One of the main innovations in VMware Integrated Containers 1.3 (VIC) is the extended plugin for the vSphere Client UI (HTML5), with which you can configure and run the VMware Container Host (VCH). This plugin depends on a correct SSL configuration in vCenter. And here an endless topic opens up: what is the correct configuration? As it turns out, everyone who has generated a certificate from VMCA signed by a Root CA (aka a custom certificate) has a nearly correct configuration. Where the problem arises, I will describe below.
We will start from scratch: we have launched VIC according to the instructions and the plugin has been uploaded correctly, but it does not work (it does not show any content). In the log:
/storage/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log
the following message appears (along with many more):
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Server certificate chain is not trusted and thumbprint doesn’t match
This problem has affected many people. After a long investigation, it turned out that the cause is a CA certificate (Root or VMCA) attached to the machine certificate. By entering the address https://vCenter/psc we can review the current content of VMware VECS, including the __MACHINE_CERT store:
As you can see, __MACHINE_CERT contains, in addition to the machine certificate, the CA certificate (VMCA) that signed it. This is not the correct state. Unfortunately, to correct this problem you must regenerate your certificate (if you do not have the old one) or re-upload it without the CA certificate. The correct state looks like this:
From now on, all operations performed from the VIC HTML5 plugin will work without any problem.
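A quick way to test an exported entry for the condition described above, as an added example that is not part of the original post: it counts the PEM certificates in the text taken from __MACHINE_CERT and writes out the first one alone. The function names and the sample input are constructed for illustration, and it assumes the machine certificate is the first block in the entry.

```shell
#!/bin/sh
# Added example: check a PEM export of the __MACHINE_CERT entry for extra certificates.
# Function names and sample data are constructed for illustration.

# Print the number of PEM certificate blocks read from stdin.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }'
}

# Print only the first certificate block from stdin.
# Assumption: the machine certificate is listed first, the CA after it.
leaf_only() {
    awk '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print }
        n == 1 && /^-----END CERTIFICATE-----/ { exit }
    '
}

# Return 0 when stdin holds exactly one certificate, 1 otherwise.
check_entry() {
    n=$(count_certs)
    if [ "$n" -eq 1 ]; then
        echo "OK: entry holds only the machine certificate"
        return 0
    fi
    echo "PROBLEM: entry holds $n certificates, expected 1"
    return 1
}

# Constructed sample: placeholder bodies, only the PEM framing matters here.
SAMPLE_CHAINED='-----BEGIN CERTIFICATE-----
PLACEHOLDER-MACHINE-CERT
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-VMCA-CERT
-----END CERTIFICATE-----'

# Demo: the chained entry is flagged, the stripped one passes.
printf '%s\n' "$SAMPLE_CHAINED" | check_entry || true
printf '%s\n' "$SAMPLE_CHAINED" | leaf_only | check_entry || true
```

Before re-uploading, confirm that the block kept by `leaf_only` really is the machine certificate and not the CA.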