Piszki Lab | EN

My case study in the clouds…

Error connecting to VMware CEIP – Server chain certificate is not trusted (with external PSC)


In our configuration (a legacy of vSphere 5.5) we have a vCenter server with an external PSC. While testing vSAN, we decided to join the VMware CEIP program because it extends vSAN cluster monitoring. Unfortunately, the connection failed. After a long search for the cause, it turned out that the problem (as usual) was a certificate. The virgo log of the vSphere client (Flex and HTML5) showed two errors: "Server certificate chain is not trusted" and "thumbprint does not match".


I will add that for vCenter and the PSC we use certificates signed by our own CA, with VMCA functioning as a subordinate CA. On checking, we found to our surprise that the main SSO certificate is signed by the RSA Identity and Access Toolkit Root CA. To avoid a major intervention, we decided not to regenerate this certificate, but only to check whether the RSA Root CA is present in the trusted key store in vCenter.


It turned out that it was not (and it was not the only one missing). Fortunately, it was enough to export the appropriate certificate and add it in the vSphere UI client under Administration -> Certificate Management.


Thanks to this simple trick we managed to solve the problem.
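The check described above (which CA issued the SSO certificate, and is that CA among the trusted roots?) can be reproduced with openssl once the certificate and the trusted roots have been exported as PEM files. This is an added example, not part of the original post: the file names and "Demo" subjects are constructed, with the "corp" root standing in for the company CA and the "legacy" root for the unexpected issuer.

```shell
#!/usr/bin/env bash
# Added example. All file names and subject names are constructed for the demo.

# show_issuer CERT: print who the certificate claims signed it, and for whom.
show_issuer() {
    openssl x509 -in "$1" -noout -issuer -subject
}

# issuer_trusted CERT BUNDLE: exit 0 if openssl can build a trusted chain for
# CERT from the roots in BUNDLE (OpenSSL's default CA directory is also consulted).
issuer_trusted() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# make_demo_pki DIR: create two unrelated self-signed roots and one leaf.
# "corp" stands in for the company CA, "legacy" for the unexpected issuer.
make_demo_pki() {
    local d="$1" ca
    for ca in corp legacy; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Demo $ca Root CA" \
            -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=sso.demo.invalid" \
        -keyout "$d/sso.key" -out "$d/sso.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/sso.csr" -CA "$d/legacy.pem" -CAkey "$d/legacy.key" \
        -CAcreateserial -days 1 -out "$d/sso.pem" 2>/dev/null
}

# Demo: the leaf fails against a bundle holding only the company root and
# passes once the issuing root is appended to that bundle.
demo() {
    local d; d=$(mktemp -d) || return 1
    make_demo_pki "$d" || return 1
    show_issuer "$d/sso.pem"
    cp "$d/corp.pem" "$d/trusted.pem"
    issuer_trusted "$d/sso.pem" "$d/trusted.pem" && echo "before: trusted" || echo "before: NOT trusted"
    cat "$d/legacy.pem" >> "$d/trusted.pem"
    issuer_trusted "$d/sso.pem" "$d/trusted.pem" && echo "after: trusted" || echo "after: NOT trusted"
    rm -rf "$d"
}
demo
```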


Author: Piotr Pisz

Computers always: since I got a Commodore 64 at the end of primary school, through my beloved Amiga and an infinite number of Linux consoles, until today's fully virtual day. Since 2001, Unix/Linux Systems Administrator; for seven years a faithful companion and protector of the Solaris system, until its sad end. In 2011 I descended into the depths of virtualization, then smoothly ascended into the clouds, and I continue there today. Professionally working as a Systems Architect at the Polish Security Printing Works.
