VMware Aria Automation Tools

  • 1.  vRealize Automation: WAPI - untrusted certificate chain

    Posted Oct 05, 2017 09:49 AM

    Dear Everyone,

    I'm running into an issue with our vRealize Automation install (v7.3).

    On a minimum install, we had to replace the certificate on the iaas server.

    After registering all the endpoints, everything worked except for the following:

    2017-10-05 09:17:00,265 vcac: [component="cafe:event-broker" priority="INFO" thread="ebs-queue-pool-executer-3" tenant="" context="" parent="" token=""] com.vmware.vcac.eventlog.auditing.saveEvent:90 - Exception thrown for IaaS endpoint: https://iaas1/WAPI/  - Error Message: java.security.cert.CertificateException: Untrusted certificate chain.

    I tried to register:

    c:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe>Vcac-Config.exe RegisterEndpoint --EndpointAddress https://iaas1/WAPI --Endpoint wapi -v

    even with a rebuild of the trust:

    (Incorrect vRealize Automation Component Service Registrations)

    Or add the chain certificates to the java keystore.

    But nothing seems to work.

    As automation is completely unusable right now, any help would be appreciated.

    PS. On the appliance, all the services show registered except for:

    release-management

    com.vmware.csp.component.devops.release.management

    2017 Oct 5 11:15:15

    UNAVAILABLE

    But that was the case from the beginning. Furthermore, there are no more errors.

    Full Exception:

    2017-10-05 09:17:00,020 vcac: [component="cafe:iaas-proxy" priority="INFO" thread="tomcat-http--31" tenant="vsphere.local" context="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:51 - Default SSL Certificate: 261966366051175164202210355019191434353
    2017-10-05 09:17:00,020 vcac: [component="cafe:iaas-proxy" priority="WARN" thread="tomcat-http--31" tenant="vsphere.local" context="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:61 - Untrusted certificate chain:
    2017-10-05 09:17:00,020 vcac: [component="cafe:iaas-proxy" priority="WARN" thread="tomcat-http--31" tenant="vsphere.local" context="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:63 - Untrusted certificate with serial number: [275575002430767747207576006487004385936] and thumbprint: [B0:95:0A:40:F6:85:F3:0F:DB:DD:D8:BE:85:F7:62:10:71:44:60:69]
    2017-10-05 09:17:00,021 vcac: [component="cafe:iaas-proxy" priority="WARN" thread="tomcat-http--31" tenant="vsphere.local" context="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:63 - Untrusted certificate with serial number: [57397899145990363081023081275480378375] and thumbprint: [33:9C:DD:57:CF:D5:B1:41:16:9B:61:5F:F3:14:28:78:2D:1D:A6:39]
    2017-10-05 09:17:00,021 vcac: [component="cafe:iaas-proxy" priority="WARN" thread="tomcat-http--31" tenant="vsphere.local" context="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:63 - Untrusted certificate with serial number: [52374340215108295845375962883522092578] and thumbprint: [F5:AD:0B:CC:1A:D5:6C:D1:50:72:5B:1C:86:6C:30:AD:92:EF:21:B0]
    2017-10-05 09:17:00,021 vcac: [component="cafe:iaas-proxy" priority="ERROR" thread="tomcat-http--31" tenant="vsphere.local" context="FEzbf9fb" parent="FEzbf9fb" token="u9t8HGte"] com.vmware.vcac.iaas.gateway.impl.BaseGatewayImpl.mapIaasGatewayException:91 - Exception thrown for IaaS endpoint: https://iaas1/WAPI/ , message: java.security.cert.CertificateException: Untrusted certificate chain.
    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_131]
            at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[?:1.8.0_131]
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_131]
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_131]
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514) ~[?:1.8.0_131]
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[?:1.8.0_131]
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026) ~[?:1.8.0_131]
            at sun.security.ssl.Handshaker.process_record(Handshaker.java:961) ~[?:1.8.0_131]
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_131]
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_131]
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_131]
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_131]
            at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394) ~[httpclient-4.5.2.jar:4.5.2]



  • 2.  RE: vRealize Automation: WAPI - untrusted certificate chain

    Posted Oct 06, 2017 03:21 PM

    Try to replace the cert through the VAMI. As long as the management agent is checking in, you should be able to do so, and it'll reestablish the chain of trust. If it's still not working, describe the certificate type you're attempting to use.



  • 3.  RE: vRealize Automation: WAPI - untrusted certificate chain

    Posted Jan 23, 2018 04:56 PM

    Were you able to figure this out? I have the same issue.



  • 4.  RE: vRealize Automation: WAPI - untrusted certificate chain

    Posted Jan 24, 2018 03:51 AM

    You need the complete cert chain, in the following order:

    1. cert

    2. intermediate

    3. root
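
Added example, not part of any post in this thread and not VMware code: a Python sketch that pulls the rejected certificates out of the `checkServerTrusted` log lines quoted in the first post and looks each one up in the PEM bundle being imported, so you can see whether the server is presenting the certificates you think it is and at which position in the bundle. The function names are illustrative, and treating the 20-byte thumbprint as SHA-1 over the certificate's DER bytes is an assumption based on its length.

```python
import base64
import hashlib
import re

# Constructed sample: the three "Untrusted certificate" entries from the post,
# log prefix dropped, still hard-wrapped the way the console paste left them.
SAMPLE_LOG = """\
- Untrusted certificate with serial number: [275575002430767747207576006487004385936] and thumbprint: [B0:95:0A:40:F6:85:F3:0F:D
B:DD:D8:BE:85:F7:62:10:71:44:60:69]
- Untrusted certificate with serial number: [57397899145990363081023081275480378375] and thumbprint: [33:9C:DD:57:CF:D5:B1:41:16
:9B:61:5F:F3:14:28:78:2D:1D:A6:39]
- Untrusted certificate with serial number: [52374340215108295845375962883522092578] and thumbprint: [F5:AD:0B:CC:1A:D5:6C:D1:50
:72:5B:1C:86:6C:30:AD:92:EF:21:B0]
"""

ENTRY = re.compile(r"serial number: \[(\d+)\] and thumbprint: \[([0-9A-Fa-f:]+)\]")
PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def rejected_chain(log_text):
    """Return [(serial_hex, thumbprint)] in the order the log lists them."""
    flat = re.sub(r"\n\s*", "", log_text)  # undo the hard wrap before matching
    chain = []
    for serial, thumb in ENTRY.findall(flat):
        hex_serial = format(int(serial), "X")  # log prints decimal; cert tools show hex
        if len(hex_serial) % 2:
            hex_serial = "0" + hex_serial
        chain.append((hex_serial, thumb.upper()))
    return chain


def bundle_thumbprints(pem_text):
    """SHA-1 over each certificate's DER bytes, in bundle order (assumed digest)."""
    prints = []
    for body in PEM.findall(pem_text):
        digest = hashlib.sha1(base64.b64decode("".join(body.split()))).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return prints


def locate_in_bundle(log_text, pem_text):
    """Map each rejected cert to its index in the PEM bundle, or None if absent."""
    bundle = bundle_thumbprints(pem_text)
    return [(serial, thumb, bundle.index(thumb) if thumb in bundle else None)
            for serial, thumb in rejected_chain(log_text)]


if __name__ == "__main__":
    for serial, thumb in rejected_chain(SAMPLE_LOG):
        print(f"serial=0x{serial}  thumbprint={thumb}")
```

A `None` position means the endpoint is serving a certificate that is not in the bundle at all, which points at the binding on the IaaS host rather than at the bundle order.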