Hi,
I have a "VCENTER" which was updated from 6.0U3 to 6.5U1 all right. Now I need to outsource the PSC to a new one which is already connected to an SSO domain. I fulfill the requirement that it be the same domain "vsphere.local" and the same SITE. The problem is that it does not try to do anything, since there is a problem with the certificate which I could not resolve.
root@vcenter [ ~ ]# cmsso-util reconfigure --repoint-psc psc-01.example.com --username Administrator --domain-name vsphere.local --passwd "example"
Validating Provided Configuration ...
Falied to open connection https://psc01.example.com:443/websso/ Error: <urlopen error [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661)>
Design:

Error when I try openssl; on my other vCenter I try the same and it works fine:
root@vcenter [ /usr/lib/vmware-vmafd/bin ]# openssl s_client -connect psc-01.example.com:443
CONNECTED(00000003)
depth=0 CN = psc-01.example.com, C = US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = psc-01.example.com, C = US
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=psc-01.example.com/C=US
i:/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc-01.example.com/OU=VMware Engineering
---
Server certificate
subject=/CN=psc-01.example.com/C=US
issuer=/CN=CA/DC=vsphere/DC=local/C=US/ST=California/O=psc-01.example.com/OU=VMware Engineering
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1469 bytes and written 433 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: B1BCCCAA8CF4244D1F84A751EF621AFF07730276988A6033DBF828D8B0C9F441A39B1FA64F8059E545BE0179918EA0B4
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1512420236
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)