8 Replies Latest reply on Sep 22, 2020 2:30 PM by cypherx

    SRM 8.2 virtual appliance wont take certificate.

    cypherx Hot Shot

      VMware support was troubleshooting a vSphere Replication issue, and on my SRM HQ site they changed the virtual appliance to have a self-signed certificate.  Now vCenter doesn't trust SRM and there are all kinds of errors in the pairing between SRMHQ and SRMDR.


      I'm trying to get the certificate back on so I generated a CSR and submitted it to our Windows CA.  I tried both DER and base 64 formats, but I just get a pop up error.  Any idea how to get a cert loaded?

       

      Specifying DER-encoded root and server certificate

      ERROR

      http://127.0.0.1:9286/sdk invocation failed with "com.vmware.vim.vmomi.core.exception.MarshallException: Unable to append text element [binary DER certificate data]"

      Invalid white space character (0x6) in text to output (in xml 1.1, could output as a character entity)

      Operation ID: cd1edae0-8744-4fad-aed0-c67811f56ab8

       

      Specifying base 64 root and server certificate

      ERROR

      A specified parameter was not correct: certificate

      Operation ID: 807f9484-c20c-44ab-8430-3f1d87039bea

        • 1. Re: SRM 8.2 virtual appliance wont take certificate.
          ashilkrishnan Hot Shot
          VMware Employees

          Hi

           

          Please try the following:

           

          1. Upload the certificate chain to the SRM appliance (Steps 1 to 6) --> How to Set Up a Trusted Environment for the Site Recovery Manager Virtual Appliance

          2. Convert certificate to PKCS#12 format --> VMware Knowledge Base

          Note: openssl tool is available on SRM appliance by default. You can just run openssl instead of openssl.exe

           

          3. Run steps 7 and later once you have the certificate in PKCS#12 format. --> How to Set Up a Trusted Environment for the Site Recovery Manager Virtual Appliance

           

          Hope that helps

          • 2. Re: SRM 8.2 virtual appliance wont take certificate.
            cypherx Hot Shot

            I don't recall needing to do all of this when these virtual appliances were initially deployed. 

             

            The instructions are not very clear.  Step 4 says copy the certificates to /etc/ssl/certs.  Which certificates?  My domain root CA?  In what format?  My Windows CA can export in Base64 or DER-encoded files.

             

            Why can't this be just create the CSR in the web GUI, paste that in the Windows CA, and then download the certificate trust, and split out the root cert and the website cert and just place them in the two fields?  Every other SSL type hardware we have does it that way (HP iLO, Dell iDRAC, printers, IIS web servers, and many many more).

            • 3. Re: SRM 8.2 virtual appliance wont take certificate.
              ashilkrishnan Hot Shot
              VMware Employees

              In step 4 you need to create a certificate chain by creating a pem file. Please refer to this document for instructions --> How to Create a .pem File for SSL Certificate Installations

               

              The next step involves uploading the SRM certificate in PKCS #12 format. This is one of the requirements --> Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager
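
The steps from replies 1 and 3 (build a PEM chain file, then convert to PKCS#12 with openssl), as an added example that is not part of the original posts or of VMware's documentation. It accepts either a DER or a Base64 export, confirms the server certificate was issued by the root and matches the private key, then writes the chain file and the .p12; the CA, host name, file names, friendly name and password are constructed, and the server-then-root order of the chain file is an assumption.

```shell
#!/bin/sh
# Added example. Every key, name and password below is constructed throwaway data.
set -eu

# Normalise a certificate to PEM whether the CA exported it as DER or Base64.
to_pem() {  # to_pem <in> <out.pem>
  if grep -q -e '-----BEGIN CERTIFICATE-----' "$1"; then
    openssl x509 -in "$1" -out "$2"
  else
    openssl x509 -inform DER -in "$1" -out "$2"
  fi
}

# Check that the pieces belong together, then write the chain file and the .p12.
make_p12() {  # make_p12 <server.pem> <server.key> <root.pem> <out.p12> <password>
  openssl verify -CAfile "$3" "$1" >/dev/null || return 1   # issued by this root?
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl pkey -in "$2" -pubout)" ] || return 1        # key matches cert?
  cat "$1" "$3" > "${4%.p12}-chain.pem"                     # server first, then root
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name srm-example -out "$4" -passout "pass:$5"
}

# Runs in a subshell so the caller's working directory is left alone.
demo() (
  cd "$(mktemp -d)"
  printf '[req]\ndistinguished_name=req\nx509_extensions=v3\n[v3]\nbasicConstraints=critical,CA:TRUE\n' > ca.cnf
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 2 \
    -subj '/CN=Example-Root-CA' -keyout root.key -out root.cer 2>/dev/null
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=srm.example.test' -keyout srm.key -out srm.csr 2>/dev/null
  # Issue the server certificate as DER, one of the two export formats in the thread.
  openssl x509 -req -in srm.csr -CA root.cer -CAkey root.key -CAcreateserial \
    -days 1 -outform DER -out srm.cer 2>/dev/null
  to_pem srm.cer srm.pem      # DER input
  to_pem root.cer root.pem    # Base64 (PEM) input
  make_p12 srm.pem srm.key root.pem srm.p12 'Constructed-Pass1'
  # Count the certificates that come back out of the PKCS#12 bundle.
  openssl pkcs12 -in srm.p12 -passin 'pass:Constructed-Pass1' -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
)

demo   # prints 2: the server certificate plus the root
```

If `make_p12` returns non-zero, the certificate and key (or certificate and root) do not belong together, which is worth ruling out before uploading the bundle.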

              • 4. Re: SRM 8.2 virtual appliance wont take certificate.
                cypherx Hot Shot

                Nope still doesn't work.

                 

                I went through all that roundabout trouble to get OpenSSL to work through all of those steps one by one, and still when you get to the web UI to take that .p12 file and supply the key that I created, it uploads and then this error message pops up in the lower right.  A ticket was opened with VMware but they are VERY slow to respond and have yet to help me, so that's why I've taken this to the forum.  Thanks for your help and trying to assist, but I can't get it to work.

                 

                A general system error occurred: 30ConfigurationExceptionWithHost Received SOAP response fault from [<cs p:00007f1a24013ca0, TCP:dcuvcenter.domain.com:443>]: updateExtension lookup.fault.EntryNotFoundFault Host: dcuvcenter.domain.com Exit code: 9

                A general system error occurred: Invalid fault

                Operation ID: cc657daf-80de-41b9-a9b9-95c83e9193c1

                • 5. Re: SRM 8.2 virtual appliance wont take certificate.
                  ashilkrishnan Hot Shot
                  VMware Employees

                  It's returning error: lookup.fault.EntryNotFoundFault Host: dcuvcenter.domain.com

                   

                  Please check if SRM can resolve vCenter address

                   

                   

                   

                  • 6. Re: SRM 8.2 virtual appliance wont take certificate.
                    cypherx Hot Shot

                    Yes, I SSH to the srmhq virtual appliance and I ran the ping command by name and it returns the correct IP address with a good ping.

                    • 7. Re: SRM 8.2 virtual appliance wont take certificate.
                      ashilkrishnan Hot Shot
                      VMware Employees

                      Is it possible for you to share SRM config logs from /var/log/vmware/drconfig ?

                      • 8. Re: SRM 8.2 virtual appliance wont take certificate.
                        cypherx Hot Shot

                        I have a case open and I exported the log bundle for them.  That drconfig log file is almost 7 megs.  Quite a bit to sanitize.  Let me see what support comes up with.