your query has been answered correctly. Thanks, Srini
0 Kudos
5 Replies
daphnissov
Immortal

Well, you have an invalid cert, so there are several things that could cause this. You're going to have to provide a lot of details about your certificate and your vRA infrastructure.

0 Kudos
jasnyder
Hot Shot

HSTS is a setting where a site can indicate to your browser that it should always be communicated with over HTTPS (SSL). I'm guessing from your post that this is relating to your internal setup being called test.com, which is an actual external domain. You may have accidentally browsed to it or possibly had a DNS issue which caused your browser to go to the actual external site rather than the internal one. That site may have been added to the HSTS settings and now you can't get to the internal one without clearing it out.

In Chrome, go to chrome://net-internals/#hsts, enter vra-01.test.com into the "Delete domain" box and hit the Delete button. Then try your vRA site again.

In Firefox, go to your history, find the page in the history, right-click and click "Forget About This Site".

Justin Snyder ___________________ Blog/Content/Consulting - https://www.ltx.systems Youtube - https://www.youtube.com/channel/UCvaigQrBZx-yfWh-ULiN_ug I love solving a good problem. If you find my effort helpful and time saving, please mark it as the correct answer or helpful.
GBartsch
Enthusiast

Interestingly, I've recently run into this myself.  Were you able to figure out what the issue was?

In my case, the customer created the certificates using OpenSSL, just as we would for vRA 6.2.5, and they were signed by a RedHat CA.  During the post-install configuration / validation, we had no issues at all. Everything was flawless.

However, when attempting to hit the vRO Control Center web, we get the same error you see above.  vRA itself, as opposed to embedded vRO, doesn't appear to have ANY issues with the certificates supplied and signed by the external CA. (...and they are the same cert, with all of the Subject Alternative Names [SANs] for the vRA appliances, etc.)

What is this issue caused by?

0 Kudos
GBartsch
Enthusiast

Ok,

It turns out that Chrome and Firefox make it a little difficult to see the cert when you have the HSTS issue.

They do tell you, however, that it's a self-signed certificate.

So what is actually going on is that the vRA 7.3 installer indicated that everything installed / configured without a hitch, but it did not.

The 8281 and 8283 embedded vRO certificates were not replaced, even though they are supposed to be as part of the installer!

So, the next step will be to see if there is a place where the failure to install the certificate into vRO (the same cert as is used for the vRA VAMI) is logged.

(If you need to work around this in a lab, you can install the self-signed certificate from the vRO Control Center into your browser.)

Anyone know where we look for the installer/configuration log on a vRA 7.3 install?

0 Kudos
LoganDS
VMware Employee

Chrome does not allow these certificates to load unless explicitly told to do so:

Once the HSTS page loads, click into the white space of the page and type on your keyboard, one word, "badidea"

This will load the page.

The scripts fired by the vRA VAMI should replace these certificates. It's possible the scripts failed for whatever reason, but we would recommend opening an SR to get this tracked with production support.

0 Kudos
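
An added example, not part of any post in this thread: a small Python model of the browser-side HSTS lookup defined in RFC 6797, showing why a policy recorded for a host name also removes the certificate click-through on other ports of that host (such as 8281 and 8283), and what deleting a single domain entry changes. The class and function names are hypothetical, the header values are constructed, and it assumes the policy was learned from a response served with a valid certificate.

```python
import time

def parse_sts(header):
    """Parse a Strict-Transport-Security value (RFC 6797, section 6.1)."""
    max_age, include_sub = None, False
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            max_age = int(value.strip().strip('"'))
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        raise ValueError("max-age directive is required")
    return max_age, include_sub

class HstsStore:
    """Hypothetical model of a browser's dynamic HSTS list, keyed by host name only."""
    def __init__(self):
        self.entries = {}  # host -> (expiry_time, include_subdomains)

    def note(self, host, header, cert_valid, now=None):
        # The header is only honoured on a TLS connection without certificate errors.
        if not cert_valid:
            return
        now = time.time() if now is None else now
        max_age, include_sub = parse_sts(header)
        if max_age == 0:              # max-age=0 removes the entry
            self.entries.pop(host.lower(), None)
        else:
            self.entries[host.lower()] = (now + max_age, include_sub)

    def delete(self, host):
        # Models deleting one domain's entry: only that exact name is removed.
        self.entries.pop(host.lower(), None)

    def is_hsts_host(self, host, now=None):
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):  # exact name first, then each parent domain
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def cert_error_bypassable(store, host, port, now=None):
    # The port is deliberately unused: HSTS matches on host name, so a policy
    # learned on 443 also applies to 8281 and 8283 on the same host.
    return not store.is_hsts_host(host, now)
```

In this model, a policy set by a parent domain with `includeSubDomains` still covers the host after its own entry is deleted, so the parent entry is the one to look for in that case.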