VMware vSphere

  • 1.  Certificate Automation Tool Issue

    Posted May 01, 2014 03:34 PM

    Hi,


    I am experiencing issues when using the Automation Tool (ESXi 5.1 Update 1).

    When following the step-by-step process:

    1. Update the Single-Sign on SSL Certificate

    Once this certificate is updated we find we can no longer log into the MOB. However, we continue onto the next steps regardless:

    2.  Update Inventory Service trust to Single Sign-On

    3.  Update the Inventory Service SSL Certificate

    4.  Update vCenter Server trust to Single Sign-On

    Then at step 5 it fails:   Update the vCenter Server SSL Certificate

    The errors are:

    HTTP ERROR:  Unable to read or open Page
    HTTP ERROR:  401 Basic Auth Error

    We are 100% sure the passwords are correct (unless these are being changed by something else in this process?) and all of our certificates look ok.



  • 2.  RE: Certificate Automation Tool Issue

    Posted May 01, 2014 05:48 PM

    Hi,

    MOB should be enabled for the SSL Tool to work; see the known issues in the KB below:

    VMware KB: Deploying and using the SSL Certificate Automation Tool 1.0.x

    • If the Managed Object Browser of the vCenter Server has been disabled per the VMware vSphere Hardening Guide, this causes the vCenter Server SSL Certificate Update process to fail.

      While upgrading, the Automation Tool reports the error:

      [Tue 01/28/2014 - 11:07:13.83]: Validating the input parameters... 
      STATE : 4 RUNNING 
      HTTPError: Unable to open or read page. 
      HTTP Error 503: Service Unavailable 
      [Tue 01/28/2014 - 11:07:14.77]: "Cannot log in to vCenter." 
      [Tue 01/28/2014 - 11:07:14.78]: The vCenter certificate update failed.


      To resolve this issue, see vCenter Server Managed Object Browser (MOB) reports a 503 Service Unavailable error (2042554).

    Regards,

    P.



  • 3.  RE: Certificate Automation Tool Issue

    Posted May 14, 2014 06:02 AM

    Hi,

    I had exactly the same issue on 5.5.

    I'm not exactly sure what the problem was, but after I did the below it worked fine...

    Reverted to a snapshot I had taken on VC server after I had generated and modified the certs but before I had updated the certs.

    Or you could roll back using Cert Tool?

    Domain service account for VC server and SQL and the administrator@vsphere.local had exclamation marks in the passwords.

    I changed passwords to remove this.

    The domain service account was local admin on the VC server but I hadn't given permissions for this account in vCenter.

    I added the domain service account as an Administrator under Single Sign On in the web client.

    I added the domain service account as an Administrator to the vCenter Server in the web client.

    After that updating of all the certs ran smoothly.

    Hope this helps?

    Cheers,

    Steve



  • 4.  RE: Certificate Automation Tool Issue

    Posted Jul 07, 2017 11:48 AM

    @sjmeyers thanks this has solved my issue. To make it short, I've seen the same "HTTP Error 401: basic auth failed" error for any attempts to replace various certificates for the components, e.g.:

    ---------- C:\PROGRAMDATA\VMWARE\VMWARE VIRTUALCENTER\VPXD.CFG

    [Wed 07/05/2017 - 15:41:58.90]: Validating the input parameters...
            STATE              : 4  RUNNING
    HTTPError: Unable to open or read page.
    HTTP Error 401: basic auth failed
    [Wed 07/05/2017 - 15:42:27.08]: "Cannot log in to vCenter."
    [Wed 07/05/2017 - 15:42:27.09]: The vCenter certificate update failed.

    The solution was to add vsphere administrator rights for the local Windows user the vCenter service is running with.