vCenter Server registration to Cloud Gateway fails with error message
This document describes the precheck failures that can occur while registering a vCenter Server on vCenter Cloud Gateway and explains how to address each of them.

During registration, the gateway performs checks on the vCenter Server certificate. These checks cover the most common operations that depend on a valid vCenter Server certificate to establish a TLS connection between the gateway and vCenter. The precheck can fail because of a problem in the vCenter configuration or because of a network problem, typically a proxy in the path that intercepts TLS connections and presents its own certificate.
The vCenter registration page shows one of the following error messages when the vCenter certificate precheck fails. Each entry lists the error message, what the gateway detected, the known causes, and the resolution.

Error message: The vCenter Management Interface is not using the machine SSL certificate for the vCenter Server appliance
Description: The SSL certificate presented during the handshake with the vCenter Appliance Management Interface (VAMI, port 5480) did not match the vCenter SSL certificate presented on port 443.
Known issue: After the vCenter SSL certificate has been replaced, VAMI (https://<VC_FQDN>:5480) does not use the new SSL certificate yet.
Resolution: Follow 2. "Resolving VMware Appliance Management Interface (VAMI) certificate issue" to validate and resolve the issue.
Known issue: A proxy configured between Cloud Gateway (GW) and vCenter intercepts the certificate.
Resolution: Follow 1. "Resolving proxy issues".

Error message: Inconsistent vCenter server certificate thumbprint during registration
Description: The certificate thumbprint obtained during the SSL handshake differs from the thumbprint initially provided by the vCenter registration UI.
Known issue: A proxy configured between GW and vCenter intercepts the certificate.
Resolution: Follow 1. "Resolving proxy issues".

Error message: Inconsistent vCenter certificate in the lookup service
Description: The gateway failed to connect to the vCenter service using the provided certificate thumbprint.
Known issue: A proxy configured between GW and vCenter intercepts the certificate.
Resolution: Follow 1. "Resolving proxy issues".

Error message: vCenter server TLS certificate doesn't match the TLS certificate obtained from the certificate management service
Description: The vCenter TLS certificate obtained from the SSL handshake between GW and vCenter does not match the vCenter server TLS certificate returned by the certificate management service.
Known issue: A proxy configured between GW and vCenter intercepts the certificate.
Resolution: Follow 1. "Resolving proxy issues".

Error message: Failed to obtain the certificate management service
Description: The gateway failed to get the service endpoint of the vCenter certificate management service.
Known issue: Configuration issue in the service registration.
Resolution: Follow 3. "Resolving issues in the Lookup service".

Error message: The certificate management service is unreachable
Description: The gateway failed to connect to the vCenter certificate management service endpoint.
Known issue: Intermittent network issue.
Resolution: Retry the vCenter registration after a while.
Known issue: Configuration issue in the service registration. This is unlikely at this stage, because all the operations before this one had already worked normally.
Resolution: Follow 3. "Resolving issues in the Lookup service".

Error message: Failed to validate certificate used by certificate management service
Description: Validation of the certificate presented by the certificate management service endpoint failed, so the SSL connection to the endpoint could not be established.
Known issue: Configuration issue in the service registration. The sslTrust entry of the endpoint must contain the certificates needed to validate the endpoint certificate during the SSL handshake.
Resolution: Follow 3. "Resolving issues in the Lookup service".

Error message: Failed to validate vCenter server certificate
Description: Validation of the vCenter server certificate against the trusted root CA certificates failed.
Known issue: Some root certificates may be missing from the GW trust store. This can happen if an earlier certificate operation accidentally removed the required root certificate from the trust store.
Resolution: The root CA certificates are pushed to the GW trust store whenever the vCenter certificate is updated or replaced, so replace or update the vCenter certificate again to repopulate the GW trust store. See 4. "Replacing vCenter certificate" for the procedure.

Error message: Failed to verify vCenter hostname in the vCenter server certificate
Description: Validation of the vCenter server certificate against the trusted root CA certificates provided by the certificate management service failed; the chain validated, but the hostname verification did not.
Known issue: The certificate contains no Common Name or Subject Alternative Name (SAN) entry that matches the vCenter hostname used to register on the gateway.
Resolution: Register vCenter on the gateway using the vCenter FQDN that matches a SAN entry of the vCenter SSL certificate. If vCenter must be registered by IP address, the certificate must contain a SAN entry with that IP address. If the SAN does not contain the required entry (FQDN or IP address), follow 4. "Replacing vCenter certificate" to replace the vCenter certificate with the required information.

Solutions

1. Resolving proxy issues

1.1. Validating no proxy between Cloud Gateway (GW) and vCenter

There should be no proxy between GW and vCenter. If a proxy is configured on the GW, every vCenter to be registered must be excluded from it. From the GW UI, you can check and modify the setting at https://<GW_FQDN>:5480/#/ui/networking

You can also check the setting manually from the command line:
- Log in to the GW machine.
- Validate that HTTPS_PROXY is not set in the /etc/sysconfig/proxy configuration file. If it is set, ensure that every vCenter hostname to be registered is covered by the NO_PROXY list.
- Additionally, check that the settings are applied in the environment with the following command:
  env | grep -i proxy

1.2. Detecting transparent proxy with certificate interception

Even if no proxy is set on the GW, a transparent proxy may exist between the gateway and vCenter. If that proxy intercepts the certificate sent by vCenter during the SSL handshake, the gateway cannot validate the vCenter certificate, because the certificate it observes is the proxy's rather than vCenter's. If you are not sure whether a transparent proxy is intercepting SSL connections between GW and vCenter, compare the thumbprints seen from both ends:

- Log in to the vCenter server and get the certificate thumbprints with the following commands:
  openssl s_client -connect localhost:443 < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout
  openssl s_client -connect localhost:5480 < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout
- Log in to the gateway and obtain the vCenter certificate thumbprints as seen from the gateway's SSL handshake:
  openssl s_client -connect <VC_FQDN>:443 < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout
  openssl s_client -connect <VC_FQDN>:5480 < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout

If the thumbprints from the two machines differ for the same port, a transparent proxy is intercepting certificates between the gateway and vCenter. To resolve the issue, all vCenter servers must be allow-listed on the proxy and excluded from certificate interception; contact your network administrator to apply the settings. Do not work around the failure by weakening the gateway's certificate checks: the thumbprint comparison is exactly what distinguishes the real vCenter from a device sitting in the path.

2. Resolving VMware Appliance Management Interface (VAMI) certificate issue

2.1. Checking if VAMI is using a different SSL certificate

- Log in to the vCenter server.
- Get the certificate thumbprints by performing an SSL connection to ports 443 and 5480:
  openssl s_client -connect localhost:443 < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout
  openssl s_client -connect localhost:5480 < /dev/null 2> /dev/null | openssl x509 -fingerprint -sha256 -noout
- If the certificate thumbprints do not match, continue to 2.2 to resolve the issue.

2.2. Updating VAMI certificate

Follow the procedure in the following KB document to update the VAMI certificate: VAMI does not display the new certificate after changing vCenter Server Appliance 6.x certificates

3. Resolving issues in the Lookup service

Various misconfigurations of the service registration in the Lookup service can cause the vCenter registration precheck to fail. Typically, the hostname part of endpointUrl or the certificates in sslTrust of the service endpoint are wrong. Use the lsdoctor tool described in the following KB document to detect and fix these configuration issues: Using the 'lsdoctor' Tool

4. Replacing vCenter certificate

4.1. Certificate issued by a third-party CA

Follow this KB document to replace the vCenter certificate with one signed by a third-party CA: Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate
Notes:
- Use the vCenter FQDN in the "Name" and "Hostname" fields when generating the Certificate Signing Request (CSR).
- If vCenter must be registered by IP address, provide the correct IP address in the "IPAddress" question.

4.2. Certificate issued by VMware Certificate Authority

Use the following KB document to regenerate the vCenter certificate issued by VMCA: Replacing the vSphere 6.x Machine SSL certificate with a VMware Certificate Authority issued certificate
Notes:
- Use the correct vCenter FQDN in "Hostname" and "VMCA Name".
- If vCenter must be registered by IP address, specify the correct IP address in the "IPAddress" question.
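The checks above can be reproduced locally. The script below is an added example written for this page; it is not VMware code and not the gateway's implementation. It covers NO_PROXY coverage (1.1), the thumbprint comparison from 1.2 and 2.1 (fetch_fingerprint produces the same value as the openssl pipeline when run live on the gateway), and the hostname verification behind the "Failed to verify vCenter hostname" error and section 4, using the dict form of Python's SSLSocket.getpeercert(). The matching rules, the hostname vc01.example.com, the address 10.0.0.5 and the certificate bytes are constructed assumptions.

```python
"""Offline reproduction of three prechecks from this KB: NO_PROXY coverage
(1.1), thumbprint comparison for interception or a stale VAMI certificate
(1.2 and 2.1), and hostname verification against the SAN (section 4).
Added example, not VMware's code; the matching rules are assumptions."""
import base64
import hashlib
import ipaddress
import ssl
import sys


def covered_by_no_proxy(host: str, no_proxy: str) -> bool:
    """True if host bypasses the proxy under a NO_PROXY value such as
    "localhost, 127.0.0.1, .example.com" (exact, '*' or leading-dot suffix)."""
    host = host.lower().rstrip(".")
    for e in (e.strip().lower().rstrip(".") for e in no_proxy.split(",")):
        if e and (e in ("*", host) or (e.startswith(".") and host.endswith(e))):
            return True
    return False


def sha256_fingerprint(pem: str) -> str:
    """Thumbprint formatted like `openssl x509 -fingerprint -sha256 -noout`."""
    hexd = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(hexd[i:i + 2] for i in range(0, len(hexd), 2))


def fetch_fingerprint(host: str, port: int) -> str:
    """Thumbprint this machine sees on host:port (unverified on purpose)."""
    return sha256_fingerprint(ssl.get_server_certificate((host, port)))


def mismatched_ports(on_vcenter: dict, from_gateway: dict) -> list:
    """Ports where the gateway's view differs from vCenter's own (1.2)."""
    return [p for p in on_vcenter if on_vcenter[p] != from_gateway.get(p)]


def hostname_matches(cert: dict, target: str) -> bool:
    """Verify target (FQDN or IP literal) against a getpeercert() dict.
    IP targets need an 'IP Address' SAN entry; DNS targets need a DNS SAN entry
    (wildcard only as leftmost label) and use the CN only if no DNS SAN exists."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(k == "IP Address" and ipaddress.ip_address(v) == ip
                   for k, v in san)
    target = target.lower().rstrip(".")
    names = [v.lower() for k, v in san if k == "DNS"]
    if not names:  # legacy certificate: CN is the only name available
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if name == target:
            return True
        if name.startswith("*.") and target.endswith(name[1:]):
            rest = target[:-len(name[1:])]
            if rest and "." not in rest:  # *.example.com != a.b.example.com
                return True
    return False


def _fake_pem(seed: bytes) -> str:
    """Constructed stand-in: PEM_cert_to_DER_cert only base64-decodes."""
    body = base64.encodebytes(seed).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


NEW_CERT, STALE_VAMI, PROXY_CERT = (sha256_fingerprint(_fake_pem(s)) for s in (
    b"vc01 machine ssl certificate", b"vami certificate before replacement",
    b"intercepting proxy certificate"))
VC_CERT = {  # constructed; shape of getpeercert() for the new certificate
    "subject": ((("commonName", "vc01.example.com"),),),
    "subjectAltName": (("DNS", "vc01.example.com"), ("IP Address", "10.0.0.5")),
}


def precheck_demo() -> dict:
    """Constructed scenario: VAMI still serves the old certificate (2.1) and
    a transparent proxy rewrites both ports (1.2)."""
    on_vcenter = {443: NEW_CERT, 5480: STALE_VAMI}
    return {
        "no_proxy_ok": covered_by_no_proxy("vc01.example.com", "localhost, 127.0.0.1, .example.com"),
        "vami_stale": on_vcenter[443] != on_vcenter[5480],
        "intercepted": mismatched_ports(on_vcenter, {443: PROXY_CERT, 5480: PROXY_CERT}),
        "fqdn_ok": hostname_matches(VC_CERT, "vc01.example.com"),
        "ip_ok": hostname_matches(VC_CERT, "10.0.0.5"),
        "wrong_ip_ok": hostname_matches(VC_CERT, "10.0.0.6"),
    }


if __name__ == "__main__":  # live use on the gateway: python3 precheck.py <VC_FQDN>
    if len(sys.argv) == 2:
        for port in (443, 5480):
            print(port, fetch_fingerprint(sys.argv[1], port))
    else:
        print(precheck_demo())
```

With a vCenter FQDN as its only argument the script prints the two thumbprints the gateway sees, ready to compare with the openssl output taken on vCenter; without arguments it runs the constructed scenario. Note the two different signals it separates: a stale VAMI certificate shows up as ports 443 and 5480 disagreeing on vCenter itself, whereas an intercepting proxy shows up as vCenter and the gateway disagreeing on the same port.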