VMware Cloud Community
cdhunter
Enthusiast

Certificate Automation Tool Issue

Hi,


I am experiencing issues when using the Automation Tool (ESXi 5.1 Update 1).

When following the step-by-step process:

1. Update the Single Sign-On SSL Certificate

Once this certificate is updated we find we can no longer log into the MOB. However, we continue onto the next steps regardless:

2. Update Inventory Service trust to Single Sign-On

3. Update the Inventory Service SSL Certificate

4. Update vCenter Server trust to Single Sign-On

Then at step 5 it fails: Update the vCenter Server SSL Certificate

The errors are:

    HTTP ERROR:  Unable to read or open Page
    HTTP ERROR:  401 Basic Auth Error

We are 100% sure the passwords are correct (unless these are being changed by something else in this process?) and all of our certificates look OK.

vNEX
Expert

Hi,

MOB should be enabled for the SSL Tool to work; see the known issues in the KB below:

VMware KB: Deploying and using the SSL Certificate Automation Tool 1.0.x

  • If the Managed Object Browser of the vCenter Server has been disabled per the VMware vSphere Hardening Guide, this causes the vCenter Server SSL Certificate Update process to fail.

    While upgrading, the Automation Tool reports the error:

    [Tue 01/28/2014 - 11:07:13.83]: Validating the input parameters... 
    STATE : 4 RUNNING 
    HTTPError: Unable to open or read page. 
    HTTP Error 503: Service Unavailable 
    [Tue 01/28/2014 - 11:07:14.77]: "Cannot log in to vCenter." 
    [Tue 01/28/2014 - 11:07:14.78]: The vCenter certificate update failed.


    To resolve this issue, see vCenter Server Managed Object Browser (MOB) reports a 503 Service Unavailable error (2042554).

Regards,

P.

sjmeyers
Contributor

Hi,

I had exactly the same issue on 5.5.

I'm not exactly sure what the problem was, but after I did the below it worked fine...

Reverted to a snapshot I had taken on VC server after I had generated and modified the certs but before I had updated the certs.

Or you could roll back using Cert Tool?

Domain service account for VC server and SQL and the administrator@vsphere.local had exclamation marks in the passwords.

I changed passwords to remove this.

The domain service account was local admin on the VC server but I hadn't given permissions for this account in vCenter.

I added the domain service account as an Administrator under Single Sign On in the web client.

I added the domain service account as an Administrator to the vCenter Server in the web client.

After that updating of all the certs ran smoothly.

Hope this helps?

Cheers,

Steve

vbalogh
Contributor

@sjmeyers thanks, this has solved my issue. To make it short, I've seen the same "HTTP Error 401: basic auth failed" error for any attempt to replace various certificates for the components, e.g.:

    ---------- C:\PROGRAMDATA\VMWARE\VMWARE VIRTUALCENTER\VPXD.CFG
    [Wed 07/05/2017 - 15:41:58.90]: Validating the input parameters...
            STATE              : 4  RUNNING
    HTTPError: Unable to open or read page.
    HTTP Error 401: basic auth failed
    [Wed 07/05/2017 - 15:42:27.08]: "Cannot log in to vCenter."
    [Wed 07/05/2017 - 15:42:27.09]: The vCenter certificate update failed.

The solution was to add vsphere administrator rights for the local Windows user the vCenter service is running with.
