Dude! Where’s my vCSA SSL Cert chain?

Well, it certainly has been a while since my last post. The justification for my absence in recent months is due to the birth of my son! He is our first and so work/career life has taken a bit of back burner so I can enjoy family time being a new Dad. It’s a great experience and I’m loving it!

Right, to the issue at hand. Recently, a few of my colleagues were working on applying SSL certificates to a vCSA which drives our test environment. We were applying a trusted third party SSL certificate (from Quo Vadis) to our appliance and used the following KB:

Replacing vSphere 6.0 SSL Certificate with a custom CA Signed Cert

However, we needed to modify the .CSR but were having difficulty so this KB cleared things up for us:

Certificate Manager Utility not utilizing certool.cfg for CSR generation

Finally, we had what we needed but kept seeing roll back. This was because we had to download the certificate chain and present it to vCenter using this KB:

Replacing certificates using VMware vSphere 6.0 Certificate Manager fails at 0% with the error: Operation failed, performing automatic rollback

This appeared to work. Browsing to the web console of the vCSA showed a valid certificate from a variety of browsers on Windows machines but something wasn’t quite right our bespoke provisioning system stopped working..

Upon a little investigation when connecting via openssl to the vCSA address, we received the errors:

“Unable to get local issuer certificate”
“certificate not trusted”
“unable to verify the first certificate”

This was a problem for us as our bespoke provisioning system was not able to establish a connection to the vCSA.

The full error output is here (I appreciate it’s not code but its much easier to read on my blog):

My colleague resolved the issue by noting that the proxy configurations for service endpoints were not updated with the intermediate certificate. This can be fixed by doing the following:

1) Navigate to /etc/vmware-rhttpproxy/ssl on the vCSA.

2) Note the trustedCerts.pem file which upon initial investigation has no content! Copy and paste in the content of your Intermediate certificate (from your issuing CA) into trustedCerts.pem.

vcsaSSL3

3) Open config.xml file an an editor and find the line:

vcsaSSL1

4) Uncomment the line to ensure it is read in the config:

/etc/vmware-rhttpproxy/ssl/trustedCerts.pem

vcsaSSL2

5) Save the file and run a service restart:

Once complete, with another test to openssl the following should be observed – error free:

That is it really, nothing too special. We couldn’t find this fix in any of the VMware KB articles detailing SSL certificates. For most people, I doubt that would even notice due to browsers understanding the chain already with their built-in trusts. When you are programatically accessing the vCSA to make API calls, that is when the fun started.

100% of the credit and hardwork goes to my colleagues @claytonpeters and @dfgrain.

Leave a Reply

Your email address will not be published. Required fields are marked *