After creating a new STS signing certificate chain as described in Generate a New STS Signing Certificate on the Appliance, importing the certificate chain using the Web Client fails.
You see the following error in the Web Client: "A vCenter Single Sign-On error occurred"
The STS certificate is in the correct PKCS#12 format.
In an upgraded vCenter Server, the old STS certificate is retained in the STS_INTERNAL_SSL_CERT store. The documentation Generate a New STS Signing Certificate on the Appliance expects the certificate in the MACHINE_SSL_CERT store to be used when creating the STS certificate, but the creation process instead references the __MACHINE_CERT entry in the STS_INTERNAL_SSL_CERT store.
Ensure you snapshot the vCenter Server Appliance before proceeding. If you have external replicating PSCs, shut them all down and snapshot all nodes, including the vCenter node.
To solve the issue, follow the steps given below:

1. Obtain the current root CA certificate:

```shell
/usr/lib/vmware-vmca/bin/certool --getrootca --cert=/tmp/cacert.crt
```

   Save this as cacert.crt on the appliance at your desired location; /tmp/ is used in the command above as an example.

2. Replace the __MACHINE_CERT entry in the STS_INTERNAL_SSL_CERT store with the machine certificate from the MACHINE_SSL_CERT store.

3. Run the commands below as you see them, one by one (the existing STS_INTERNAL_SSL_CERT entry is backed up to ~/sts_internal_backup.crt and ~/sts_internal_backup.key before it is deleted):

```shell
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > ~/machine.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > ~/machine.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > ~/sts_internal_backup.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert ~/machine.crt --key ~/machine.key
```

4. Create the new STS certificate. The document Generate a New STS Signing Certificate on the Appliance assumes that the certificate at /etc/vmware-sso/keys/ssoserverRoot.crt is the same as the root CA. On an upgraded, as opposed to a newly deployed, vCenter Server Appliance they can be different. So, when going through Generate a New STS Signing Certificate on the Appliance again to create the new STS certificate, replace /etc/vmware-sso/keys/ssoserverRoot.crt with <path>/cacert.crt wherever you see it in the openssl commands.

5. Importing the root-trust.jks as per Refresh the Security Token Service Certificate should now succeed.

6. Restart all vCenter and PSC services.

7. Delete the old STS signing certificates from the Web Client.
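Before running the procedure it is useful to confirm that the appliance is actually in the mismatched state described above. The following pre-check is an added example, not part of the VMware article: it compares the SHA-256 fingerprints of the certificates exported by the commands in this article (STS_INTERNAL_SSL_CERT vs MACHINE_SSL_CERT, and the VMCA root CA vs ssoserverRoot.crt) using only the Python standard library. The default file paths are assumptions matching the commands above.

```python
"""Pre-check for the STS signing-certificate procedure: report whether the
STS_INTERNAL_SSL_CERT leaf differs from the MACHINE_SSL_CERT leaf, and whether
/etc/vmware-sso/keys/ssoserverRoot.crt differs from the VMCA root CA, by
SHA-256 fingerprint of the DER encoding. Standard library only."""
import base64
import hashlib
import os
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_certs_to_der(pem_text: str) -> list:
    """Return the DER bytes of every certificate in a PEM string, in order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]


def fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint of the FIRST certificate in the PEM (the leaf when a
    chain is given), in the colon-separated form openssl x509 -fingerprint uses."""
    ders = pem_certs_to_der(pem_text)
    if not ders:
        raise ValueError("no CERTIFICATE block found in PEM input")
    digest = hashlib.sha256(ders[0]).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_mismatches(machine_pem, sts_internal_pem, vmca_root_pem, sso_root_pem):
    """Return a description of each pair that differs; an empty list means the
    appliance is in the state the VMware procedure expects."""
    findings = []
    if fingerprint(machine_pem) != fingerprint(sts_internal_pem):
        findings.append("STS_INTERNAL_SSL_CERT differs from MACHINE_SSL_CERT")
    if fingerprint(vmca_root_pem) != fingerprint(sso_root_pem):
        findings.append("ssoserverRoot.crt differs from the VMCA root CA")
    return findings


def main(argv):
    # Assumed default paths: the files written by the vecs-cli and certool
    # commands in this article; pass four paths to override them.
    paths = argv[1:] or [os.path.expanduser("~/machine.crt"),
                         os.path.expanduser("~/sts_internal_backup.crt"),
                         "/tmp/cacert.crt",
                         "/etc/vmware-sso/keys/ssoserverRoot.crt"]
    pems = [open(p, encoding="ascii").read() for p in paths]
    for line in find_mismatches(*pems) or ["stores are consistent"]:
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it on the appliance after exporting the certificates in step 3 and before step 4; either finding confirms that the substitutions described above are needed.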