Hi,
Thanks in advance if anyone could help
Environment:
vCAC appliance server: VMware-vCAC-Appliance-6.2.0.0-2330392_OVF10.ova
Identity Appliance: SSO installed with VMware-VIMSetup-all-5.5.0-2442328-20150101-update02 (we want to leverage the SSO installed with vCenter as the Identity Appliance, so we didn’t download and install the standalone Identity Appliance)
Deployed and configured the vCAC server following “vrealize-automation-62-installation-and-configuration.pdf” using the Minimal Deployment Method; however, when logging in to the vRealize Automation console webpage (https://vcac.j.k.l/vcac), after providing username/password, we got the following error:
(The error code changes, i.e. it is different every time.)
Checked in VMware vRealize Automation Appliance management, SSO connected successfully.
Looking into /var/log/vcac/catalina.out we got the following message:
2015-07-01 02:02:09,035 vcac: [component="cafe:shell" priority="WARN" thread="tomcat-http--49" tenant="vsphere.local"] com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted:43 - Untrusted certificate with serial number: [10051561767222306305] and thumbprint: [93:46:75:A5:44:05:09:B2:46:46:C9:5B:52:44:C5:25:CC:EF:92:1E]
2015-07-01 02:02:09,036 vcac: [component="cafe:shell" priority="WARN" thread="tomcat-http--49" tenant="vsphere.local"] com.vmware.vcac.authentication.http.SamlLogoutRequestor.doSendLogoutRequest:107 - Cannot logout principal: [Administrator@VSPHERE.LOCAL] from SSO Server.
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://10.240.252.178/websso/SAML2/SLO/vsphere.local?SAMLRequest=nZJNb9sgGMe%2FisU9YLBxYhS7i5ZWi%2B...........
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:557)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:517)
...
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
Caused by: java.security.cert.CertificateException: Untrusted certificate chain.
at com.vmware.vcac.platform.security.CafeAbstractTrustManager.checkServerTrusted(CafeAbstractTrustManager.java:46)
...
Looking into webpage of , we found the certificate in question is the vCAC server’s certificate (the thumbprint in the log and in the SSL configuration of the VMware vRealize Automation Appliance management webpage is the same):
So, we suspect this exception is caused by SSO not recognizing the vCAC appliance server’s certificate when SSO is trying to authenticate the vCAC server? If yes, how do we add the vCAC appliance’s certificate to the SSO server? If not, any advice on this will be appreciated!
Thanks in advance!
It would be really appreciated if anyone can help??
To summarize the question: does anyone know how to add the vCAC server certificate to SSO (i.e. let the SSO server which is installed with vCenter server trust the vCAC server's certificate)?
Thanks a lot
This isn't a cert issue. It's a time sync issue. Validate that all components (vRA/SSO/IaaS) are using the same time source, and that the hosts they run on have consistent time.
Grant
Hi,
I was getting a similar error when trying to set up vCloud Usage Meter to collect and report data back to VMware as part of vCloud Air Network. After reading your post, I realized I had configured the vCloud Usage Meter appliance with the wrong timezone. Connections to vCenter servers were fine from the appliance; the only issue was with getting data from vROPs 6. After having the proper timezone in place, the error went away.
Thanks for that!
This is an old post but I found it when I was receiving the 'untrusted certificate' error also. I ended up opening a support ticket and they pointed me to this KB and it fixed my issue. The problem was someone else replaced the external SSO server's cert that vCAC was using. Had to do the steps in the KB to get the SSO cert trusted again. I would recommend copying and pasting the steps into notepad or something, putting your FQDNs in and then copying to command prompt... I had to do this twice as I typo'ed 2 lines.
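
The thumbprint comparison described in the first post, which also helps in the replaced-certificate case from the last reply, as an added example that is not part of the thread: this Python sketch pulls the untrusted thumbprints out of log lines in the format quoted above and matches them against certificates you have collected. The `vcac-appliance` label, the stand-in certificate bytes and the first sample log line are constructed for illustration.

```python
import hashlib
import re
import ssl

# WARN line format as quoted in the first post of this thread.
UNTRUSTED = re.compile(
    r"Untrusted certificate with serial number: \[(\d+)\] "
    r"and thumbprint: \[((?:[0-9A-F]{2}:){19}[0-9A-F]{2})\]")

def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, as colon-separated upper-case hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))

def untrusted_certs(log_text: str) -> dict:
    """Map thumbprint -> (serial as hex, occurrences). The log prints the
    serial in decimal; most certificate viewers show it in hex."""
    found = {}
    for match in UNTRUSTED.finditer(log_text):
        serial, tp = match.groups()
        seen = found.get(tp, ("", 0))[1]
        found[tp] = (format(int(serial), "X"), seen + 1)
    return found

def identify(log_text: str, known: dict) -> dict:
    """known maps a label to DER bytes; returns thumbprint -> label or None."""
    by_tp = {thumbprint(der): label for label, der in known.items()}
    return {tp: by_tp.get(tp) for tp in untrusted_certs(log_text)}

def fetch_der(host: str, port: int = 443) -> bytes:
    """Certificate a live endpoint presents (needs network, no validation)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

# Constructed sample: stand-in bytes instead of a real DER certificate, one
# constructed log line for it, plus the thumbprint line quoted in the post.
SAMPLE_DER = b"constructed stand-in for a DER certificate"
POSTED_TP = "93:46:75:A5:44:05:09:B2:46:46:C9:5B:52:44:C5:25:CC:EF:92:1E"
SAMPLE_LOG = (
    "Untrusted certificate with serial number: [4660] and thumbprint: "
    f"[{thumbprint(SAMPLE_DER)}]\n"
    "Untrusted certificate with serial number: [10051561767222306305] "
    f"and thumbprint: [{POSTED_TP}]\n")

if __name__ == "__main__":
    known = {"vcac-appliance": SAMPLE_DER}
    for tp, label in identify(SAMPLE_LOG, known).items():
        print(tp, "->", label or "no match among the supplied certificates")
```

With real data, pass the contents of the log file as `log_text` and build `known` from `fetch_der()` calls against each appliance, so the output shows which endpoint's certificate is the one being rejected.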