Symptoms

The customer is using custom certificates for vCenter.During the validation process, they receive the error "Failed to validate the certificate of vCenter_FQDN, the reason is: Unknown certificate error."short.term.log: "2023-10-30 15:59:49,783" microservice.nano-service "2023-10-30T15:59:49.504761076Z stdout F 2023-10-30 15:59:49,504 [ERROR] <Dummy-13:140233862194248> validator.py execute() (90): Validation errors: errors=[ {'type': 'THOROUGH-VALIDATOR', 'field': 'vcenter.customer_supplied_vc_name', 'code': 'E3100_Security_CERT_03', 'placeholders': ('[vCenter_FQDN]', 'Unknown certificate error.'), 'message': 'Failed to validate the certificate of [vCenter_FQDN], the reason is: Unknown certificate error.'} -element-service.log RAN: /usr/bin/openssl s_client -connect HOST-[vCenter_FQDN]:443 -verify_return_error -brief -CApath /var/vc-certs/lin -verify_hostname HOST-[vCenter_FQDN] STDOUT: STDERR: depth=1 C = US, O = [Organization], OU = [Organizational Unit], OU = [Organizational Unit], OU = [Organizational Unit] verify error:num=2:unable to get issuer certificate issuer= C = US, O = [Organizational], OU = [Organizational Unit], OU = [Organizational Unit], OU = [Organizational Unit] 139640339437376:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1915:

Cause

SSH to the vCenter Server VM and run: root@vcsa [ ~ ]# cd /etc/vmware-vpx/docRoot/certs root@vcsa [ /etc/vmware-vpx/docRoot/certs ]# ls 629444d0.r1 b8de189b.0 b8de189b.r1 There are two certificates (629444d0 and bide189b). Notice 629444d0 does not have a corresponding 629444d0.0 file for the certificate chain.

Resolution

Remove the in-valid certificate per VMware Knowledge Article Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) (2146011).Re-add the certificate per VMware Knowledge Article How To Use vSphere Certificate Manager To Replace SSL Certificates .

Support Cases