VMware vCenter 6.5 SSL ICA not send
It looks like there is still a bug in vCenter 6.5 in handling the machine SSL certificate correctly. Somehow the vCenter web server does not send the intermediate certificates, even if they are selected in the certificate manager.
This results in a broken trust path when you connect to the vCenter web interface from any application or from your web browser. You can verify it with a simple
echo | openssl s_client -showcerts -connect vcenter.example.com:443
Typically you will see it in the first lines of the output:
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = vcenter.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = vcenter.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=vcenter.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
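The verdict can be read off the s_client output mechanically: a healthy server lists the leaf plus at least one intermediate under "Certificate chain", a broken one lists only entry 0 and reports verify errors 20 and 21. The script below is an added example, not part of the original post; it parses that output with awk and sed. The two samples are constructed from the output above (the "fixed" one adds a hypothetical second chain entry); in practice pipe the live output of the openssl command into the report function instead.

```shell
#!/bin/sh
# Added example (not from the original post): decide from
#   echo | openssl s_client -showcerts -connect vcenter.example.com:443
# whether the server presented intermediates or only its leaf certificate.

# Count the entries in the "Certificate chain" section of s_client output
# (lines such as " 0 s:/OU=.../CN=...", " 1 s:...").
chain_length() {
    awk '/^Certificate chain/ { inchain = 1; next }
         inchain && /^---/   { exit }
         inchain && /^ *[0-9]+ s:/ { n++ }
         END { print n + 0 }'
}

# Print the distinct verify error numbers s_client reported (e.g. "20 21").
verify_errors() {
    sed -n 's/^verify error:num=\([0-9]*\):.*/\1/p' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit status 0 when the server sent intermediates, 1 when only the leaf arrived.
chain_complete() {
    n=$(chain_length)
    [ "$n" -gt 1 ]
}

# Human-readable summary of one captured s_client session read from stdin.
report() {
    input=$(cat)
    n=$(printf '%s\n' "$input" | chain_length)
    errs=$(printf '%s\n' "$input" | verify_errors)
    if printf '%s\n' "$input" | chain_complete; then
        echo "server sent $n certificates (leaf plus intermediates)"
    else
        echo "server sent only $n certificate; verify errors: ${errs:-none}"
    fi
}

# Constructed sample: the broken chain as shown in the post (leaf only).
SAMPLE_BROKEN='depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = vcenter.example.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 OU = Domain Control Validated, OU = PositiveSSL, CN = vcenter.example.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=vcenter.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
---'

# Constructed sample: what a repaired server would show (hypothetical second entry).
SAMPLE_FIXED='---
Certificate chain
 0 s:/OU=Domain Control Validated/OU=PositiveSSL/CN=vcenter.example.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
---'

printf '%s\n' "$SAMPLE_BROKEN" | report
printf '%s\n' "$SAMPLE_FIXED" | report
```

Note that a chain length above 1 only proves the server sends something beyond the leaf; whether the intermediates are the right ones is still decided by the verify lines, which is why the report prints both.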
I have tried to select the correct intermediate certificate chain in the machine SSL certificate and also in the root certificate or in VMware terms in the "signing certificate of the Machine SSL certificate". Both without any success.
The only thing that worked for me is installing the certificate with a valid chain again via the
Check whether the certificate chain is still missing with the following command. If it returns only one certificate, I'm sure the chain isn't sent from the web server:
$ /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store machine_ssl_cert --alias __MACHINE_CERT
Save the machine certificate (server certificate) and the full chain (including all intermediate certificates) in one PEM file. The file content should be in the following order:
- machine certificate (server certificate)
- intermediate certificate #2, which signed the machine certificate
- intermediate certificate #3, which signed the intermediate certificate
Also save the machine certificate key on the vCenter server; in this example both files are saved in /tmp. Then remove the existing certificate:
$ /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT
Once both files are saved on the server you can install the certificate and key again. Because /tmp/cert_with_chain.crt includes the full chain, the vCenter web server will now send it correctly:
$ /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert /tmp/cert_with_chain.crt --key /tmp/cert.key
Restart the virtual machine or restart the vCenter services!
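Two mistakes are easy to make before the vecs-cli entry create step: concatenating the PEM files in the wrong order (the machine certificate must come first, each following certificate must be the issuer of the one before it) and pairing the bundle with a key that does not belong to the machine certificate. The script below is an added example, not part of the original post or of VMware's tooling; it uses only the openssl command line to split the bundle, check the leaf-first ordering and confirm the key matches. The file names /tmp/cert_with_chain.crt and /tmp/cert.key are those used above; the split_bundle, check_order and check_key_matches helper names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the PEM bundle
# and private key before they are imported with vecs-cli entry create.
# Usage: check_bundle.sh /tmp/cert_with_chain.crt /tmp/cert.key

# Split a PEM bundle into $2/cert-<n>.pem (n starts at 1, in file order)
# and print the number of certificates found.
split_bundle() {
    bundle=$1; dir=$2
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END { print n + 0 }' "$bundle"
}

# Subject / issuer in RFC 2253 form so the two strings compare exactly.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# Leaf-first order: the issuer of cert i must be the subject of cert i+1.
check_order() {
    dir=$1; count=$2
    i=1
    while [ "$i" -lt "$count" ]; do
        j=$((i + 1))
        if [ "$(issuer_of "$dir/cert-$i.pem")" != "$(subject_of "$dir/cert-$j.pem")" ]; then
            echo "certificate $i is not issued by certificate $j (wrong order or wrong intermediate)"
            return 1
        fi
        i=$j
    done
    echo "order ok"
}

# The private key must belong to the first (machine) certificate:
# compare SHA-256 digests of the DER-encoded public keys.
check_key_matches() {
    cert=$1; key=$2
    from_cert=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    from_key=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$from_cert" = "$from_key" ]
}

# Run all checks; exit status 0 means the bundle is safe to import.
check_bundle() {
    bundle=$1; key=$2
    work=$(mktemp -d)
    count=$(split_bundle "$bundle" "$work")
    status=0
    if [ "$count" -lt 2 ]; then
        echo "bundle holds $count certificate(s); the intermediates are missing"
        status=1
    elif ! check_order "$work" "$count"; then
        status=1
    elif ! check_key_matches "$work/cert-1.pem" "$key"; then
        echo "private key does not match the machine certificate"
        status=1
    else
        echo "bundle ok: $count certificates, leaf first, key matches"
    fi
    rm -rf "$work"
    return "$status"
}

if [ $# -eq 2 ]; then
    check_bundle "$1" "$2"
fi
```

Run it as check_bundle.sh /tmp/cert_with_chain.crt /tmp/cert.key on the appliance before the delete and create steps; a non-zero exit means fix the bundle first, since once the old entry is deleted a bad import leaves the web interface without a usable certificate.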