When you attempt to replace your VMware vCenter Server's (VCSA) machine SSL certificate, you must then restart your server's services for this new SSL certificate to be used.
However, a problem can occur at this stage and leave you unable to access the web interface of your VMware vCenter Server (VCSA).
[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server - An error occurred when processing the metadata during vCenter Single Sign-On setup - Failed to connect to VMware Lookup Service https://vcsa.informatiweb.lan:443/lookupservice/sdk - SSL certificate verification failed.
To resolve this problem, you will need to reset your server's machine SSL certificate to be able to re-access its web interface.
To do this, connect via SSH to your VCSA server as "root".
Access the BASH Linux shell:
shell
Then, use the VCSA certificate manager:
/usr/lib/vmware-vmca/bin/certificate-manager
In the certificate manager that appears, choose option 3 to replace the machine SSL certificate with a certificate that will be issued by the VMCA certification authority (which is trusted by default on your VMware vCenter Server (VCSA)).
Welcome to the vSphere 6.7 Certificate Manager
...
3. Replace Machine SSL certificate with VMCA Certificate
...
Option[1 to 8]: 3
Provide a user name authorized to manage certificates on your VCSA server (default: administrator@vsphere.local).
Note: simply press Enter to use the default choice.
Then provide its password.
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
Leave all the default values, except the last 2:
Next, confirm the replacement of the machine SSL certificate by answering "y" to the question:
You are going to regenerate Machine SSL cert using VMCA.
Continue operation : Option[Y/N] ? : y
Once the whole process is complete, you will see this at the end:
Updated 30 service(s).
Status : 100% Completed [All tasks completed successfully]
Now, try to re-access the web interface of your VCSA server and a warning will appear regarding the SSL certificate used.
Ignore this warning.
The warning that appears is "SEC_ERROR_UNKNOWN_ISSUER": the issuer of the SSL certificate used is unknown.
In this case, the issuer is VMCA, a certification authority that is recognized by your VCSA server but not by your computer.
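Because the browser cannot validate a VMCA-issued certificate, the only way to know that the certificate behind the warning is the one just regenerated is to compare fingerprints. The Python code below is an added example, not part of the original tutorial: it compares the SHA-256 fingerprint of the certificate presented on port 443 with a reference fingerprint read on the appliance over SSH. The function names and the vecs-cli command in the comment are assumptions, and the sample bytes are constructed.

```python
import hashlib
import hmac
import ssl

# Reference fingerprint: read it on the appliance itself over SSH, for example with
# (assumed standard VCSA tooling, not shown in the tutorial):
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT \
#       --alias __MACHINE_CERT | openssl x509 -noout -fingerprint -sha256


def sha256_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, formatted AA:BB:... as browsers and openssl print it."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _hex_only(fingerprint: str) -> str:
    # Drop an openssl-style "SHA256 Fingerprint=" label, then colons and spaces.
    value = fingerprint.split("=", 1)[-1]
    return "".join(c for c in value.lower() if c in "0123456789abcdef")


def fetch_presented_pem(host: str, port: int = 443) -> str:
    # No chain validation on purpose: the workstation does not trust VMCA, so the
    # fingerprint comparison below is the only identity check being made.
    return ssl.get_server_certificate((host, port))


def presented_matches_reference(presented_pem: str, reference_fp: str) -> bool:
    expected = _hex_only(reference_fp)
    if len(expected) != 64:
        raise ValueError("reference is not a SHA-256 fingerprint")
    actual = _hex_only(sha256_fingerprint(presented_pem))
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed stand-in bytes so the demo runs offline; not a real certificate.
    sample_pem = ssl.DER_cert_to_PEM_cert(b"constructed sample, not a real certificate")
    reference = "SHA256 Fingerprint=" + sha256_fingerprint(sample_pem)
    print(presented_matches_reference(sample_pem, reference))   # same certificate
    tampered = ssl.DER_cert_to_PEM_cert(b"constructed sample, different bytes")
    print(presented_matches_reference(tampered, reference))     # different certificate
    # Live use: presented_matches_reference(fetch_presented_pem("vcsa.informatiweb.lan"), fp)
```

The same comparison applies to the fingerprint shown in the browser's certificate viewer: paste it as `reference_fp` in any of the colon, space or openssl-labelled forms.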
Once the warning is ignored, you will have access to the "VMware vSphere" login page of your VCSA server.
Return to the menu and click: Administration -> Certificates -> Certificate Management.
On the "Certificate Management" page that is displayed, the certificate that was regenerated is the "__MACHINE_CERT" certificate (which protects access to the "VMware vSphere Client" web client).
As you can see, this "__MACHINE_CERT" certificate is again issued by "CA" (as is the case by default on VCSA).
If you look at the issuer information at the bottom of the page, you will see that the issuer is "CA" and the OU listed is "VMware Engineering", which corresponds to the default information of the VMCA certification authority present on your VCSA server.
Select one of the hosts linked to your VMware vCenter Server (VCSA) and go to: Configure -> System -> Certificate.
As you can see, the certificate is:
If you try to access the web interface of one of your VMware ESXi hosts, you will see that a security warning appears regarding the SSL certificate used.
As usual with certificates generated by your VCSA server's VMCA certificate authority, a warning is displayed because the issuer of the certificate is unknown, which corresponds to the error code SEC_ERROR_UNKNOWN_ISSUER.
If you click on the "View certificate" link, you will again see that:
Ignore the warning to access it.
As you might expect, your web browser will tell you that the connection is not secure since the certificate is from a certificate authority that it does not trust.
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.