Hello all,
I'm trying to install BDE2.2 in a lab environment and I'm running into an error when I tried to enable SSO: "Cannot reach SSO Lookup Service. Verify that the URL is correct and the service is running."
vCenter and hosts are 6.0 with the last patch.
I have one PSC appliance working as a subordinate CA; the root CA is a self-signed CA running on Windows Server 2012 R2.
vCenter is also an appliance, and its certificate looks good.
BDE 2.2 vApp installed OK.
vCenter plug-in installed OK.
Lookup service URL I used: https://myPSC:443/lookupservice/sdk
I checked the log for enabling SSO (/opt/serengeti/ssotool/installer.log):
[2015-08-04 16:43:40,634 main DEBUG com.vmware.vim.install.cli.RegTool] $Id: //depot/vicore/vicore-2013/regtool/viregtool/src/main/java/com/vmware/vim/install/cli/RegTool.java#4 $
[2015-08-04 16:43:40,636 main DEBUG com.vmware.vim.install.cli.RegTool] Executing command: storeSsoData -d https://psc01.lab.local:443/lookupservice/sdk -f /opt/serengeti/ssotool/ssoData
[2015-08-04 16:43:40,671 main INFO com.vmware.vim.install.impl.RegistrationProviderImpl] Intializing registration provider...
[2015-08-04 16:43:41,270 main DEBUG com.vmware.vim.install.impl.LookupServiceAccess] Creating VMODL client for LookupService
[2015-08-04 16:43:41,274 main INFO com.vmware.vim.install.impl.CertificateGetter] Getting SSL certificates for https://psc01.lab.local:443/lookupservice/sdk
[2015-08-04 16:43:41,654 main DEBUG com.vmware.vim.install.impl.CertificateGetter] Establishing socket connection to psc01.lab.local/192.168.102.2:443. Timeout is 60000
[2015-08-04 16:43:42,475 main DEBUG com.vmware.vim.install.impl.AdminServiceAccess] Creating client for SSO Admin on address: https://psc01.lab.local/sso-adminserver/sdk/vsphere.local
[2015-08-04 16:43:42,906 main ERROR com.vmware.vim.install.impl.AdminServiceAccess] com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
I SSH'd to the BDE2.2 management server and ran:
openssl s_client -connect psc01.lab.local:443 -tls1
I got:
depth=1 C = US, DC = vsphere, DC = local, O = psc01.lab.local, CN = CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=lab/C=CA/ST=QC/L=XX/O=XX/OU=Lab
   i:/C=US/DC=vsphere/DC=local/O=psc01.lab.local/CN=CA
 1 s:/C=US/DC=vsphere/DC=local/O=psc01.lab.local/CN=CA
   i:/DC=local/DC=lab/CN=lab-DC-CA
So, just like "Server certificate chain not verified", it looks like the BDE management appliance cannot find my root CA certificate. Now, I have my root CA certificate. My questions are:
1. Where should I put this certificate? I copied it to a folder and ran "openssl s_client -connect psc01.lab.local:443 -CAfile /opt/chef-server/embedded/ssl/certs/rootca.crt -tls1" without error, but when I run "EnableSSOAuth" I still get the same error.
2. Can I replace the BDE self-signed certificate by generating a CSR, and how can I do it?
thanks
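The chain failure shown in the question above (error 20 at depth 1, then success once the root is passed with -CAfile) can be reproduced offline. This is an added example, not part of the original thread: it builds a throwaway root CA, subordinate CA and server certificate with made-up names, and the function names, file names and subjects are assumptions.

```shell
#!/bin/sh
# Constructed lab PKI (all names made up): root CA -> subordinate CA -> server cert.
build_chain() {  # $1 = empty working directory
  d=$1
  # Minimal config so the script does not depend on the system openssl.cnf.
  cat > "$d/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed root CA (plays the role of the offline/Windows root in the thread).
  openssl req -x509 -config "$d/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=example-root-CA" -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null || return 1
  # Subordinate CA, signed by the root.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=example-sub-CA" -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/pki.cnf" -extensions v3_ca -out "$d/sub.crt" 2>/dev/null || return 1
  # Server certificate, signed by the subordinate CA.
  openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=server.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/sub.crt" -CAkey "$d/sub.key" -CAcreateserial \
    -days 2 -out "$d/leaf.crt" 2>/dev/null || return 1
}

# Verify as a TLS client would: the server sends leaf + subordinate (-untrusted),
# while the root has to come from the client's own trust store ($2, optional).
verify_leaf() {  # $1 = directory, $2 = optional CA file
  if [ -n "$2" ]; then
    openssl verify -CAfile "$2" -untrusted "$1/sub.crt" "$1/leaf.crt" 2>&1
  else
    openssl verify -untrusted "$1/sub.crt" "$1/leaf.crt" 2>&1
  fi
}

demo() {
  t=$(mktemp -d) && build_chain "$t" || return 1
  echo "== client without the root CA in its trust store"
  verify_leaf "$t"
  echo "== same check, root CA supplied for this one invocation"
  verify_leaf "$t" "$t/root.crt"
  rm -rf "$t"
}
demo
```

The -CAfile option only affects that single openssl invocation; it does not change what any other program on the machine trusts.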
It's a VC certificate issue. You can follow this KB to fix it.
Thanks,
Selina
Check DNS on the Serengeti server.
Check that you can ping the vCenter server using its fully qualified name (FQN).
I'm also looking for info on how to update BDE certificate. Connection to appliance in vcenter web client extension keeps disconnecting with certificate error.