kef461
Contributor
Contributor

openSSL certificate verification

I have seen others talk about this issue but they never stated what resolved their problem.

Problem: When you do a connect.pl from the Perl utilities and get Error: Server version unavailable at 'https://asciesx1/sdk/vimService.wsdl'. If you do a wget it returns.

16:02:15 https://asciesx1/sdk/vimService.wsdl

Resolving asciesx1... 172.29.59.25

Connecting to asciesx1|172.29.59.25|:443... connected.

ERROR: cannot verify asciesx1's certificate, issued by `/C=US/ST=California/L=Palo Alto/O=VMware, Inc./emailAddress=ssl-certificates@vmware.com/OU=VMware ESX Server Certificate/CN=asciesx1/unstructuredName=1250522187,564d7761726520496e632e':

Self-signed certificate encountered.

To connect to asciesx1 insecurely, use `--no-check-certificate'.

Unable to establish SSL connection.

I have tried to configure openssl and give the ca certificate to the client machine so that it could use it for verifying. These are self-signed certificates.

0 Kudos
15 Replies
lamw
Community Manager
Community Manager

Can you provide the exact command/syntax you're using to connect to either your ESX(i) or vCenter host? Where are you executing this from? vCLI on Windows/Linux or on vMA?

You should be doing something like the following (example using vMA 4.0):

[vi-admin@scofield ~]$ /usr/lib/vmware-vcli/apps/general/connect.pl --server himalaya.primp-industries.com --username root
Enter password:

Connection Successful
Server Time : 2009-08-18T02:44:38.533958Z

=========================================================================

William Lam

VMware vExpert 2009

VMware ESX/ESXi scripts and resources at:

VMware Code Central - Scripts/Sample code for Developers and Administrators

If you find this information useful, please award points for "correct" or "helpful".

0 Kudos
kef461
Contributor
Contributor

I am using the vMA? I am under the directory general and executing the connect.pl. I am getting the above errors that point back to a problem with the self-signed ceritificates. I have verified the certificates are good by openssl verify <cerificate nane>. I believe that it is a configuration error. Not sure how openssl works with self-signed cerificates on the client side.

0 Kudos
SMacK_Daddy
Contributor
Contributor

I am having the same issue with perl 5.12.3, compiled from source, installed in /usr/local on Mac OS X 10.6 (Snow Leopard).

$ sudo /usr/local/bin/perl /usr/local/bin/apps/general/connect.pl --server servername                                    

Enter username: xxxxxx
Enter password:
Server version unavailable at 'https://servername:443/sdk/vimService.wsdl' at /usr/local/lib/perl5/site_perl/5.12.3/VMware/VICommon.pm line 545, <STDIN> line 2.

$ curl -o -  https://servername:443/sdk/vimService.wsdl

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

More details here: http://curl.haxx.se/docs/sslcerts.html

...

$ curl -ko -  https://servername:443/sdk/vimService.wsdl

<?xml version="1.0" encoding="UTF-8" ?>

<!--

   Copyright 2005-2010 VMware, Inc.  All rights reserved.

-->

<definitions targetNamespace="urn:vim25Service"

   xmlns="http://schemas.xmlsoap.org/wsdl/"

   xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"

   xmlns:interface="urn:vim25"

>

   <import location="vim.wsdl" namespace="urn:vim25" />

   <service name="VimService">

      <port binding="interface:VimBinding" name="VimPort">

         <soap:address location="https://localhost/sdk/vimService" />

      </port>

   </service>

</definitions>

0 Kudos
stumpr
Virtuoso
Virtuoso

I believe I ran into this before on the forums, but when using OpenSSL with C++ and gSoap.

Basically the self signed cert on an ESX host does not include the self-create CA certificate, so a strict certificate check will fail (for example, if you were to extract the certificate and do an openssl verify).  However, this doesn't impede browsers and the SDK tool kits.

However, I am not seeing this issue with Perl 5.10.  That error is going to be from either LibXML or Crypt::SSLeay.  What versions of those are you running?  It may be a bug in either of the two (though I'm guessing it may be LibXML).

Reuben Stump | http://www.virtuin.com | @ReubenStump
0 Kudos
mikelinds
Contributor
Contributor

I'm seeing this issue with Perl 5.10

I definitely think that newer versions of Crypt::SSLeay are more restrictive about ssl certs.

Unfortunately, that seems to make it impossible to use any of the cli tools without running older perl modules.

0 Kudos
mikelinds
Contributor
Contributor

Crypt::SSLeay v0.85

0 Kudos
stumpr
Virtuoso
Virtuoso

So I double checked on my lab machine (OS 10.6.7)

Versions

Perl: 5.10.0

Crypt::SSLeay: 0.58

OpenSSL: 0.9.8l 5 Nov 2009

It's a fairly recent install of Snow Leopard.  The only modification I had to make was to remove arch ppc from "/System/Library/Perl/5.10.0/darwin-thread-multi-2level/Config_heavy.pl".  Looks like XCode 4 removed the assembler for ppc and it errored out when I tried to installed Crypt::SSLeay.

What I did differently is I download the Perl SDK.  I then copy the VMware/share/VMware/* modules and put them into /System/Library/Perl/5.10.0/VMware.

I then installed Crypt::SSLeay using CPAN.  I'm able to connect to vCenter and list out hosts in a test script.

There might be more going on than just the SSLeay module version.

Reuben Stump | http://www.virtuin.com | @ReubenStump
0 Kudos
mikelinds
Contributor
Contributor

Looks like I typoed my SSLeay version.

Full version list:

Perl 5.10.1

Crypt::SSLeay 0.58

OpenSSL 0.9.8k

FreeBSD 7.3

Could I get a copy of your test script, stumpr?  I'm still waiting on access privileges to our local VMA instance, and would like to try something that at least works for someone else.   I'm also waiting on my account getting some bits flipped, so I can file a support ticket about this (since vmware doesn't seem to follow the forums very well).

I did the VMWare perl modules using Makefile.PL.  Everything else is pkg_add or perl -MCPAN.

0 Kudos
stumpr
Virtuoso
Virtuoso

It's a simple script, it really shouldn't have any impact on the testing.  Any chance there is some network variable at cause, such as a https proxy?

use strict;

use warnings;

use VMware::VIRuntime;

Opts::parse();

Opts::validate();

Util::connect();

my $host_views = Vim::find_entity_views( view_type => "HostSystem", properties => [ 'name' ] );

foreach my $host ( @{$host_views} ) {

     print $host->name . "\n";

}

Util::disconnect();

Reuben Stump | http://www.virtuin.com | @ReubenStump
0 Kudos
mikelinds
Contributor
Contributor

I needed to add:

$ENV{SSL_verify_mode} = 0x00;

Near the top of my script.  After that, it's all working beautifully.

0 Kudos
RockT
Contributor
Contributor

I think I have found a more simple solution for this:

# export PERL_LWP_SSL_VERIFY_HOSTNAME=0

This disables SSL checks.

Regards,

Rainer

0 Kudos
Jogarem
Enthusiast
Enthusiast

Rainer wrote:

I think I have found a more simple solution for this:

# export PERL_LWP_SSL_VERIFY_HOSTNAME=0

@RockT:

THANKS THANKS THANKS !!!!!

You save my day!

Really!

That works like a charm 🙂

Thanks again!

Thomas

0 Kudos
RockT
Contributor
Contributor

You're welcome, Thomas. Smiley Happy

0 Kudos
FrankVanDamme
Contributor
Contributor

This is kinda insecure, isn't it 🙂

I'd prefer a method of saving the certificate locally and "trust" it (think firefox, IE, Chrome). So at least you know if it's been tampered with in transit.

0 Kudos
ObibiniKwasi
Enthusiast
Enthusiast

How can this be done on a Windows machine with vCLI?

0 Kudos