Hi Everyone, the surprisingly new version of vCenter does not work with my current SSL from vCenter 7
here are the errors:
1. When trying to insert Sectigo 1yr (Error occurred while fetching tls: Provided certificate using the weak signature algorithm. Please provide the strong signature algorithm certificate)
2. When trying to insert Let's Encrypt (Error occurred while fetching tls: the trustAnchors parameter must be non-empty)
3. When trying to SSL.com 90-days (Error occurred while fetching tls: 0)
4. When trying to insert wildcard not work as well (Wildcard SSL working well with ESXi but not working with Center)
================
I tried to re-issue, I changed the SSL provider, I read every article, and none of them is working
since I was at vCenter 7 all of them except Let's Encrypt working fine
but now none of them working
please give me a solution, appreciate it
Best Regards
Hey @AHMNco :
FYI, I wrote a blog post describing how I was able to get past this error (use a different cert in the CA Bundle). You may want to skip to the Troubleshooting section.
After thousand years nobody even replied, where are the VMware Experts????
I will not be so original and will say to generate a new certificate and to check a certificate template for vCenter7
Highly possible that maybe changes are needed
The problem is not with the certificate, it is with the application of the newly generated certificate into vCenter 8.
so where is the resolution?
where are the VMWare experts??
is nobody gonna come and answer this problem?
same problem!
Same problem and Auto Gen Certificate is Sha256 with rsa:3084 and my certs with Sectigo Sha384 with rsa:8192
Same problem; tried "ecdsa-with-SHA256 + id-ecPublicKey (384 bit)" and "sha384WithRSAEncryption + rsaEncryption (2048 bit)", both without luck.
Default certificate is: "sha256WithRSAEncryption + rsaEncryption (2048 bit)"...
It seems none of the VMWare Experts care about our problem!!!!!
This is what I had to do to fix it for my Sectigo/Comodo certificate:
Longer story: the bad & good certificates have the same key (their RSA Modulus is the same) and the same CN ("USERTrust RSA Certification Authority"), so they can be interchanged, but the bad PEM has been cross-signed (issued) by the old, bad "AAA Certificate Services" (which is self-signed with the weak SHA1 algorithm). The good cert is self-signed with the strong SHA-384 algorithm.
If you feel uncomfortable downloading the cert from a forum (and you should feel uncomfortable), you can view the details of the good certificate here: https://crt.sh/?id=1199354
And you can download a copy of the PEM here: https://crt.sh/?d=1199354
No, not working
I had similar issues and in my case it was due to the path to root certificated being incomplete. Also make sure that any cert in path is at least above sha 1 as version 8 rejects any sha 1 cert. Another approach i took was to delete all related trusted root certs to make sure there is no conflict's. That has t be done from CLI and a slight pain in ass.
Hey @AHMNco :
FYI, I wrote a blog post describing how I was able to get past this error (use a different cert in the CA Bundle). You may want to skip to the Troubleshooting section.
OK good to see some have got it working using public certs. I'm still struggling to replace the machine cert with a cert generated by an internal CA.
acursory look through the logs in /var/log/vmware/certificatemanagement and /var/log/vmware/certificateauthority isn't providing much help either!
Found the error in /var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log:
[2022-11-03T15:31:03.619Z] [ERROR] http-nio-5090-exec-4 com.vmware.vise.mvc.exception.GlobalExceptionHandler Exception handled while processing request for /ui/certificate-ui/ctrl/certificates/tls: com.vmware.vapi.std.errors.Error: Error (com.vmware.vapi.std.errors.error) => {
messages = [LocalizableMessage (com.vmware.vapi.std.localizable_message) => {
id = com.vmware.certificatemanagement.error,
defaultMessage = Exception found (0),
args = [0],
params = <null>,
localized = <null>
}],
data = <null>,
errorType = ERROR
}
Full error attached.
Problem also exists when configuring vCenter login with OpenID Connect in Azure. To access login.microsoft.com, both CA certs from Digicert are needed, but "DigiCert Global Root CA" use "SHA-1 with RSA Encryption" signature algorithm. Importing fails, means also configuring OIDC fails.
It's not that VMware supports 100s of different IDPs. The only one is ADFS and using Microsofts cloud service isn't uncommon.
When checking login.microsoft.com with ssllabs.com, they wrote about the Root CA from Digicert: Weak or insecure signature, but no impact on root certificate
VMware, please fix it. Thanks.
Same issue here. Reverting back to vCenter 7....
vSphere 8.0 (vCenter Server and ESXi ) do not support certificate with weak signature algorithms, such as sha1WithRSAEncryption.
Just check if the certificate you are using is with weak signature algorithms. Check the below KB for more details.
Hey @BrianCunnie I followed your instructions from your blog post, even purchasing the exact certificate you purchased and attempted this with vCenter 8.
First, I created via
CN=vcenter-80.nono.io # "CN" is the abbreviation for "Common Name"
openssl genrsa -out $CN.key 3072
openssl req \
-new \
-key $CN.key \
-out $CN.csr \
-sha256 \
-subj "/C=US/ST=California/L=San Francisco/O=nono.io/OU=homelab/CN=${CN}/emailAddress=brian.cunnie@gmail.com" \
-config <(cat <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${CN}
EOF
)
(obviously, I changed the values).
I then requested a certificate from SSls.com, and we purchased their least-expensive offering, the PositiveSSL 1 domain Comodo SSL.
(using the same disclaimer):
[We do not endorse either SSLs.com or Sectigo (formerly Comodo); We encourage you to use the reseller and the Certificate Authority (CA) with which you are most comfortable].
They then provided me with the two files. vcenter.domain.co.crt and vcenter_domain_co.ca-bundle
Then we followed the instructions from your blog post:
After doing this, vCenter reports: "Error occurred while fetching tls: Invalid input, not a valid PEM formatted Primary Key"
- On your vCenter, navigate to Menu → Administration → Certificates → Certificate Management
- On the __MACHINE_CERT tile, click Actions, select Import and Replace Certificate.
- Select Replace with external CA certificate(requires private key).
- Machine SSL Certificate: click Browse File and select vcenter.domain.crt
- Chain of trusted root certificates: click Browse File and select vcenter_domain_co.ca-bundle
- Private Key: click Browse File and select vcenter_domain_co.ca-bundle
- Click Replace.
I've been beating my head all day with this. vCenter logs aren't much of a help. Did you have to do anything else, or am I just missing a step?