VMware vSphere

  • 1.  How to install vCenter Server root certificates on Ubuntu

    Posted Aug 17, 2020 10:55 PM

    I am using Ubuntu GUI and Chrome browser to connect to vCenter.

    I see the error that my connection may not be private:

    Your connection is not private

    Attackers might be trying to steal your information from 192.168.2.123 (for example, passwords, messages or credit cards). Learn more

    NET::ERR_CERT_AUTHORITY_INVALID

    This article has no instructions on how to install certificates on Linux machines: VMware Knowledge Base
    I downloaded the vCenter certificates to Ubuntu.
    First I tried to move the certificate "dbad4059.0.crt" from the window folder to

    usr/local/share/ca-certificates/ and ran the command: sudo update-ca-certificates

    It did not work.

    After that, I moved the certificate from the lin folder to usr/local/share/ca-certificates/ and ran the command: sudo update-ca-certificates

    Also with no success.

    Please advise me what I should do to install vCenter certificates on an Ubuntu machine.

    Thank you.



  • 2.  RE: How to install vCenter Server root certificates on Ubuntu

    Posted Aug 18, 2020 06:05 AM

    Hey eksip2,

    Try this: https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate (It is similar to how you did it but also has some additional steps)

    And check in this file if the path has been reflected: /etc/ca-certificates.conf



  • 3.  RE: How to install vCenter Server root certificates on Ubuntu

    Posted Aug 22, 2020 12:19 PM

    Thank you Lalegre

    I tried the link but it did not work. I tried on my local Ubuntu, and on a virtual Ubuntu server (where I installed a GUI)

    Here are the commands I ran from

    https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

    root@lab1:/home/lab1/Downloads/download/certs/win# ls

    dbad4059.0.crt  dbad4059.r0.crl

    root@lab1:/home/lab1/Downloads/download/certs/win# cp dbad4059.0.crt /usr/share/ca-certificates/extra/

    root@lab1:/home/lab1/Downloads/download/certs/win# cd /usr/share/ca-certificates/extra

    root@lab1:/usr/share/ca-certificates/extra# ls

    dbad4059.0.crt

    root@lab1:/usr/share/ca-certificates/extra# sudo dpkg-reconfigure ca-certificates

    Updating certificates in /etc/ssl/certs...

    1 added, 0 removed; done.

    Processing triggers for ca-certificates (20190110ubuntu1.1) ...

    Updating certificates in /etc/ssl/certs...

    0 added, 0 removed; done.

    Running hooks in /etc/ca-certificates/update.d...

    done.

    root@lab1:/usr/share/ca-certificates/extra# update-ca-certificates

    Updating certificates in /etc/ssl/certs...

    0 added, 0 removed; done.

    Running hooks in /etc/ca-certificates/update.d...

    done.

    root@lab1:/usr/share/ca-certificates/extra#

    root@lab1:/usr/share/ca-certificates/extra# less /etc/ca-certificates.conf

    la/VeriSign_Universal_Root_Certification_Authority.crt

    mozilla/Verisign_Class_3_Public_Primary_Certification_Authority_-_G3.crt

    mozilla/XRamp_Global_CA_Root.crt

    mozilla/certSIGN_ROOT_CA.crt

    mozilla/ePKI_Root_Certification_Authority.crt

    mozilla/thawte_Primary_Root_CA.crt

    mozilla/thawte_Primary_Root_CA_-_G2.crt

    mozilla/thawte_Primary_Root_CA_-_G3.crt

    extra/dbad4059.0.crt   #this line indicates that the vCenter certificate was added to ca-certificates.conf

    as it was mentioned here https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

    #this is a lab environment and this is how the certificate looks

    root@lab1:/usr/share/ca-certificates/extra# cat dbad4059.0.crt

    root@lab1:/usr/share/ca-certificates/extra# less /etc/ca-certificates.conf



  • 4.  RE: How to install vCenter Server root certificates on Ubuntu

    Posted Aug 22, 2020 01:20 PM

    Hey eksip2,

    I would like to know something. Is this certificate a self-signed one or a custom CA one? From the download.zip, do you only get two files or more than those?

    Also, assuming from your extract that you are using Firefox for browsing vCenter Server: there is a known issue with this browser that can be fixed by following this procedure: https://ivobeerens.nl/2018/02/13/firefox-not-trusts-vcenter-ca-signed-certificates/

    Let us know how it goes!



  • 5.  RE: How to install vCenter Server root certificates on Ubuntu

    Posted Aug 24, 2020 08:25 AM

    Hello Lalegre,

    Thank you for your reply. I was able to install vCenter certificates on Firefox and in Firefox the connection is shown as secure now.

    Now I am trying to install vCenter certificates on Ubuntu to fix the security warning on Chrome as well.

    Your question: I would like to know something. Is this certificate a self-signed one or a custom CA one?

    I did not add any additional ssl certificates to vCenter. I am using certificates which can be exported from vCenter by default.

    The download.zip file has two files in each folder (win, lin, mac)

    Thanks for your help.



  • 6.  RE: How to install vCenter Server root certificates on Ubuntu

    Posted Aug 24, 2020 08:38 AM

    Hello eksip2,

    Quick question, does your self-signed certificate from vCenter contain the FQDN in the Subject Alternative Name? If it does not contain it, it will not be trusted by Chrome. This validation was applied in Chrome version 58.

    If you get the next error during the cert validation on Chrome then that is your issue: NET::ERR_CERT_COMMON_NAME_INVALID

    Of course you can bypass the validations of SSL, but this will be applied at browser level and you should not do that because it will be applied to all the sites.

    If you really want that, I would recommend you generate a new SSL Certificate (Custom or Self-Signed) but adding the SAN to it.
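
The Subject Alternative Name check raised in reply 6, as an added example that is not part of the thread: a shell function that decides whether the SAN text printed by `openssl x509 -ext subjectAltName` covers the name typed into the browser, which here is the IP 192.168.2.123 from the first post. The function name `san_covers`, the hostname `vcenter.lab.example` and the sample SAN text are constructed for illustration; only IPv4 literals are handled.

```shell
#!/bin/sh
# Added example (not from the thread). san_covers reads, on stdin, the text from
#   openssl x509 -in cert.pem -noout -ext subjectAltName     (OpenSSL 1.1.1+)
# and exits 0 only if TARGET (hostname or IPv4 literal) is listed in the SAN.
# The Subject CN is never consulted, mirroring the Chrome 58+ rule.
san_covers() {
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    kind='dns'
    if printf '%s\n' "$target" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
        kind='ip address'            # IP literals match only IP entries
    fi
    # One lower-cased, trimmed SAN entry per line.
    sans=$(tr ',' '\n' | tr 'A-Z' 'a-z' |
           sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    while IFS= read -r entry; do
        case $entry in
            "$kind:"*) value=${entry#"$kind:"} ;;
            *) continue ;;
        esac
        case $value in
            '*.'*)                   # wildcard covers one left-most label
                suffix=${value#'*'}
                case $target in *"$suffix") ;; *) continue ;; esac
                label=${target%"$suffix"}
                case $label in ''|*.*) continue ;; esac
                return 0 ;;
            "$target") return 0 ;;
        esac
    done <<EOF
$sans
EOF
    return 1
}

# Constructed samples of the openssl output; vcenter.lab.example is hypothetical.
SAN_FQDN_ONLY='X509v3 Subject Alternative Name:
    DNS:vcenter.lab.example'
SAN_FQDN_AND_IP='X509v3 Subject Alternative Name:
    DNS:vcenter.lab.example, IP Address:192.168.2.123'

for t in vcenter.lab.example 192.168.2.123; do
    if printf '%s\n' "$SAN_FQDN_ONLY" | san_covers "$t"
    then echo "FQDN-only cert, $t: covered"
    else echo "FQDN-only cert, $t: NOT covered"
    fi
done
```

Run it against the certificate the server actually presents (the machine SSL certificate), not the root CA file; a certificate that lists only the FQDN still fails when the browser is pointed at the IP address.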