During the initial configuration of a Cloud Director Availability appliance, configuring the lookup service fails and you see a similar error:

    Failed to connect to lookup service at https://PSC_Address:443/lookupservice/sdk

In /opt/vmware/h4/<cloud|manager|replicator|tunnel>/log/<cloud|manager|replicator|tunnel>.log on the Cloud Director Availability appliance, you see a similar error:

    2020-04-27 11:51:14.470 ERROR - [UI__55ef4eba-a6c7-444a-9fcb-1049fe259f2a_gh] [https-jsse-nio-8440-exec-3] c.v.h4.common.service.BaseConfigService : Failed to connect to lookup service at https://PSC_Address:443/lookupservice/sdk.
    com.vmware.exception.GenericSSLException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint verification is not configured
        at com.vmware.exception.converter.ClientExceptionConverter.convertException(ClientExceptionConverter.java:64)
        at com.vmware.vlsi.util.ExceptionConverterInterceptor.handleException(ExceptionConverterInterceptor.java:30)
        at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:254)
    ...
    Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: SSL handshake from 0.0.0.0/0.0.0.0:59746 to PSC_Address:443 failed in 113 ms
        at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.handleHandshakeException(ThumbprintTrustManager.java:597)
        at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:422)
        at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.verifyHostname(VlsiSslSocketFactory.java:129)
        at com.vmware.vim.vmomi.client.http.impl.VlsiSslSocketFactory.createLayeredSocket(VlsiSslSocketFactory.java:122)

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
This issue can occur when:

- The machine SSL certificate of a vCenter Server differs from the certificate stored in the lookup service.
- The lookup service certificate on port 443 differs from the certificate on port 7444.
Warning: Incorrectly updating certificate information of service registrations may break the functionality of that service.
To verify you are encountering vCenter/lookup service certificate issues, perform the following checks:

Lookup service certificate mismatch

1. SSH to the Cloud Director Availability On-Premises appliance and log in as root.
2. Run the following commands against the Platform Services Controller:

    openssl s_client -connect PSC_Address:443 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout
    openssl s_client -connect PSC_Address:7444 < /dev/null 2>/dev/null | openssl x509 -fingerprint -noout

3. Compare the outputs to determine if there is a mismatch.

vCenter Server certificate mismatch

1. SSH to the Platform Services Controller and log in as root.
2. Use the lstool script to get a list of the registered services on the PSC:

    vSphere 6.x:
    /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk > /tmp/services.txt

    vSphere 7.0:
    /usr/lib/vmware-lookupsvc/tools/lstool.py list --url http://localhost:7090/lookupservice/sdk > /tmp/services.txt

3. Open the services.txt file and search for the following section:

    Service Type: vcenterserver

4. Take note of the endpoint certificate for the service.
5. Run the following command against the vCenter Server:

    openssl s_client -connect vCenter_Address:443 < /dev/null 2>/dev/null | openssl x509

6. Compare the certificates from steps 4 and 5 to determine if there is a mismatch.

To resolve any certificate mismatch issues, contact VMware Support and note this Article ID (78920) in the problem description. For more information, see How to Submit a Support Request.
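The comparison in steps 3 to 6 of the vCenter Server certificate mismatch check can be scripted; the following is an added example, not code from VMware or from the original article. It assumes the lstool output carries each endpoint as a `URL:` line followed by an `SSL trust:` line holding one base64-encoded DER certificate (field names not shown in the article), and it runs on constructed sample data; all function names are hypothetical.

```python
import base64
import hashlib
import re

# Constructed placeholder bytes standing in for DER certificates (not real certs).
OLD_DER = b"constructed-cert-registered-in-lookup-service"
NEW_DER = b"constructed-cert-after-vcenter-replacement"

def to_pem(der):
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed stand-in for /tmp/services.txt. The "URL" and "SSL trust" field
# names and the one-certificate-per-field layout are assumptions about lstool output.
SAMPLE_SERVICES = (
    "\tService Type: example.other\n\tEndpoints:\n\t\tURL: https://psc.example.test/ls\n"
    f"\t\tSSL trust: {base64.b64encode(NEW_DER).decode()}\n"
    "\tService Type: vcenterserver\n\tEndpoints:\n\t\tURL: https://vc.example.test:443/sdk\n"
    f"\t\tSSL trust: {base64.b64encode(OLD_DER).decode()}\n"
)

def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated style openssl prints."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def registered_certs(services_text, service_type="vcenterserver"):
    """Map endpoint URL -> DER bytes for every endpoint of one service type."""
    certs, current_type, url = {}, None, None
    for line in services_text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Service Type":
            current_type, url = value, None  # a new registration block starts
        elif key == "URL":
            url = value
        elif key == "SSL trust" and current_type == service_type and url:
            certs[url] = base64.b64decode(value)
    return certs

def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate in input")
    return base64.b64decode("".join(m.group(1).split()))

def find_mismatches(services_text, live_pem):
    """List (url, registered_fp, live_fp) for endpoints whose stored cert is stale."""
    live_fp = fingerprint(pem_to_der(live_pem))
    stored = registered_certs(services_text)
    return [(u, fingerprint(d), live_fp) for u, d in stored.items() if fingerprint(d) != live_fp]
```

On a real system, `live_pem` would be the PEM output saved from the step 5 command and `services_text` the contents of /tmp/services.txt; an empty result means the registration matches the certificate vCenter Server presents.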
For more information on vSphere certificate issues, see:

- vCenter Server certificate validation error for external solutions in environments with vCenter Server 7.0
- vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with a External Platform Services Controller
- "Server certificate chain is not trusted and thumbprint verification is not configured" upgrading external SSO Server to vSphere 6.5 PSC