Good afternoon all,
I am troubleshooting a problem that is preventing the VIClient from connecting to vCenter after replacement of the machine SSL certificate with a third-party signed certificate.
Debugging Steps:
- Reviewed VIClient logs: all messages indicated timeout or no response from the VCenter.
- Reviewed the vcenter logs: /var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log and did not see any interesting/useful errors.
- Noted that the vSphere VAMI interface (https://<hostname>:5480/login.html) does not show the new, third party signed certificate and continues to show the original, self-signed certificate.
- Restarted all services on both the VCenter appliance and External PSC
- When logging into the web client, log messages appear in the External PSC Controller indicating a successful authentication. Log messages *do not* appear in the PSC when using the VIClient.
- Reviewed the SSO Domain certificate store and ensured that the root and intermediate CA certificates were in the domain and trusted.
- Checked the MOB (https://<hostname>/lookupservice/mob?moid=ServiceRegistration&method=List) and confirmed that the new cert was listed correctly for all services.
Any advice or help would be appreciated. I wanted to see if anybody had any ideas before I opened a support case with VMware.
Good afternoon,
I wanted to circle back and provide some updates to this issue. Through a little bit of diagnostic work with Wireshark, I confirmed that the VIClient was not timing out trying to connect to vCenter, but rather timing out trying to connect to the PKI certificate CRL server listed in the AIX field of the certificate. Since the VIClient was not able to download the CRL and verify that the certificate was valid, the login process would time out.
To the best of my understanding, this process was not strictly enforced in the VI 5 Client days, so, VMware must have implemented stricter checking in the VI 6 Client and refuses to move forward without a valid CRL.
We are looking into why the VIClient cannot connect to the hosts listed in the AIX field of the vCenter cert, but when we put workarounds in place, the VIClient successfully connects.
Thanks
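As an added example (not code from this thread and not a VMware tool), here is a small Go program that does the first diagnostic step the post above arrived at with Wireshark: it parses a certificate, lists every revocation-related URL embedded in it (CRL Distribution Points, OCSP responder and CA Issuers URLs from the Authority Information Access extension), and probes each one with a short timeout. If a client enforces revocation checking, these are exactly the hosts it has to reach; on a disconnected network every one of them should show up as unreachable. The certificate in the example is constructed in memory with placeholder `.invalid` hostnames, so it runs offline; to check a real vCenter certificate, read its PEM file into `ExtractRevocationEndpoints` instead.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/http"
	"time"
)

// RevocationEndpoints holds every URL a revocation-checking client may try to
// reach while validating a certificate: CRL distribution points, OCSP responders,
// and the "CA Issuers" URLs used to fetch a missing intermediate certificate.
type RevocationEndpoints struct {
	CRL       []string
	OCSP      []string
	CAIssuers []string
}

// ExtractRevocationEndpoints parses one PEM-encoded certificate and returns the
// URLs from its CRL Distribution Points and Authority Information Access extensions.
func ExtractRevocationEndpoints(pemData []byte) (RevocationEndpoints, error) {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return RevocationEndpoints{}, fmt.Errorf("no CERTIFICATE block found in input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return RevocationEndpoints{}, err
	}
	return RevocationEndpoints{
		CRL:       cert.CRLDistributionPoints,
		OCSP:      cert.OCSPServer,
		CAIssuers: cert.IssuingCertificateURL,
	}, nil
}

// AllURLs returns the endpoints as one flat list, in the order a validator would
// typically care about them (CRL first, then OCSP, then CA Issuers).
func (r RevocationEndpoints) AllURLs() []string {
	var all []string
	all = append(all, r.CRL...)
	all = append(all, r.OCSP...)
	all = append(all, r.CAIssuers...)
	return all
}

// ProbeURL issues a HEAD request with a short timeout so a blocked or unreachable
// endpoint is reported quickly instead of hanging the way the client login did.
func ProbeURL(url string, timeout time.Duration) error {
	client := &http.Client{Timeout: timeout}
	resp, err := client.Head(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// sampleCertPEM builds a constructed self-signed certificate carrying CRL and AIA
// URLs on placeholder hosts (assumption: these are not real PKI endpoints), so the
// example runs without any real CA or network access.
func sampleCertPEM() []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "vcenter.example.invalid"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		CRLDistributionPoints: []string{"http://pki.example.invalid/crl/issuing-ca.crl"},
		OCSPServer:            []string{"http://ocsp.example.invalid"},
		IssuingCertificateURL: []string{"http://pki.example.invalid/aia/issuing-ca.crt"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	eps, err := ExtractRevocationEndpoints(sampleCertPEM())
	if err != nil {
		panic(err)
	}
	for _, u := range eps.AllURLs() {
		if err := ProbeURL(u, 3*time.Second); err != nil {
			fmt.Printf("UNREACHABLE %s: %v\n", u, err)
		} else {
			fmt.Printf("ok          %s\n", u)
		}
	}
}
```

Run it from the machine where the client is installed, not from the vCenter appliance: what matters is whether the client host can reach those URLs, and a proxy, firewall or air gap between the two is usually the reason the login hangs until the timeout.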
Hello,
I know this is an old thread, but we have the exact same issue in a disconnected enterprise network.
Could you detail a little about the workarounds you put in place for this issue?