topic Re: SSL Certificate Error vCenter 8 in vCenter™ Server Discussions

SSL Certificate Error vCenter 8

AHMNco — Sun, 16 Oct 2022 22:27:18 GMT

Hi Everyone, the surprisingly new version of vCenter does not work with my current SSL from vCenter 7

here are the errors:

1. When trying to insert Sectigo 1yr (Error occurred while fetching tls: Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate)

2. When trying to insert Let's Encrypt (Error occurred while fetching tls: the trustAnchors parameter must be non-empty)

3. When trying to SSL.com 90-days (Error occurred while fetching tls: 0)

4. When trying to insert wildcard not work as well (Wildcard SSL working well with ESXi but not working with Center)

================

I tried to re-issue, I changed the SSL provider, I read every article, and none of them is working

since I was at vCenter 7 all of them except Let's Encrypt working fine

but now none of them working

please give me a solution, appreciate it

Best Regards

Re: SSL Certificate Error vCenter 8

chall32 — Tue, 18 Oct 2022 14:42:56 GMT

Confirmed. vCenter 8.0, I'm seeing same error:

Error occurred while fetching tls:0

when trying to replace machine certificate with certificate genrated using a CSR generated by vCenter itself.

Re: SSL Certificate Error vCenter 8

AHMNco — Sun, 23 Oct 2022 23:59:09 GMT

After thousand years nobody even replied, where are the VMware Experts????

Re: SSL Certificate Error vCenter 8

maksym007 — Tue, 25 Oct 2022 13:37:36 GMT

I will not be so original and will say to generate a new certificate and to check a certificate template for vCenter7

Highly possible that maybe changes are needed

Re: SSL Certificate Error vCenter 8

chall32 — Tue, 25 Oct 2022 13:46:22 GMT

The problem is not with the certificate, it is with the application of the newly generated certificate into vCenter 8.

Re: SSL Certificate Error vCenter 8

AHMNco — Wed, 26 Oct 2022 01:03:06 GMT

so where is the resolution?

where are the VMWare experts??

is nobody gonna come and answer this problem?

Re: SSL Certificate Error vCenter 8

lasersword — Wed, 26 Oct 2022 07:47:48 GMT

same problem!

Re: SSL Certificate Error vCenter 8

Tokiha — Wed, 26 Oct 2022 08:25:49 GMT

Same problem and Auto Gen Certificate is Sha256 with rsa:3084 and my certs with Sectigo Sha384 with rsa:8192

Re: SSL Certificate Error vCenter 8

tim427 — Wed, 26 Oct 2022 13:20:32 GMT

Same problem; tried "ecdsa-with-SHA256 + id-ecPublicKey (384 bit)" and "sha384WithRSAEncryption + rsaEncryption (2048 bit)", both without luck.

Default certificate is: "sha256WithRSAEncryption + rsaEncryption (2048 bit)"...

Re: SSL Certificate Error vCenter 8

AHMNco — Sun, 30 Oct 2022 01:26:30 GMT

It seems none of the VMWare Experts care about our problem!!!!!

Re: SSL Certificate Error vCenter 8

BrianCunnie — Fri, 04 Nov 2022 15:32:35 GMT

This is what I had to do to fix it for my Sectigo/Comodo certificate:

edit the .ca-bundle
replace the bad PEM with the good PEM (see attached files)

Longer story: the bad & good certificates have the same key (their RSA Modulus is the same) and the same CN ("USERTrust RSA Certification Authority"), so they can be interchanged, but the bad PEM has been cross-signed (issued) by the old, bad "AAA Certificate Services" (which is self-signed with the weak SHA1 algorithm). The good cert is self-signed with the strong SHA-384 algorithm.

If you feel uncomfortable downloading the cert from a forum (and you should feel uncomfortable), you can view the details of the good certificate here: https://crt.sh/?id=1199354

And you can download a copy of the PEM here: https://crt.sh/?d=1199354

Re: SSL Certificate Error vCenter 8

AHMNco — Mon, 31 Oct 2022 16:31:31 GMT

No, not working

Re: SSL Certificate Error vCenter 8

ASMITH_77 — Mon, 31 Oct 2022 17:17:50 GMT

I had similar issues and in my case it was due to the path to root certificated being incomplete. Also make sure that any cert in path is at least above sha 1 as version 8 rejects any sha 1 cert. Another approach i took was to delete all related trusted root certs to make sure there is no conflict's. That has t be done from CLI and a slight pain in ass.

Re: SSL Certificate Error vCenter 8

BrianCunnie — Thu, 03 Nov 2022 14:04:17 GMT

Hey @AHMNco :

FYI, I wrote a blog post describing how I was able to get past this error (use a different cert in the CA Bundle). You may want to skip to the Troubleshooting section.

Re: SSL Certificate Error vCenter 8

chall32 — Thu, 03 Nov 2022 16:06:41 GMT

OK good to see some have got it working using public certs. I'm still struggling to replace the machine cert with a cert generated by an internal CA.

acursory look through the logs in /var/log/vmware/certificatemanagement and /var/log/vmware/certificateauthority isn't providing much help either!

Re: SSL Certificate Error vCenter 8

chall32 — Thu, 03 Nov 2022 16:22:14 GMT

Found the error in /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:

[2022-11-03T15:31:03.619Z] [ERROR] http-nio-5090-exec-4 com.vmware.vise.mvc.exception.GlobalExceptionHandler Exception handled while processing request for /ui/certificate-ui/ctrl/certificates/tls: com.vmware.vapi.std.errors.Error: Error (com.vmware.vapi.std.errors.error) => { messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => { id = com.vmware.certificatemanagement.error, defaultMessage = Exception found (0), args = [0], params = <null>, localized = <null> }], data = <null>, errorType = ERROR }

Full error attached.

Re: SSL Certificate Error vCenter 8

BAUERAG — Mon, 07 Nov 2022 17:17:04 GMT

Problem also exists when configuring vCenter login with OpenID Connect in Azure. To access login.microsoft.com, both CA certs from Digicert are needed, but "DigiCert Global Root CA" use "SHA-1 with RSA Encryption" signature algorithm. Importing fails, means also configuring OIDC fails.

It's not that VMware supports 100s of different IDPs. The only one is ADFS and using Microsofts cloud service isn't uncommon.

When checking login.microsoft.com with ssllabs.com, they wrote about the Root CA from Digicert: Weak or insecure signature, but no impact on root certificate

VMware, please fix it. Thanks.

Re: SSL Certificate Error vCenter 8

donaldsteele — Tue, 08 Nov 2022 17:24:08 GMT

Same issue here. Reverting back to vCenter 7....

Re: SSL Certificate Error vCenter 8

Anil0210 — Wed, 09 Nov 2022 16:43:52 GMT

vSphere 8.0 (vCenter Server and ESXi ) do not support certificate with weak signature algorithms, such as sha1WithRSAEncryption.

Just check if the certificate you are using is with weak signature algorithms. Check the below KB for more details.

https://kb.vmware.com/s/article/89424

Re: SSL Certificate Error vCenter 8

obsidianindy — Thu, 05 Jan 2023 00:37:26 GMT

Hey @BrianCunnie I followed your instructions from your blog post, even purchasing the exact certificate you purchased and attempted this with vCenter 8.

First, I created via

CN=vcenter-80.nono.io # "CN" is the abbreviation for "Common Name" openssl genrsa -out $CN.key 3072 openssl req \ -new \ -key $CN.key \ -out $CN.csr \ -sha256 \ -subj "/C=US/ST=California/L=San Francisco/O=nono.io/OU=homelab/CN=${CN}/emailAddress=brian.cunnie@gmail.com" \ -config <(cat <<EOF [ req ] distinguished_name = req_distinguished_name req_extensions = req_ext [ req_distinguished_name ] [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = ${CN} EOF )

(obviously, I changed the values).

I then requested a certificate from SSls.com, and we purchased their least-expensive offering, the PositiveSSL 1 domain Comodo SSL.

(using the same disclaimer):

[We do not endorse either SSLs.com or Sectigo (formerly Comodo); We encourage you to use the reseller and the Certificate Authority (CA) with which you are most comfortable].

They then provided me with the two files. vcenter.domain.co.crt and vcenter_domain_co.ca-bundle

Then we followed the instructions from your blog post:

- On your vCenter, navigate to Menu → Administration → Certificates → Certificate Management
- On the __MACHINE_CERT tile, click Actions, select Import and Replace Certificate.
- Select Replace with external CA certificate(requires private key).
  - Machine SSL Certificate: click Browse File and select vcenter.domain.crt
  - Chain of trusted root certificates: click Browse File and select vcenter_domain_co.ca-bundle
  - Private Key: click Browse File and select vcenter_domain_co.ca-bundle
- Click Replace.
After doing this, vCenter reports: "Error occurred while fetching tls: Invalid input, not a valid PEM formatted Primary Key"

I've been beating my head all day with this. vCenter logs aren't much of a help. Did you have to do anything else, or am I just missing a step?