by lunarg on July 3rd 2015, at 15:39

The vSphere Web Client may display the following error:

Failed to verify the SSL certificate for one or more vCenter Server Systems: https://vCenter-Server-FQDN:443/sdk

or

Could not connect to one or more vCenter Server Systems:https://vCenterFQDN:443/sdk

Additionally, objects such as hosts or VMs are not displayed in the vSphere Web Client.

Cause

These errors usually occur with a re-installation or upgrade of vCenter Server, where the vCenter Server is registered to the same vSphere SSO more than once.

The faulty registration needs to be resolved by unregistering all duplicate vCenter Server instances from vSphere SSO, so that only the correct registrations remain.

Resolution

You will have to unregister all incorrect vCenter Server registrations from vSphere SSO. To determine and unregister these entries, follow the steps outlined below.

Be sure to select the instructions for the correct vSphere version. The instructions assume default installation paths. If vCenter was installed in a location other than the default, be sure to adjust accordingly.

The format of the ServiceID differs between versions of vSphere, but if you've upgraded vCenter Server, older notations may appear alongside newer ones. Be sure to match the ServiceID exactly, even if the current version of vSphere is different.

vSphere 5.x

First, we have to retrieve a list of services currently registered with the vSphere SSO.

  1. Log on to the server with vSphere SSO installed. If you only have one vCenter Server, this will probably be the same server.
  2. Open an elevated command prompt, and navigate to the folder:
    • vSphere 5.1: %PROGRAMFILES%\VMware\Infrastructure\SSOServer\ssolscli
    • vSphere 5.5: %PROGRAMFILES%\VMware\Infrastructure\VMware\CIS\vmware-sso
  3. Set the JAVA_HOME environment variable to specify the JRE installed with vSphere. Note that you may have to verify the path if multiple installations have been done in the past (could be \jre1 instead of \jre).
    • vSphere 5.1:
      set JAVA_HOME=C:\Program Files\VMware\Infrastructure\jre
    • vSphere 5.5:
      set JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components
  4. Output a list of services registered with vSphere SSO to a (temporary) text file:
    ssolscli.cmd listServices https://vCenter_Single_Sign-on_FQDN:7444/lookupservice/sdk > c:\sso_services.txt
  5. Open the generated text file to view the list of services and reveal their unique ServiceIDs. These ServiceIDs are required to unregister invalid services.

The output of the temporary file should be similar to:

  • vSphere 5.1:
    Service 1
    -----------
    serviceId={93135931-7B87-4B11-B6FC-236A8849B728}:2
    serviceName=vCenterService
    type=urn:vc
    endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
    version=5.1
    description=vCenter Server
    ownerId=vCenterServer_2013.10.10_163108@System-Domain
    productId=
    viSite={93135931-7B87-4B11-B6FC-236A8849B728}

    Service 2
    -----------
    serviceId={93135931-7B87-4B11-B6FC-236A8849B728}:1
    serviceName=vCenterService
    type=urn:vc
    endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
    version=5.1
    description=vCenter Server
    ownerId=vCenterServer_2013.10.10_163123@System-Domain
    productId=
    viSite={93135931-7B87-4B11-B6FC-236A8849B728}
  • vSphere 5.5
    Service 1
    -----------
    serviceId=Site Name:02dde295-422a-403e-b32c-1e40c3f188fd
    serviceName=vCenterService
    type=urn:vc
    endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
    version=5.1
    description=vCenter Server
    ownerId=vCenterServer_2013.10.10_163108@System-Domain
    productId=
    viSite=Site Name

    Service 2
    -----------
    serviceId=Site Name:811660f9-f110-4ee7-8f9e-dc0dd1d062fe
    serviceName=vCenterService
    type=urn:vc
    endpoints={[url=https://FQDN:443/sdk,protocol=vmomi]}
    version=5.1
    description=vCenter Server
    ownerId=vCenterServer_2013.10.10_163123@System-Domain
    productId=
    viSite=Site Name

Verify the contents of the file. If there's only one vCenter Server (i.e. non-linked configuration), there should be only one vCenter Server registered with vSphere SSO. Also, if it is a linked configuration, there should only be one registration per vCenter Server. You need to unregister each invalid vCenter Server (or duplicate of a vCenter Server), until there's only one registration per vCenter Server registered with SSO.

You can retrieve and identify vCenter Servers by checking their ServiceID in the config file vpxd.cfg (location: %PROGRAMDATA%\VMware\VMware VirtualCenter). The file should look similar to this:

<lookupService>
<serviceId>{9300C2AC-4D97-4191-8EB1-387D9823E6E3}:23</serviceId>
</lookupService>
<solutionUser>
<name>vCenterServer_2013.02.28_170324</name>
</solutionUser>
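
The check described above, as an added example (not part of the original post or of VMware's tooling): it parses the saved listing, treats the serviceId from vpxd.cfg as the registration to keep, and returns the other serviceIds registered for the same endpoint URL. It goes beyond the 5.x case by also accepting the "Key: value" layout of the vSphere 6.0 listing shown later on this page. The function names, host names and IDs are constructed for illustration, and grouping duplicates by endpoint URL is an assumption.

```python
import re

# Constructed sample in the 5.x "ssolscli listServices" layout (not real output).
SAMPLE_LISTING = """\
Service 1
-----------
serviceId={11111111-2222-3333-4444-555555555555}:2
endpoints={[url=https://vc01.example.test:443/sdk,protocol=vmomi]}

Service 2
-----------
serviceId={11111111-2222-3333-4444-555555555555}:1
endpoints={[url=https://vc01.example.test:443/sdk,protocol=vmomi]}

Service 3
-----------
serviceId={11111111-2222-3333-4444-555555555555}:7
endpoints={[url=https://vc02.example.test:443/sdk,protocol=vmomi]}
"""
# Constructed vpxd.cfg fragment for the vCenter Server at vc01.
SAMPLE_VPXD = "<lookupService><serviceId>{11111111-2222-3333-4444-555555555555}:1</serviceId></lookupService>"

def parse_services(listing):
    """Parse blank-line separated records in key=value or 'Key: value' form."""
    services = []
    for block in re.split(r"\n\s*\n", listing.strip()):
        rec = {}
        for line in block.splitlines():
            m = re.match(r"\s*([A-Za-z ]+?)\s*[=:]\s*(.*)$", line)
            if m:  # "serviceId" and "Service ID" normalise to the same key
                rec[m.group(1).replace(" ", "").lower()] = m.group(2).strip()
        # 5.x nests the URL inside endpoints={[url=...,protocol=...]}
        nested = re.search(r"url=([^,\]]+)", rec.get("endpoints", ""))
        rec["url"] = (nested.group(1) if nested else rec.get("url", "")).lower()
        if rec.get("serviceid"):
            services.append(rec)
    return services

def stale_registrations(listing, vpxd_cfg):
    """serviceIds that share the live vCenter's endpoint URL but differ from vpxd.cfg."""
    keep = (re.findall(r"<serviceId>\s*(.*?)\s*</serviceId>", vpxd_cfg) or [None])[0]
    services = parse_services(listing)
    live = [s for s in services if s["serviceid"] == keep]  # exact match only
    if not live:
        raise ValueError("vpxd.cfg serviceId is not in the listing; unregister nothing")
    return [s["serviceid"] for s in services
            if s["url"] == live[0]["url"] and s["serviceid"] != keep]

if __name__ == "__main__":
    print(stale_registrations(SAMPLE_LISTING, SAMPLE_VPXD))
```

The returned IDs are candidates to review before unregistering, not a final list. If the serviceId from vpxd.cfg does not appear in the listing at all, the function refuses to suggest anything.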

Once you have verified which ServiceIDs must be unregistered from vSphere SSO, unregister each one by following the procedure outlined below. These steps need to be repeated for each service that needs to be unregistered from vSphere SSO.

  1. Create a text file (e.g. C:\serviceid.txt) which contains only the entire ServiceID of the service that needs to be unregistered.
    For example:
    • vSphere 5.1:
      {93135931-7B87-4B11-B6FC-236A8849B728}:2
    • vSphere 5.5:
      Site Name:02dde295-422a-403e-b32c-1e40c3f188fd
  2. Once the file has been created, unregister the service by running the following command, referencing the text file created in step 1:
    • vSphere 5.1:
      ssolscli unregisterService -d https://vCenter_Single_Sign-On_FQDN:7444/lookupservice/sdk -u admin@system-domain -p SSO_Password -si c:\serviceID.txt
    • vSphere 5.5:
      ssolscli unregisterService -d https://vCenter_Single_Sign-On_FQDN:7444/lookupservice/sdk -u administrator@vsphere.local -p SSO_Password -si c:\serviceID.txt
    Note that the FQDN of the vCenter/vSphere SSO does not have to be the same as where a vCenter Server is installed. Replace accordingly.
    Also note that if you've enabled AD users to authenticate against vSphere SSO, and have set up the correct permissions, you could also use an AD account to perform this operation.

If the correct services were unregistered, try logging back in to the vSphere Web Client. Verify that the error message no longer appears.

If the error still remains, you may have to replace the SSL certificates:

If the issue is still not resolved, you may have to completely uninstall and re-install VMware vCenter.

vSphere 6.0

Although the basics are similar, vSphere 6.0 has been redesigned from the ground up and uses a different approach. The steps are similar whether you are running the Windows version of vSphere 6.0 or the appliance.

Windows:

Retrieve a list of all services registered with Platform Services Controller.

  1. Log on to the server that has the Platform Services Controller installed.
  2. Open an elevated command prompt and run the following command, outputting a list of services to a temporary text file (in this case, called psc_services.txt):
    "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url http://localhost:7080/lookupservice/sdk --type vcenterserver > c:\psc_services.txt
  3. Open the generated text file to view the list of services and reveal their unique ServiceIDs. These ServiceIDs are required to unregister invalid services.

The output of the temporary file should be something similar to this:

Name: AboutInfo.vpx.name
Description: AboutInfo.vpx.name
Service Product: com.vmware.cis
Service Type: vcenterserver
Service ID: 608AF497-B198-40D1-9855-545533A488AF
Site ID: home-office
Node ID: 86ca3bf1-9201-11e3-8f19-000c29562ae2
Owner ID: vpxd-86ca3bf1-9201-11e3-8f19-000c29562ae2@vsphere.local
Version: 6.0
Endpoints:
Type: com.vmware.cis.workflow
Protocol: vmomi
URL: http://vCenter1.domain.local:8088
SSL trust:

Name: AboutInfo.vpx.name
Description: AboutInfo.vpx.name
Service Product: com.vmware.cis
Service Type: vcenterserver
Service ID:  6ae3bf1a-9318-4a33-b2cb-d2eaa7a306c5
Site ID: home-office
Node ID: 86ca3bf1-9201-11e3-8f19-000c29562ae2
Owner ID: vpxd-bf048b3a-231e-40b0-96ea-e5792f7fa65b@vsphere.local
Version: 6.0
Endpoints:
Type: com.vmware.cis.workflow
Protocol: vmomi
URL: http://vCenter2.domain.local:8088
SSL trust:

Name: vCenterService
Description: vCenter Server
Service Product: com.vmware.cis
Service Type: vcenterserver
Service ID: default-first-site:01c98f18-770a-41c2-a967-b7a4b574cad2
Site ID: default-first-site
Owner ID: vCenterServer_2015.04.20_143355@vsphere.local
Version: 5.5
Endpoints:
Type: com.vmware.vim
Protocol: vmomi
URL: https://Legacy_vCenter.domain.local:443/sdk

To unregister the duplicate service:

  1. Log on to the server that has the Platform Services Controller installed.
  2. Open an elevated command prompt.
  3. Unregister the duplicate service endpoint by running this command:
    "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" unregister --url http://localhost:7080/lookupservice/sdk --id ServiceID --user "administrator@vsphere.local" --password "administrator_password" --no-check-cert
    Replace ServiceID with the service ID to unregister, and correct the username and password. Note that if your vCenter is AD integrated, you may also be able to use a domain account if the required permissions have been set up correctly for that account.

If the duplicate services were unregistered, try logging back in to the vSphere Web Client. Verify that the error message no longer appears.

Appliance:

Retrieve a list of all services registered with Platform Services Controller.

  1. Connect to the Platform Services Controller through SSH. (You can use PuTTY for this.)
  2. Run the following command to enable access to the bash shell:
    shell.set --enabled true
  3. Type the following command to enter the bash shell:
    shell
  4. Output a list of services registered with the Platform Services Controller to a temporary text file.
    /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --type vcenterserver > /tmp/psc_services.txt

The output of the temporary file should be something similar to this:

Name: AboutInfo.vpx.name
Description: AboutInfo.vpx.name
Service Product: com.vmware.cis
Service Type: vcenterserver
Service ID: 1dbc3e9f-626d-4314-8731-ca744a0d9f4b
Site ID: home
Node ID: d3eba55a-d4df-11e4-b3f7-000c2987c143
Owner ID: vpxd-2752b8d1-e68b-49f8-8c92-ce3f042bf487@vsphere.local
Version: 6.0
Endpoints:
        Type: com.vmware.cis.workflow
        Protocol: vmomi
        URL: http://vcsa2.domain.local:8088

Name: AboutInfo.vpx.name
Description: AboutInfo.vpx.name
Service Product: com.vmware.cis
Service Type: vcenterserver
Service ID: 6ae3bf1a-9318-4a33-b2cb-d2eaa7a306c5
Site ID: home
Node ID: 44b05c52-d4d3-11e4-830b-000c29a0e10e
Owner ID: vpxd-bf048b3a-231e-40b0-96ea-e5792f7fa65b@vsphere.local
Version: 6.0
Endpoints:
        Type: com.vmware.cis.workflow
        Protocol: vmomi
        URL: http://vcsa1.domain.local:8088

To unregister the duplicate service endpoint, follow these steps in the shell on the Platform Services Controller:

  1. If you're not logged in, perform steps 1 - 3 of the previous set of steps to log back in on the Platform Services Controller and enter the bash shell.
  2. Run the following command to unregister the duplicate service endpoint:
    /usr/lib/vmidentity/tools/scripts/lstool.py unregister --url http://localhost:7080/lookupservice/sdk --id ServiceID --user 'administrator@vsphere.local' --password 'administrator_password' --no-check-cert
    Replace ServiceID with the service ID to unregister, and correct the username and password. Note that if your vCenter is AD integrated, you may also be able to use a domain account if the required permissions have been set up correctly for that account.

If the duplicate services were unregistered, try logging back in to the vSphere Web Client. Verify that the error message no longer appears.
