VMware Cloud Community
vyujs
Enthusiast

"Untrusted certificate" exception when logging in to the vRealize Automation console of the vCAC appliance

Hi,

Thanks in advance if anyone could help.

Environment:

vCAC appliance server: VMware-vCAC-Appliance-6.2.0.0-2330392_OVF10.ova

Identity Appliance: SSO installed with VMware-VIMSetup-all-5.5.0-2442328-20150101-update02 (we want to leverage the SSO installed with vCenter as the Identity Appliance, so we didn't download and install the standalone Identity Appliance)

Deployed and configured the vCAC server following "vrealize-automation-62-installation-and-configuration.pdf" using the Minimal Deployment method. However, when logging in to the vRealize Automation console web page (https://vcac.j.k.l/vcac), after providing the username/password, we got the following error:

pastedImage_0.png

(The error code changes, i.e. it is different every time.)

Checked in VMware vRealize Automation Appliance management, SSO connected successfully.

pastedImage_3.png

Looking into /var/log/vcac/catalina.out, we got the following message:

2015-07-01 02:02:09,035 vcac: [component="cafe:shell" priority="WARN" thread="tomcat-http--49" tenant="vsphere.local"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:43 - Untrusted certificate with serial number: [10051561767222306305] and thumbprint: [93:46:75:A5:44:05:09:B2:46:46:C9:5B:52:44:C5:25:CC:EF:92:1E]

2015-07-01 02:02:09,036 vcac: [component="cafe:shell" priority="WARN" thread="tomcat-http--49" tenant="vsphere.local"] com.vmware.vcac.authentication.http.SamlLogoutRequestor.doSendLogoutRequest:107 - Cannot logout principal: [Administrator@VSPHERE.LOCAL] from SSO Server.

org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://10.240.252.178/websso/SAML2/SLO/vsphere.local?SAMLRequest=nZJNb9sgGMe%2FisU9YLBxYhS7i5ZWi%2B...........

at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:557)

at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:517)

...

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)

Caused by: java.security.cert.CertificateException: Untrusted certificate chain.

at com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted(CafeAbstractTrustManager.java:46)

...

Looking into webpage of , we found the certificate in question is the vCAC server's certificate (the thumbprint in the log and in the SSL configuration of the VMware vRealize Automation Appliance management web page is the same):

pastedImage_6.png

So, we suspect this exception is caused by SSO not recognizing the vCAC appliance server's certificate when SSO tries to authenticate the vCAC server? If yes, how do we add the vCAC appliance's certificate to the SSO server? If not, any advice on this will be appreciated!

Thanks in advance!

5 Replies
vyujs
Enthusiast

It would be really appreciated if anyone could help??
vyujs
Enthusiast

To summarize the question: does anyone know how to add the vCAC server certificate to SSO (i.e. let the SSO server that was installed with vCenter Server trust the vCAC server's certificate)?

Thanks a lot
GrantOrchardVMw
Commander

This isn't a cert issue. It's a time sync issue. Validate that all components (vRA/SSO/IaaS) are using the same time source, and that the hosts they run on have consistent time.

Grant

Grant http://grantorchard.com
diegoazevedo
Contributor

Hi,

I was getting a similar error when trying to set up vCloud Usage Meter to collect and report data back to VMware as part of vCloud Air Network. After reading your post, I realized I had configured the vCloud Usage Meter appliance with the wrong timezone. Connections to vCenter servers were fine from the appliance; the only issue was with getting data from vROPs 6. After having the proper timezone in place, the error went away.

Thanks for that!

nubronco
Enthusiast

This is an old post, but I found it when I was receiving the 'untrusted certificate' error also. I ended up opening a support ticket and they pointed me to this KB, and it fixed my issue. The problem was that someone else had replaced the external SSO server's cert that vCAC was using. I had to do the steps in the KB to get the SSO cert trusted again. I would recommend copying and pasting the steps into Notepad or something, putting your FQDNs in, and then copying to the command prompt... I had to do this twice as I typo'ed 2 lines.

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=21102...

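Added example, not part of the original thread and not VMware code: the first post matches the thumbprint from the log against the appliance certificate by eye, and the last reply describes a replaced SSO certificate; this sketch extracts every rejected thumbprint from the log text and reports which known certificate, if any, it belongs to. It assumes the logged thumbprint is the SHA-1 digest of the DER-encoded certificate (the logged value is 20 bytes long); the function names and candidate labels are hypothetical.

```python
import hashlib
import re

# Matches the WARN line format quoted in the first post of this thread.
UNTRUSTED_RE = re.compile(
    r"Untrusted certificate with serial number: \[(\d+)\] "
    r"and thumbprint: \[([0-9A-Fa-f:]+)\]"
)

def parse_untrusted(log_text):
    """Return de-duplicated (serial_hex, thumbprint) pairs in log order."""
    seen = []
    for serial_dec, thumb in UNTRUSTED_RE.findall(log_text):
        # The log prints the serial in decimal; tools such as
        # `openssl x509 -serial` print it in hex, so convert for comparison.
        pair = (format(int(serial_dec), "X"), thumb.upper())
        if pair not in seen:
            seen.append(pair)
    return seen

def sha1_thumbprint(der_bytes):
    """SHA-1 over the DER bytes, colon-separated like the log (assumption)."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def identify(log_text, candidates):
    """Map each rejected thumbprint to the matching candidate label, or None.

    candidates: {label: DER bytes}. A PEM file can be converted with
    ssl.PEM_cert_to_DER_cert() from the standard library.
    """
    by_thumb = {sha1_thumbprint(der): name for name, der in candidates.items()}
    return {thumb: by_thumb.get(thumb) for _, thumb in parse_untrusted(log_text)}

if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (not real certificates).
    certs = {"vcac-appliance": b"constructed-der-1",
             "sso-server": b"constructed-der-2"}
    line = ("checkServerTrusted:43 - Untrusted certificate with serial number: "
            "[10051561767222306305] and thumbprint: [%s]"
            % sha1_thumbprint(certs["sso-server"]))
    print(identify(line, certs))
```

A thumbprint that maps to None belongs to a certificate outside the candidate set, which is the case worth chasing when a certificate has been replaced without the other side being updated.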