VMware vSphere

Hi All,

I hope someone may be able to help with a few issues I have with replacing the default SSL on a vCenter 5 u1 server.

I had one of my colleagues generate an SSL certificate using IIS7, we then processed the CSR with Thawte, and we purchased an SS123 cert from Thawte which is just a domain validation SSL.

We exported the SSL with the private key into a PFX format; I used OpenSSL to obtain the rui.key and rui.crt and copied them along with the rui.pfx to the necessary locations on the vCenter server. I followed all the steps documented http://pubs.vmware.com/vsphere-50/topic/com.vmware.vsphere.solutions.doc_50/GUID-37AAEDFE-EF2E-45FC-B0C6-44841E4FB302.html and other sites like WoodITwork.com

After completing all the steps, I browse the vCenter URL https://vc_url.com and I still get a certificate warning, I check the certificate from browser and can see the SSL has been installed but I get the error “This certificate cannot be verified up to a trusted certification authority”

I then login to vCenter via the vSphere client and gets a certificate warning, strange warning:

vc.voclients.local is actually the local domain FQDN of the vCenter. The error received is that its untrusted and it also states that The certificate received from “vc.voclients.local” was issued for “” which as you can see from that attachment is blank.

I used the online Thawte SSL Checker, the status stated invalid chain with the following error: “The intermediate CA certificates cannot be found for the following certificate chain.”

I have another concern and I’m not sure if this has ever been brought up before but the documentation states to use the password on the PFX file of “testpassword” now if one were to gain unauthorised access to a vCenter server they could steal the PFX and knowing the password.

Just as a side note I successfully got the SSL to work a few years ago on vCenter 2.5 using the same method, I really wish VMware provided a tool to perform such SSL tasks, it has become very complicated now with having to change 3 or 4 different places. I have attached some images of the errors which may shed some light on the issue.

Any suggestions are welcomed

Hi,

I don't see how this is a vCenter problem. Everything tells you the certificate is broken. I would suggest to recreate it.

Regards

Thanks for the suggestion, that did cross my mind, however the certificate worked fine on IIS, I have now sent through a request to Thawte to revoke the certificate. I think I will now generate the CSR using OpenSSL hopefully that helps.

What I would like to know is has someone successfully replaced the vCenter 5 SSL with one of a pubic SSL purchased from a CA? If So do mind sharing your success and where and what type of SSL you purchased. And I mentioned earlier I purchase a Thawte DV SSL certificate which is only domain validation only, I understand Thawte recently updated all their ROOT CAs, I did by the way update it on the server but still no success.

How can the certificate work fine in IIS if it fails the Thawte certificate check? Strange :smileywink:

My vCenter 5 runs with a DV SSL certificate as well. Since I work for an university we get our certificates signed by the german research network with the german telekom as CA. Worked fine with the documentation you mentioned in your first post.

Regards

Hi Tim, we generated the CSR from a different Windows 2008 server, we installed the SSL and tested it on that server, it seemed to be working fine, although I didn't check it with the SSL checker so not 100% sure, we then exported that into a PFX for the vCenter server and haven't had much success. Do you mind sharing with me how you generated the CSR for your Thawte DV SSL? Thanks for your comments.

Sent from my iPhone

Hi,

I used openssl on a linux server to generate them. Like "openssl req -newkey rsa:2048 -out cert.pem -keyout sec-key.pem -sub '/C=DE/O=......'

Regards

Thanks Tim, appreciate your help.

Sent from my iPhone

Hi Tim, Sorry to bother you, but I have been unsuccessful at replacing my certificate, I have follwoed all the step and and strangely enought my certificate appears just fine and fully trusted with the entire chain if go to https://<myvcenter>:8443 which is the default Tomcat page, so I know the SSL is ok and working, just vCenter doesn't load the chain. Anyway you say you have succesfully replaced your with a Thawte DV SSL on vCenter 5, I have an open SR with VMware they cannot work it out either. I have seen a lot of documentation saying the the opnssl.cnf or cfg file needs to be modified. I would like to know did you need to do this to get your SSL to work?

Hi Nicholas,

you missunderstood me. I didn't use a Thawte certificate. My ceritificates are signed with the German Telekom Root CA 2. But it also just verifies the domain name only, like your cert.

I didn't modify the openssl.cnf since I gave all needed parameters to the program on the command line. If you call openssl without those options, the openssl.cnf is used.

After my certificate request was signed I created the rui.crt, rui.key and rui.pfx out of the .pem certificate and key I got and copied it to C:\ProgramData\VMware\VMware VirtualCenter.

Then I went to http://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and clicked "reloadSslCertificat"e and then "invoke Method" on the popup. After restarting the VMware vCenter Management Webservices, my new certificate was shown when going to https://vcenter-FQDN

Regards,

Tim

Hi Tim,

Thanks for the fast response, I ran the following to generate the CSR

openssl req -new -newkey rsa:2048 -nodes -keyout rui.key -out rui.csr -nodes

After receiving the signed certificate I ran the following command

openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile CACert.crt -name rui -passout pass:testpassword -out rui.pfx

May I ask when you created the PFX file using the command above, did you need to inlcude Intermediate certificate using the -certfile switch in your command?

I beleive this is required, if you need to update the Intermediate certificate chain.

Nicholas wrote:

I ran the following to generate the CSR

openssl req -new -newkey rsa:2048 -nodes -keyout rui.key -out rui.csr -nodes

So you must have configured your req-section in the openssl.cnf, right? Otherwise the certificate wouldn't have a CommonName.

Im almost sure i didn't use the -certfile switch when creating the pfx. Did it months ago and my documentation somethings sucks, so not 100% sure :smileywink:

Regards

Hi Tim,

Still no joy for me, I actually researched this issue and it turns out there are others out there experiencing the same issue, vCenter just does not load the entire certificate chain for commercial SSL certificates, however the Tomcat Web UI on port 8443 does load the certificate chain correctly, therefore fully trusting the SSL providing you inserted the Intermediate CA into the PFX file. Clients would have to pre-trust the certificate to avoid the certificate error. thus defeating the purpose or replacing it with a commercially signed SSL. I also have a VMware SR open, they have replicated the issue in their lab, so now VMware support acknowledge that there is an issue with it as well.

I know you did this while ago but are you certain you and or the clients haven't pre-trusted the SSL you installed? If you vCenter is open to the public you can try an SSL checker like https://ssl-tools.verisign.com just type in  <Your VC URL> to make sure there are not any SSL chain errors.

You see I think the issue hasn't blown out because most people probable generate self-signed and then have clients pre-trusting the SSL, If you read this you will see VMware recommend commercially signed SSL's http://www.vmware.com/files/pdf/techpaper//vsp_41_vcserver_certificates.pdf

Page 2 - "Certificates signed by a commercial certificate authority, such as Entrust or Verisign, are pre‐trusted on the

Windows operating system."

Page 6 - "VMware recommends that you replace default certificates with those signed by a commercial certificate

authority."

Anyway thanks again for your time.

Hi Nicholas,

just wanted to say that we have the same issue here. We use a wildcard certificate by Alphassl (Globalsign) and the chain is complete when you open the URL to vcenter in the browser (Port 443 and 8443), the chain is not complete when you open the vsphere client.

I tried different things (crt, intermediate-crt and root-crt in one file, adding intermediate to certificate store with mmc on server) and the pfx was created with the intermediate-crt included (I think the pfx certificate is used when you open vsphere client?).

Is this a confirmed issue with VMware? I suppose you might run into problems when upgrading to view 5.1 since the documentation says you must use a trusted certificate.

Hi  nicholas1982,

Could you share the SR# as I'm having the same trouble and it would be good if I can reference an existing SR# when I talk to VMware about my issue using a Thawte cert.

Thanks

If others are running into this problem and you submit a support request with vmware you can reference the service request number I have open with them about this issue.  It is 12189702006.  Perhaps if they get more service requests they will work on fixing this issue more quickly.

OK guys, VMware have acknowledge that it is a bug in this version of vCenter, they tell me it will be be fixed in the next release. Although I do agree if they get more requests to fix this they may respond faster. Please keep us all informed, I would like to hear of the outcome.

Hi Nicholas,

Could you please post the SR number?  Right now I can't get the support people to even acknowledge there is a problem or bug in vCenter and they keep on running me around asking questions about how the certificate was made and such.  Even though the screenshots showing the issue between what is presented correctly by tomcat and what vCenter isn't doing clearly shows the problem.  So, if I could reference another SR that would really help.

Hi All,

Since VMware support struggle to communicate these serous issues amongst themselves here is the SR.

SR #12173818605

Good luck to everyone perusing this, it took me about 10 hours on the phone to VMware support to finally get them to acknowledge there was a bug, I do have an email from them advising their development team had the same issue and that it will be fixed in the next release.

I am also having this issue.

Do you know if VMware have fixed this in their 5.0 U1b release?

Thanks