1 Reply Latest reply on Oct 5, 2020 3:25 AM by jburen

    Unable to replace SSL certificate

    jburen Hot Shot
    vExpert

      I installed vRealize Operations Manager 8.1 and tried to change the SSL certificate. I worked through VMware Knowledge Base but when I select the PEM file I get an error: Operation Failed. If the error persists contact VMware support.

       

      I checked the PEM file with openssl and everything seems ok. In the casa.log I see this:

       

      2020-10-05T12:01:54,157 [ee0005E1] [ajp-nio-127.0.0.1-8011-exec-6] INFO support.subprocess.GeneralCommand support.subprocess.GeneralCommand:255 - Command '/usr/lib/vmware-python-3/bin/python /usr/lib/vmware-casa/bin/vropsCertificateTool.py -i /storage/db/tmp/uploaded_cert.tmp --no_describe --json --level NONE' threw exception: CommandLineExitException: key=general.failure; args=1,Traceback (most recent call last):

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 470, in _parse

        self._parsed_object = Certificate(self.pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 167, in __init__

        self._certificate_data = self.load_certificate(self._pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 299, in load_certificate

        return OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem_data)

        File "/usr/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1825, in load_certificate

        _raise_current_error()

        File "/usr/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue

        raise exception_type(errors)

      OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]

       

      During handling of the above exception, another exception occurred:

       

      Traceback (most recent call last):

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1583, in <module>

        sys.exit(main(sys.argv))

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1531, in main

        certificate_file = CertificateFile(input_files, fix=options.get('fix'))

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 632, in __init__

        self._parse_file(source_file)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 756, in _parse_file

        self._parse_buffer(f)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 713, in _parse_buffer

        section = Section(description, current_section, self._fixing)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 412, in __init__

        self._parse(fixing)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 474, in _parse

        cert_store = CertificateStore(self.pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 550, in __init__

        self._parse(pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 562, in _parse

        result = run_script([get_openssl_command(), 'pkcs7', '-print_certs'], stdin=pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1275, in run_script

        (process_stdout, process_stderr) = process_pipe.communicate(stdin)

        File "/usr/lib/python3.7/subprocess.py", line 964, in communicate

        stdout, stderr = self._communicate(input, endtime, timeout)

        File "/usr/lib/python3.7/subprocess.py", line 1695, in _communicate

        input_view = memoryview(self._input)

      TypeError: memoryview: a bytes-like object is required, not 'str'

      ; cause=

      2020-10-05T12:01:54,158 [ee0005E1] [ajp-nio-127.0.0.1-8011-exec-6] ERROR casa.security.SecurityService casa.security.SecurityService:1395 - Unexpected error during validateCertificate script execution: Traceback (most recent call last):

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 470, in _parse

        self._parsed_object = Certificate(self.pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 167, in __init__

        self._certificate_data = self.load_certificate(self._pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 299, in load_certificate

        return OpenSSL.crypto.load_certificate(OpenSSL.crypto.FILETYPE_PEM, pem_data)

        File "/usr/lib/python3.7/site-packages/OpenSSL/crypto.py", line 1825, in load_certificate

        _raise_current_error()

        File "/usr/lib/python3.7/site-packages/OpenSSL/_util.py", line 54, in exception_from_error_queue

        raise exception_type(errors)

      OpenSSL.crypto.Error: [('asn1 encoding routines', 'ASN1_CHECK_TLEN', 'wrong tag'), ('asn1 encoding routines', 'ASN1_ITEM_EX_D2I', 'nested asn1 error'), ('asn1 encoding routines', 'ASN1_TEMPLATE_NOEXP_D2I', 'nested asn1 error'), ('PEM routines', 'PEM_ASN1_read_bio', 'ASN1 lib')]

       

      During handling of the above exception, another exception occurred:

       

      Traceback (most recent call last):

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1583, in <module>

        sys.exit(main(sys.argv))

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1531, in main

        certificate_file = CertificateFile(input_files, fix=options.get('fix'))

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 632, in __init__

        self._parse_file(source_file)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 756, in _parse_file

        self._parse_buffer(f)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 713, in _parse_buffer

        section = Section(description, current_section, self._fixing)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 412, in __init__

        self._parse(fixing)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 474, in _parse

        cert_store = CertificateStore(self.pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 550, in __init__

        self._parse(pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 562, in _parse

        result = run_script([get_openssl_command(), 'pkcs7', '-print_certs'], stdin=pem_data)

        File "/usr/lib/vmware-casa/bin/vropsCertificateTool.py", line 1275, in run_script

        (process_stdout, process_stderr) = process_pipe.communicate(stdin)

        File "/usr/lib/python3.7/subprocess.py", line 964, in communicate

        stdout, stderr = self._communicate(input, endtime, timeout)

        File "/usr/lib/python3.7/subprocess.py", line 1695, in _communicate

        input_view = memoryview(self._input)

      TypeError: memoryview: a bytes-like object is required, not 'str'

       

      I think the file is uploaded and checked but then something goes wrong. I already checked the order of the certificates in the PEM file (Certificate, Private Key, CA Certificate).

        • 1. Re: Unable to replace SSL certificate
          jburen Hot Shot
          vExpert

          I searched for "nested asn1 error" and double-checked the certificate from my CA. The reason for the error was that I used a PKCS7 root CA certificate instead of a Base-64 encoded certificate. When you open both in Notepad they look the same but they are not... After replacing the CA certificate I was able to load the PEM file and replace the SSL certificate.
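
An added example, not part of the original post and not VMware's tool: a pre-upload check that decodes every PEM block in a bundle and looks at the first DER element to tell an X.509 certificate from a PKCS#7 container, the mix-up that produced the 'wrong tag' error above. The function names are hypothetical, the sample blocks are constructed structural stubs rather than real certificates, and it assumes the PKCS#7 data sat under a CERTIFICATE label.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# DER encoding of the PKCS#7 signedData OID 1.2.840.113549.1.7.2
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")


def inner_kind(der):
    """Classify a DER blob by the first element inside its outer SEQUENCE."""
    if len(der) < 3 or der[0] != 0x30:
        return "not-der-sequence"
    # Short-form length is 1 byte; long form is 0x80|n followed by n bytes.
    off = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    if off >= len(der):
        return "truncated"
    if der[off] == 0x30:          # Certificate starts with tbsCertificate SEQUENCE
        return "x509"
    if der[off:off + len(SIGNED_DATA_OID)] == SIGNED_DATA_OID:
        return "pkcs7"            # ContentInfo starts with a contentType OID
    if der[off] == 0x02:          # PKCS#1 / PKCS#8 keys start with a version INTEGER
        return "key"
    return "unknown"


def audit_bundle(pem_text):
    """Return (label, detected kind, label matches content) per PEM block."""
    results = []
    for label, body in PEM_BLOCK.findall(pem_text):
        kind = inner_kind(base64.b64decode(body))
        expected = {"CERTIFICATE": "x509", "PKCS7": "pkcs7"}.get(label, "key")
        results.append((label, kind, kind == expected))
    return results


def _pem(label, der):
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"


# Constructed structural stubs (not real certificates or keys), in the order
# used in the post: certificate, private key, CA certificate.
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", bytes.fromhex("30023000"))
    + _pem("PRIVATE KEY", bytes.fromhex("3003020100"))
    + _pem("CERTIFICATE", bytes.fromhex("300b") + SIGNED_DATA_OID))

if __name__ == "__main__":
    for row in audit_bundle(SAMPLE_BUNDLE):
        print(row)
```

A block reported as pkcs7 under a CERTIFICATE label is the one to re-export from the CA as a single Base-64 X.509 certificate before building the bundle.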