Secure access to VMware vCenter Server (VCSA) over HTTPS on VMware vSphere 6.7

  • VMware
  • VMware vCenter Server (VCSA), VMware vSphere
  • 25 October 2024 at 11:03 UTC
  • InformatiWeb
  • 6/7

13. Reset the machine SSL certificate (in case of problem)

When you replace the machine SSL certificate of your VMware vCenter Server (VCSA), you must then restart the server's services for the new SSL certificate to be used.
However, a problem may occur during this step, after which you can no longer access the web interface of your VMware vCenter Server (VCSA) and get this error:

Plain Text

[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server - An error occurred when processing the metadata during vCenter Single Sign-On setup - Failed to connect to VMware Lookup Service https://vcsa.informatiweb.lan:443/lookupservice/sdk - SSL certificate verification failed.

To resolve this problem, you need to reset your server's machine SSL certificate so that its web interface becomes reachable again.
To do this, connect via SSH to your VCSA server as "root".
Access the Linux BASH shell:

Bash

shell

Then, use the VCSA certificate manager:

Bash

/usr/lib/vmware-vmca/bin/certificate-manager

In the certificate manager that appears, choose option 3 to replace the machine SSL certificate with a certificate issued by the VMCA certification authority (which your VMware vCenter Server (VCSA) trusts by default).

Plain Text

Welcome to the vSphere 6.7 Certificate Manager
...
3. Replace Machine SSL certificate with VMCA Certificate
...
Option[1 to 8]: 3

Provide a user name authorized to manage certificates on your VCSA server (default: administrator@vsphere.local).
Note: simply press Enter to use the default choice.

Then provide its password.

Plain Text

Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:

Leave all the default values, except the last 2:

  • Hostname: provide the fully qualified domain name (FQDN) of your VCSA server so that the certificate is valid for it.
  • VMCA name: CA (the name "CA" is the name used by default by the "VMCA" certification authority on VCSA).

Next, confirm the replacement of the machine SSL certificate by answering "y" to the question:

Plain Text

You are going to regenerate Machine SSL cert using VMCA.
Continue operation : Option[Y/N] ? : y

Once the whole process is complete, you will see this at the end:

Plain Text

Updated 30 service(s).
Status : 100% Completed [All tasks completed successfully] 

Now, try to re-access the web interface of your VCSA server: a warning about the SSL certificate used will appear.
Ignore this warning.

The warning displayed is "SEC_ERROR_UNKNOWN_ISSUER": the issuer of the SSL certificate is unknown to your browser.
In this case, the issuer is VMCA, which is a certification authority recognized by your VCSA server but not by your computer.

Once the warning is ignored, you will have access to the "VMware vSphere" login page of your VCSA server.

Return to the menu and click: Administration -> Certificates -> Certificate Management.
On the "Certificate Management" page that is displayed, the certificate that was regenerated is the "__MACHINE_CERT" certificate (which protects access to the "VMware vSphere Client" web client).

As you can see, this "__MACHINE_CERT" certificate is again issued by "CA" (as is the case by default on VCSA).

If you look at the issuer information at the bottom of the page, you will see that the issuer is "CA" and that the Organizational Unit (OU) listed is "VMware Engineering", which corresponds to the default information of the VMCA certification authority present on your VCSA server.

14. VMware ESXi host SSL certificates considered invalid

Select one of the hosts linked to your VMware vCenter Server (VCSA) and go to: Configure -> System -> Certificate.
As you can see, the certificate is:

  • valid for the domain name of your VMware ESXi host, since that name is specified as the common name (CN) of the SSL certificate used.
    In our case: CN=esxi1.informatiweb.lan.
  • issued by the VMCA certification authority of your VCSA server. Your VCSA server therefore considers this certificate valid, since it comes from the VMCA authority, which it trusts by default.
    You can easily verify this by checking that the issuer's Organizational Unit (OU), Organization (O), and Common Name (CN) match your VMCA CA information, as shown in the previous image.

If you try to access the web interface of one of your VMware ESXi hosts, you will see that a security warning appears regarding the SSL certificate used.

As usual with certificates generated by your VCSA server's VMCA certificate authority, a warning is displayed because the issuer of the certificate is unknown to the browser, which corresponds to the error code SEC_ERROR_UNKNOWN_ISSUER.

If you click on the "View certificate" link, you will again see that:

  • This certificate is valid for the FQDN of your VMware ESXi host.
    Indeed, in our case, the common name indicated is: esxi1.informatiweb.lan
  • This certificate was issued by the VMCA certification authority.
    Hence the issuer common name: CA vsphere local.

Ignore the warning to access it.
As you might expect, your web browser will tell you that the connection is not secure since the certificate is from a certificate authority that it does not trust.
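The two checks made by hand in sections 13 and 14 (is the certificate's CN the expected FQDN, and is the issuer the default VMCA "CA" / "VMware Engineering" identity that browsers reject with SEC_ERROR_UNKNOWN_ISSUER) can be scripted. This is an added example, not code from the tutorial or from VMware; it assumes openssl is installed on the machine running it, and the hostnames and certificate names below are constructed to match the tutorial's lab.

```shell
#!/bin/sh
# Added example (not from the tutorial): read the subject/issuer of the
# certificate a VCSA or ESXi host presents on port 443 and report whether
# it is valid for the expected FQDN and whether it was issued by the
# default VMCA identity (issuer CN "CA", OU "VMware Engineering").
# Assumptions: openssl 1.1+ ("subject=CN = x, O = y" output format);
# hostnames are constructed for the example.

# Print the "subject=" and "issuer=" lines of the certificate served by $1.
fetch_cert_names() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer
}

# Extract attribute $2 (CN, OU, ...) from the "$1=" line of the names text $3.
dn_attr() (
    printf '%s\n' "$3" | sed -n "s/^$1=/, /p" |
        sed -n "s/.*[, ]$2 *= *\([^,]*\).*/\1/p"
)

# Verdict for the names text $1 against the expected FQDN $2:
# "fqdn-ok"|"fqdn-mismatch" followed by "vmca-default"|"other-issuer".
check_cert_names() (
    subject_cn=$(dn_attr subject CN "$1")
    issuer_cn=$(dn_attr issuer CN "$1")
    issuer_ou=$(dn_attr issuer OU "$1")
    if [ "$subject_cn" = "$2" ]; then fqdn=fqdn-ok; else fqdn=fqdn-mismatch; fi
    if [ "$issuer_cn" = "CA" ] && [ "$issuer_ou" = "VMware Engineering" ]; then
        issuer=vmca-default   # trusted by vCenter, not by the browser's store
    else
        issuer=other-issuer
    fi
    printf '%s %s\n' "$fqdn" "$issuer"
)

# Constructed sample, shaped like the ESXi host certificate of section 14.
SAMPLE_NAMES='subject=CN = esxi1.informatiweb.lan, C = US
issuer=CN = CA, DC = vsphere, DC = local, C = US, ST = California, O = vcsa.informatiweb.lan, OU = VMware Engineering'

# Live use: check_cert_names "$(fetch_cert_names esxi1.informatiweb.lan)" esxi1.informatiweb.lan
check_cert_names "$SAMPLE_NAMES" esxi1.informatiweb.lan
```

A "vmca-default" verdict means the certificate is the one VCSA regenerated (or the ESXi host received) from VMCA, which explains the browser warning; a "fqdn-mismatch" verdict means the hostname entered at the "Hostname" prompt of the certificate manager does not match the name you are connecting to.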

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.