Hi,
I am getting the following error when the sample client application tries to connect to VCenter.
I have copied the "rui.crt" file from VCenter (C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL) to the client machine. The client is a Linux box. I tried after re-generating the certificates at VCenter, but the error persists. Used the following link to regenerate the certs.
SOAP 1.1 fault: SOAP-ENV:Client
"SSL_ERROR_SSL
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed"
Detail: SSL_connect error in tcp_connect()
The same code works perfectly when connecting to ESX host using ESX hosts certificate.
Thanks,
--Praveen
Praveen,
This looks similar to this issue. It looks like the rui.crt uses an intermediate certificate. I did an openssl verify on the rui.crt from my vCenter 4.0 installation.
I suspect VMware used the same logic to generate the vCenter certificate as was used on the host. I'm not sure you can retrieve the intermediate certificate, however, I'll have to look through the vCenter installation to see if it's somewhere accessible.
You can probably resolve this issue by generating your own self-signed certificate.
Essentially the intermediate certificate isn't in the rui.crt file and the strict checking of the openssl library is preventing your connection.
stumpr.
Hi Stumpr,
I tried the details mentioned by you in the other thread, by modifying the /sbin/generate-certificate.sh script.
After doing that I am getting the same error. I am trying to connect to ESX 4.0 host.
ON ESX 4.0 HOST
-
# openssl verify /etc/vmware/ssl/rui.crt.new
/etc/vmware/ssl/rui.crt.new: /O=VMware Installer
error 18 at 0 depth lookup:self signed certificate
OK
ON LINUX BOX from where I am trying to run the client application.
# openssl verify /certs/esx40/rui.crt.new
/certs/esx40/rui.crt.new: /O=VMware Installer
error 18 at 0 depth lookup:self signed certificate
/O=VMware Installer
error 9 at 0 depth lookup:certificate is not yet valid
Could you please suggest what is going wrong? Is this because of the libssl version?
Thanks,
--Praveen
error 9 at 0 depth lookup:certificate is not yet valid
This is a different type of error. Check the dates on the certificate, any chance you created it ahead of the actual clock on the ESX host?
Thanks stumpr!
Yes, the date of the machine was an issue.
For VC I generated the certificate and it worked.
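
The two `openssl verify` results discussed in this thread (error 18 for a self-signed certificate that is not trusted, error 9 when the verifying machine's clock is behind the certificate's start date) can be reproduced offline. This is an added example, not code from the thread: the subject name, file names and the helper names `make_selfsigned` and `classify` are constructed, and a lagging client clock is simulated with `openssl verify -attime`.

```shell
#!/bin/sh
# Added example. Subject, file names and helper names are constructed.

# Create a throwaway self-signed certificate (notBefore = current time).
make_selfsigned() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Installer" \
        -keyout "$1/rui.key" -out "$1/rui.crt" 2>/dev/null
}

# Run `openssl verify` as a client whose clock reads $2 (epoch seconds).
# $3 = "trusted": the certificate itself is given as the trust anchor, as
# when rui.crt has been copied to the client; anything else: not trusted.
classify() {  # $1 = certificate, $2 = client clock, $3 = trust mode
    if [ "$3" = "trusted" ]; then
        out=$(openssl verify -attime "$2" -CAfile "$1" "$1" 2>&1) || true
    else
        out=$(openssl verify -attime "$2" "$1" 2>&1) || true
    fi
    # Match on the error text rather than the exit status: the output in
    # the thread shows "OK" printed after error 18, so error lines are
    # checked before the OK line.
    case "$out" in
        *"certificate is not yet valid"*) echo not_yet_valid ;;  # error 9
        *"error 18 "*)                    echo self_signed_untrusted ;;
        *": OK"*)                         echo ok ;;
        *)                                echo other ;;
    esac
}

demo() {
    dir=$(mktemp -d)
    make_selfsigned "$dir" || return 1
    now=$(date +%s)
    crt="$dir/rui.crt"
    echo "trusted, clock correct:      $(classify "$crt" "$((now + 60))" trusted)"
    echo "trusted, clock a day behind: $(classify "$crt" "$((now - 86400))" trusted)"
    echo "not trusted, clock correct:  $(classify "$crt" "$((now + 60))" untrusted)"
    rm -rf "$dir"
}
demo
```

On a real client, comparing `openssl x509 -noout -dates -in rui.crt` with the output of `date -u` shows the same clock problem directly.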