VMware Cloud Community
DLally
Enthusiast

shell-ui-app failing - untrusted certificate chain

We're going through and setting up a distributed environment with load balanced vCAC appliances, IaaS, etc. We're having issues right away with the load balanced vCAC Appliances. I've set up a shared certificate with all the proper SANs, including the load balanced name, and it imports successfully. However, when I restart and services start coming up, I'm getting untrusted certificate chain errors. It takes forever since it looks like it retries like 45 times until it fails out.

These are the errors from the catalina.out log that basically cycle back through over and over until it fails:

4-11-03 14:30:12,813 vcac: [component="cafe:shell" priority="WARN" thread="org.springframework.scheduling.config.TaskExecutorFactoryBean#c033598-1" tenant=""] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:41 - Untrusted certificate chain:

2014-11-03 14:30:12,814 vcac: [component="cafe:shell" priority="WARN" thread="org.springframework.scheduling.config.TaskExecutorFactoryBean#c033598-1" tenant=""] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:43 - Untrusted certificate with serial number: [xxx] and thumbprint: [xxx]

2014-11-03 14:30:12,814 vcac: [component="cafe:shell" priority="WARN" thread="org.springframework.scheduling.config.TaskExecutorFactoryBean#c033598-1" tenant=""] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:43 - Untrusted certificate with serial number: [xxx] and thumbprint: [xxx]

2014-11-03 14:30:12,814 vcac: [component="cafe:shell" priority="WARN" thread="org.springframework.scheduling.config.TaskExecutorFactoryBean#c033598-1" tenant=""] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:43 - Untrusted certificate with serial number: [xxx] and thumbprint: [xxx]

2014-11-03 14:30:12,815 vcac: [component="cafe:shell" priority="WARN" thread="org.springframework.scheduling.config.TaskExecutorFactoryBean#c033598-1" tenant=""] com.vmware.vcac.platform.rest.client.support.RetriableOperation.call:74 - Exception handled during retry operation with message: I/O error on GET request for "https://xxx.com/identity/api/status":java.security.cert.CertificateException: Untrusted certificate chain.; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.

2014-11-03 14:30:12,815 vcac: [component="cafe:shell" priority="INFO" thread="org.springframework.scheduling.config.TaskExecutorFactoryBean#c033598-1" tenant=""] com.vmware.vcac.platform.rest.client.support.RetriableOperation.call:76 - Retries left: [45]. Sleeping for [20] seconds before the next retry attempt.

I've been using this blog as a template on how to create my certificates. This worked before in 6.0.1, replacing after we had built them out using self-signed.

Replacing vCAC 6.0 Appliance Certificates | grantorchard.com

I'm curious how to create the PEM using a root and an intermediate root, since I've only seen info about using the root only.

0 Kudos
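Added example, not part of the original thread: a standard-library-only check that a PEM bundle is ordered leaf, intermediate(s), root, by comparing each certificate's issuer name with the subject name of the certificate that follows it. That order is an assumption about what the appliance import expects; the function names are hypothetical, the sample certificates are constructed skeletons, and only name chaining is checked, not signatures.

```python
import base64, re

def tlv(buf, pos):  # read one DER element: (tag, value_start, end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der_cert):
    """Return (subject, issuer) of one certificate as raw DER Name bytes."""
    pos = tlv(der_cert, tlv(der_cert, 0)[1])[1]  # into Certificate, then TBSCertificate
    fields = []  # serialNumber, signature, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(der_cert, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(der_cert[pos:end])
        pos = end
    return fields[4], fields[2]

def chain_problems(pem_text):
    """List name-chaining gaps in a bundle ordered leaf, intermediate(s), root."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    certs = [names(base64.b64decode(b)) for b in blocks]
    problems = []
    for i, (subject, issuer) in enumerate(certs):
        if i + 1 < len(certs):
            if issuer != certs[i + 1][0]:
                problems.append(f"cert {i}: issuer is not the subject of cert {i + 1}")
        elif issuer != subject:
            problems.append(f"cert {i}: last cert is not self-issued (root missing)")
    return problems

def der(tag, *parts):  # short-form DER encoder, used only for the samples below
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def fake_cert(subject, issuer):  # constructed skeleton: X.509 field order, no key or signature
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), der(0x30),
              name(issuer), der(0x30), name(subject))
    b64 = base64.encodebytes(der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

LEAF = fake_cert("vcac-lb.example.test", "Constructed Intermediate CA")
INTER = fake_cert("Constructed Intermediate CA", "Constructed Root CA")
ROOT = fake_cert("Constructed Root CA", "Constructed Root CA")
if __name__ == "__main__":
    print(chain_problems(LEAF + INTER + ROOT), chain_problems(LEAF + ROOT))
```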
2 Replies
qc4vmware
Virtuoso

Is it just the shell-ui-app service that fails or do the majority of the services fail?

0 Kudos
DLally
Enthusiast

Just shell-ui-app is failing. I was able to get it to connect to an external Windows Postgres DB and get past the untrusted certificate chain errors, but shell-ui-app is still failing.

0 Kudos