VMware SSL Certificate Automation Tool: “Cannot determine if Inventory Service is registered with Single Sign-On”

An issue I have encountered recently that I thought I would share, is an error when using a combination of the brilliant SSL Toolkit by @DerekSeamen and the VMware SSL Certificate Automation Tool.

All certificates had been generated absolutely perfectly by Derek’s toolkit. After proceeding with the SSL Certificate Automation Toolkit, the SSO certificate update appeared to work without an issue. However, when the Inventory service came to be updated, the error that appeared was as follows:

Troubleshooting steps included:

1)      Checking all certificates to ensure no errors.

2)      Tested log in credentials for administrator account.

3)      Re-generating certificates and retrying.

4)      Digging out the scripts from the Automation tool and running them manually.

At this stage during the troubleshooting, I noticed that at the command prompt we were seeing errors and a partial password being entered into the batch file as it was running.

It transpired that the problem was because of our SSO administrator@vsphere.local password!! It seems that having a password that contains the “ = “ character is not great for using the VMware SSL Automation Tool as it parses your password into the batch scripts which then misinterpret the character and throw an error.  I checked the documentation on the Deploying the SSL Certificate Automation tool KB and there is no mention in the known issues section about using “=” for the admin password.  This KB Article from VMware states that there are characters that mustn’t be used with SSO admin password and equals (=) is not one of them!

After changing the SSO password and re-implementing the certificates, everything worked as expected!

This problem occurred because during the vCenter install, a random password generator for the SSO password. It is not in the unsupported list of characters so the installation proceeded as normal.


Leave a Reply

Your email address will not be published. Required fields are marked *