3 Replies Latest reply on Aug 9, 2016 7:39 AM by Zewwy

    SSL-Updater tool Vmware 5.5 error

    TrekTrek12345 Lurker

      Hi,

       

      I'm getting an error when using the ssl-updater.bat (for 5.5) trying to update the SSO certificate.  I have created a V3 root cert using OpenSSL (after finding out V1 certs are not supported) and signed each of the CSRs that I generated using the tool with the rootCa.workgroup cert.  I've created the PEM chain for the SSO certificate and have attempted to replace it, but the import fails with (in the cmd window) 'The Service is not installed on that machine' and gives the output in the log below.  The certificate is valid in my MMC and the root is in the Trusted Root store.

       

      Any ideas? Stumped at step one of the plan......

      Thanks

      Nick

       

      2015-07-21T16:57:32.278+0100 [execution] INFO  TOOL START

      2015-07-21T16:57:33.001+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO  Loading private key file C:\certs\requests\vCenterSSO-VirtualCenter\rui.key

      2015-07-21T16:57:33.106+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO  Loading certificate chain file C:\certs\requests\vCenterSSO-VirtualCenter\rui.pem

      2015-07-21T16:57:33.175+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO  Loaded X.509 certificate for Subject: CN=VirtualCenter.WORKGROUP, OU=vCenterSSO-VirtualCenter, O=QuickFixPC Limited, L=Southampton, ST=Hampshire, C=GB

      2015-07-21T16:57:33.178+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO  Loaded X.509 certificate for Subject: CN=RootCA.WORKGROUP, OU=vCenterRoot, O=QuickFixPC Limited, L=Southampton, ST=Hampshire, C=GB

      2015-07-21T16:57:33.179+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO  Successfully loaded 2 certificate(s) from the chain file.

      2015-07-21T16:57:33.277+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO  The effective SSL certificate chain is:

      2015-07-21T16:57:33.281+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO     [0] CN=VirtualCenter.WORKGROUP, OU=vCenterSSO-VirtualCenter, O=QuickFixPC Limited, L=Southampton, ST=Hampshire, C=GB

      2015-07-21T16:57:33.281+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO     [1] CN=RootCA.WORKGROUP, OU=vCenterRoot, O=QuickFixPC Limited, L=Southampton, ST=Hampshire, C=GB

      2015-07-21T16:57:33.288+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO  Checking certificates validity period.

      2015-07-21T16:57:33.308+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO  Checking leaf certificate's suitability for the current machine.

      2015-07-21T16:57:33.324+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] DEBUG Machine's FQHN: VirtualCenter.WORKGROUP

      2015-07-21T16:57:33.328+0100 [c.v.s.c.c.i.DNSResolver] DEBUG DNS validation: resolving DNS for VirtualCenter.WORKGROUP (A/CNAME)

      2015-07-21T16:57:33.394+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] DEBUG Machine has a resolvable hostname: VirtualCenter.WORKGROUP

      2015-07-21T16:57:33.416+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] DEBUG Checking if leaf certificate is suitable for candidate address VirtualCenter.WORKGROUP.

      2015-07-21T16:57:33.422+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] DEBUG Leaf certificate is suitable for VirtualCenter.WORKGROUP

      2015-07-21T16:57:33.423+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] INFO  Checking the certificates key lengths.

      2015-07-21T16:57:33.432+0100 [c.v.s.c.c.i.ServerSslConfigFactoryImpl] DEBUG Checking certificates signature algortihm types.

      2015-07-21T16:57:33.462+0100 [execution] INFO  BEGIN UPDATE

      2015-07-21T16:57:33.540+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  Beginning certificate replacement procedure for Single Sign-On.

      2015-07-21T16:57:33.541+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG Checking if vCenter Single Sign-On service is running.

      2015-07-21T16:57:33.700+0100 [c.v.s.c.c.i.RollbackSupportImpl] INFO  The existing configuration will be backed up to C:\certs\backup\sso-ssl-updater.backup

      2015-07-21T16:57:33.742+0100 [c.v.s.c.c.i.RollbackSupportImpl] INFO  The backup directory `sso-ssl-updater.backup' did already exist and was moved to `sso-ssl-updater.backup.4'

      2015-07-21T16:57:33.744+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  Checking the password of administrator user Administrator.

      2015-07-21T16:57:33.744+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG Checking if vCenter Single Sign-On service is running.

      2015-07-21T16:57:33.747+0100 [c.v.s.c.c.i.ServerToolsImpl] INFO  Creating remote Lookup Service tools with host 127.0.0.1 and port 7080

      2015-07-21T16:57:33.758+0100 [c.v.s.c.c.i.ServerToolsImpl] DEBUG Trying to connect to Lookup Service at http://127.0.0.1:7080/lookupservice/sdk

      2015-07-21T16:57:34.112+0100 [c.v.v.i.i.LookupServiceAccess] DEBUG Creating VMODL client for LookupService

      2015-07-21T16:57:34.778+0100 [c.v.v.i.i.AdminServiceAccess] DEBUG Creating client for SSO Admin on address: http://127.0.0.1:7080/sso-adminserver/sdk/vsphere.local

      2015-07-21T16:57:35.584+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  ******* WARNING ****** WARNING ****** WARNING *******

      2015-07-21T16:57:35.584+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  Possible remote API mismatch detected. Operation will continue, but errors are likely.

      2015-07-21T16:57:35.584+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  ******* WARNING ****** WARNING ****** WARNING *******

      2015-07-21T16:57:35.846+0100 [c.v.v.s.c.SecurityTokenServiceConfig$ConnectionConfig] WARN  This configuration will establish untrusted connection with the STS server.It is acceptable for developing purposes only!

      2015-07-21T16:57:38.783+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  ******* WARNING ****** WARNING ****** WARNING *******

      2015-07-21T16:57:38.783+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  Possible remote API mismatch detected. Operation will continue, but errors are likely.

      2015-07-21T16:57:38.783+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  ******* WARNING ****** WARNING ****** WARNING *******

      2015-07-21T16:57:38.798+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG Checking if vCenter Single Sign-On service is running.

      2015-07-21T16:57:38.800+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  The vCenter Single Sign-On service is currently running but it must be stopped in order to perform a portion of the SSL certificate update operation.

      2015-07-21T16:57:38.800+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  Stopping the vCenter Single Sign-On service.

      2015-07-21T16:57:38.804+0100 [c.v.s.c.c.i.ServiceControlImpl] INFO  Waiting for service VMwareSTS to stop, 15 seconds.

      2015-07-21T16:57:41.811+0100 [c.v.s.c.c.i.ServiceControlImpl] INFO  Service did stop successfully.

      2015-07-21T16:57:41.811+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  Updating service container configuration

      2015-07-21T16:57:41.811+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG Updating STS Files

      2015-07-21T16:57:41.811+0100 [c.v.s.c.c.i.RollbackSupportImpl] DEBUG Backing up (move) file C:\ProgramData\VMware\cis\runtime\VMwareSTS\conf\ssoserver.crt to C:\certs\backup\sso-ssl-updater.backup

      2015-07-21T16:57:41.811+0100 [c.v.s.c.c.i.RollbackSupportImpl] DEBUG Backing up (move) file C:\ProgramData\VMware\cis\runtime\VMwareSTS\conf\ssoserver.p12 to C:\certs\backup\sso-ssl-updater.backup

      2015-07-21T16:57:41.811+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG Writing the sso SSL certificate in C:\ProgramData\VMware\cis\runtime\VMwareSTS\conf\ssoserver.crt

      2015-07-21T16:57:41.811+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG Writing the sso SSL certificate and private key in C:\ProgramData\VMware\cis\runtime\VMwareSTS\conf\ssoserver.p12

      2015-07-21T16:57:41.905+0100 [c.v.s.c.ConfigureWindowsSslCommand] TRACE In updateLsIfCan

      2015-07-21T16:57:41.905+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG Checking if vCenter Single Sign-On service is running.

      2015-07-21T16:57:41.905+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  The vCenter Single Sign-On service is not currently running but it must be started in order to perform a portion of the SSL certificate update operation.

      2015-07-21T16:57:41.905+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  Starting the vCenter Single Sign-On service.

      2015-07-21T16:57:41.920+0100 [c.v.s.c.c.i.ServiceControlImpl] INFO  Waiting for service VMwareSTS to start, 15 seconds.

      2015-07-21T16:57:44.952+0100 [c.v.s.c.c.i.ServiceControlImpl] INFO  Service did start successfully.

      2015-07-21T16:57:44.952+0100 [c.v.s.c.c.i.ServerToolsImpl] INFO  Creating remote Lookup Service tools with host 127.0.0.1 and port 7080

      2015-07-21T16:57:44.952+0100 [c.v.s.c.c.i.ServerToolsImpl] DEBUG Trying to connect to Lookup Service at http://127.0.0.1:7080/lookupservice/sdk

      2015-07-21T16:57:44.952+0100 [c.v.v.i.i.LookupServiceAccess] DEBUG Creating VMODL client for LookupService

      2015-07-21T16:58:26.683+0100 [c.v.v.i.i.AdminServiceAccess] DEBUG Creating client for SSO Admin on address: http://127.0.0.1:7080/sso-adminserver/sdk/vsphere.local

      2015-07-21T16:58:27.359+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  ******* WARNING ****** WARNING ****** WARNING *******

      2015-07-21T16:58:27.360+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  Possible remote API mismatch detected. Operation will continue, but errors are likely.

      2015-07-21T16:58:27.360+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  ******* WARNING ****** WARNING ****** WARNING *******

      2015-07-21T16:58:27.616+0100 [c.v.v.s.c.SecurityTokenServiceConfig$ConnectionConfig] WARN  This configuration will establish untrusted connection with the STS server.It is acceptable for developing purposes only!

      2015-07-21T16:58:30.549+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  ******* WARNING ****** WARNING ****** WARNING *******

      2015-07-21T16:58:30.549+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  Possible remote API mismatch detected. Operation will continue, but errors are likely.

      2015-07-21T16:58:30.549+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  ******* WARNING ****** WARNING ****** WARNING *******

      2015-07-21T16:58:30.550+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  Updating the SSO endpoints in the Lookup Service.

      2015-07-21T16:58:30.565+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  This is Single Sign-On single-node install. All Single Sign-On endpoints are served from this node.

      2015-07-21T16:58:31.155+0100 [c.v.s.c.c.i.LookupServiceToolsRemoteImpl] DEBUG Updating the Lookup Service record for the Security Token Service

      2015-07-21T16:58:31.958+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG Checking if vCenter Single Sign-On service is running.

      2015-07-21T16:58:31.969+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  The vCenter Single Sign-On service is currently running but it must be stopped in order to undo a portion of the SSL certificate update operation.

      2015-07-21T16:58:31.969+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  Stopping the vCenter Single Sign-On service.

      2015-07-21T16:58:32.026+0100 [c.v.s.c.c.i.ServiceControlImpl] INFO  Waiting for service VMwareSTS to stop, 15 seconds.

      2015-07-21T16:58:35.041+0100 [c.v.s.c.c.i.ServiceControlImpl] INFO  Service did stop successfully.

      2015-07-21T16:58:35.041+0100 [c.v.s.c.c.i.RollbackSupportImpl] DEBUG File C:\ProgramData\VMware\cis\runtime\VMwareSTS\conf\ssoserver.crt successfully restored from sso-ssl-updater.backup\ssoserver.crt

      2015-07-21T16:58:35.041+0100 [c.v.s.c.c.i.RollbackSupportImpl] DEBUG File C:\ProgramData\VMware\cis\runtime\VMwareSTS\conf\ssoserver.p12 successfully restored from sso-ssl-updater.backup\ssoserver.p12

      2015-07-21T16:58:35.041+0100 [c.v.s.c.ConfigureWindowsSslCommand] ERROR An error ocurred during the certificate replacement procedure:null

      2015-07-21T16:58:35.041+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG

      com.vmware.vim.binding.vmodl.fault.SecurityError: null

      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[na:1.7.0_76]

      at sun.reflect.NativeConstructorAccessorImpl.newInstance(Unknown Source) ~[na:1.7.0_76]

      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source) ~[na:1.7.0_76]

      at java.lang.reflect.Constructor.newInstance(Unknown Source) ~[na:1.7.0_76]

      at java.lang.Class.newInstance(Unknown Source) ~[na:1.7.0_76]

      at com.vmware.vim.vmomi.core.types.impl.ComplexTypeImpl.newInstance(ComplexTypeImpl.java:171) ~[vlsi-core.jar:na]

      at com.vmware.vim.vmomi.core.types.impl.DefaultDataObjectFactory.newDataObject(DefaultDataObjectFactory.java:26) ~[vlsi-core.jar:na]

      at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.ComplexStackContext.<init>(ComplexStackContext.java:33) ~[vlsi-core.jar:na]

      at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl$UnmarshallSoapFaultContext.parse(UnmarshallerImpl.java:135) ~[vlsi-core.jar:na]

      at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl$UnmarshallSoapFaultContext.unmarshall(UnmarshallerImpl.java:98) ~[vlsi-core.jar:na]

      at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl.unmarshalSoapFault(UnmarshallerImpl.java:84) ~[vlsi-core.jar:na]

      at com.vmware.vim.vmomi.client.common.impl.SoapFaultStackContext.setValue(SoapFaultStackContext.java:37) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.common.impl.ResponseUnmarshaller.unmarshal(ResponseUnmarshaller.java:97) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.unmarshalResponse(ResponseImpl.java:245) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setResponse(ResponseImpl.java:203) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.http.impl.HttpExchange.run(HttpExchange.java:126) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingImpl.send(HttpProtocolBindingImpl.java:98) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.sendCall(MethodInvocationHandlerImpl.java:533) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.executeCall(MethodInvocationHandlerImpl.java:514) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.completeCall(MethodInvocationHandlerImpl.java:302) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invokeOperation(MethodInvocationHandlerImpl.java:272) ~[vlsi-client.jar:na]

      at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invoke(MethodInvocationHandlerImpl.java:169) ~[vlsi-client.jar:na]

      at com.sun.proxy.$Proxy32.updateService(Unknown Source) ~[na:na]

      at com.vmware.sso.cfg.components.impl.LookupServiceToolsRemoteImpl.updateService(LookupServiceToolsRemoteImpl.java:242) ~[sso-updater.jar:na]

      at com.vmware.sso.cfg.components.impl.LookupServiceToolsRemoteImpl.rollbackSsoRecords(LookupServiceToolsRemoteImpl.java:119) ~[sso-updater.jar:na]

      at com.vmware.sso.cfg.ConfigureWindowsSslCommand.undoLsChanges(ConfigureWindowsSslCommand.java:340) ~[sso-updater.jar:na]

      at com.vmware.sso.cfg.ConfigureWindowsSslCommand.updateLsIfCan(ConfigureWindowsSslCommand.java:186) ~[sso-updater.jar:na]

      at com.vmware.sso.cfg.ConfigureWindowsSslCommand.updateSsoIfCan(ConfigureWindowsSslCommand.java:171) ~[sso-updater.jar:na]

      at com.vmware.sso.cfg.ConfigureWindowsSslCommand.execute(ConfigureWindowsSslCommand.java:128) ~[sso-updater.jar:na]

      at com.vmware.sso.cfg.ConfigureWindowsSslCommand$execute.call(Unknown Source) [sso-updater.jar:na]

      at org.codehaus.groovy.runtime.callsite.CallSiteArray.defaultCall(CallSiteArray.java:42) [groovy-all-1.8.8.jar:1.8.8]

      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:108) [groovy-all-1.8.8.jar:1.8.8]

      at org.codehaus.groovy.runtime.callsite.AbstractCallSite.call(AbstractCallSite.java:116) [groovy-all-1.8.8.jar:1.8.8]

      at com.vmware.sso.cfg.SsoUpdaterMain.main(SsoUpdaterMain.groovy:67) [sso-updater.jar:na]

      2015-07-21T16:58:35.041+0100 [c.v.s.c.ConfigureWindowsSslCommand] DEBUG Checking if vCenter Single Sign-On service is running.

      2015-07-21T16:58:35.041+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  The vCenter Single Sign-On service is not currently running but it was in the beginning. Starting it.

      2015-07-21T16:58:35.056+0100 [c.v.s.c.ConfigureWindowsSslCommand] INFO  Starting the vCenter Single Sign-On service.

      2015-07-21T16:58:35.181+0100 [c.v.s.c.c.i.ServiceControlImpl] INFO  Waiting for service VMwareSTS to start, 15 seconds.

      2015-07-21T16:58:38.212+0100 [c.v.s.c.c.i.ServiceControlImpl] INFO  Service did start successfully.

      2015-07-21T16:58:38.212+0100 [execution] INFO  TOOL END with status code = 2

        • 1. Re: SSL-Updater tool Vmware 5.5 error
          walbrown Lurker

          Hi,

           

          I'm seeing exactly the same error, did you get anywhere with this problem?

           

          Thanks,
          Wally

          • 2. Re: SSL-Updater tool Vmware 5.5 error
            RoyJK Lurker

            Hello,

             

            I've just hit exactly the same problem. Did either of you happen to find a fix for this?

             

            Would really, really appreciate knowing the cause if you did fix it.

             

            Thanks in advance,

             

            Roy

            • 3. Re: SSL-Updater tool Vmware 5.5 error
              Zewwy Novice

              I had to renew my internal based certificates, as I follow best practice and don't use self-signed certs. The funny part is we've set up so much alerting now here to be proactive vs reactive. So when I got in on Monday after a couple of failed backup jobs, I discovered that the account I had set up couldn't log in to vCenter, and neither could I, even though everything showed green on my monitoring board. Turns out all errors were telling me my certificates had expired (Doh! I don't have monitoring for the certs on these!)

               

              Quickly reading my setup documentation, I hit the same snag here, and called support. Turns out I had nested another folder in this one labeled SSLtool5.5, which turned out to have the same scripts but updated?

               

              Not exactly sure; turns out this one worked fine. I attempted to find a direct link to the latest version of the tool on the VMware download page, and I finally did find it under the specific vCenter instance. I guess they have a set version of the tool for each specific release of vCenter, including specific updates. I got it from the 3e update list of vCenter (direct link)

               

              I'd suggest trying to grab the latest version of the tool if you can. Renewing SSL certificates was the most painful thing ever in vCenter 5.5: 24+ steps, and you hit this wall in step 5 a.

               

              As I mentioned, I got lucky and happened to have another version of the tool I placed in a 5.5 folder. Sorry I didn't provide an MD5 hash, but I'm not sure how many iterations of this script they have (it is a batch script after all; where's the PowerShell at?)
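Added example (not part of the thread and not VMware's code): a Python triage of the ssl-updater log format quoted in the first post. It counts the "Possible remote API mismatch" warnings, which are worth surfacing given the last reply's report that a tool build matching the vCenter update worked, and pulls out the rolled-back files, the fault class, the first sso-updater.jar stack frame and the exit status. The sample lines are copied from that log; the function name and report fields are made up here.

```python
import re
from collections import Counter

# Lines copied from the log in the first post (repeats and most of the trace trimmed).
SAMPLE_LOG = r"""
2015-07-21T16:57:33.462+0100 [execution] INFO  BEGIN UPDATE
2015-07-21T16:57:35.584+0100 [c.v.v.s.a.c.v.i.AbstractClient] WARN  Possible remote API mismatch detected. Operation will continue, but errors are likely.
2015-07-21T16:58:31.155+0100 [c.v.s.c.c.i.LookupServiceToolsRemoteImpl] DEBUG Updating the Lookup Service record for the Security Token Service
2015-07-21T16:58:35.041+0100 [c.v.s.c.c.i.RollbackSupportImpl] DEBUG File C:\ProgramData\VMware\cis\runtime\VMwareSTS\conf\ssoserver.crt successfully restored from sso-ssl-updater.backup\ssoserver.crt
2015-07-21T16:58:35.041+0100 [c.v.s.c.ConfigureWindowsSslCommand] ERROR An error ocurred during the certificate replacement procedure:null
com.vmware.vim.binding.vmodl.fault.SecurityError: null
at com.sun.proxy.$Proxy32.updateService(Unknown Source) ~[na:na]
at com.vmware.sso.cfg.components.impl.LookupServiceToolsRemoteImpl.updateService(LookupServiceToolsRemoteImpl.java:242) ~[sso-updater.jar:na]
2015-07-21T16:58:38.212+0100 [execution] INFO  TOOL END with status code = 2
"""

LINE = re.compile(r"^\d{4}-\d\d-\d\dT\S+ \[(?P<logger>[^\]]+)\] (?P<level>[A-Z]+)\s*(?P<msg>.*)$")
FAULT = re.compile(r"^(?P<cls>[\w.$]+(?:Error|Exception|Fault)): ")
FRAME = re.compile(r"^at (?P<method>[\w.$<>]+)\([^)]*\) ~?\[(?P<jar>[^:\]]+)")
RESTORED = re.compile(r"^File (?P<path>.+?) successfully restored from ")
TOOL_JAR = "sso-updater.jar"  # jar name as it appears in the quoted stack trace


def triage(text):
    """Summarise one ssl-updater run: warnings, rollback, fault and exit status."""
    r = {"levels": Counter(), "api_mismatch": 0, "restored": [],
         "fault": None, "tool_frame": None, "exit_code": None}
    for line in (raw.strip() for raw in text.splitlines()):
        m = LINE.match(line)
        if m is None:
            # Continuation lines: the exception header and its stack frames.
            fault, frame = FAULT.match(line), FRAME.match(line)
            if fault and r["fault"] is None:
                r["fault"] = fault.group("cls")
            elif frame and frame.group("jar") == TOOL_JAR and r["tool_frame"] is None:
                r["tool_frame"] = frame.group("method")  # first frame in the tool's own jar
            continue
        msg = m.group("msg")
        r["levels"][m.group("level")] += 1
        restored = RESTORED.match(msg)
        if "Possible remote API mismatch" in msg:
            r["api_mismatch"] += 1
        elif restored:
            r["restored"].append(restored.group("path"))  # file put back by the rollback
        elif msg.startswith("TOOL END with status code"):
            r["exit_code"] = int(msg.rsplit("=", 1)[1])
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```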