Hi There! Can you confirm you are using the vCenter FQDN and not the IP address? Also, ensure the FQDN does not include the "https://".
Comment thread started by black88mx6 on Virtual Machine Desired State Configuration
Confirmed that there is no https:// in front of the FQDN of my VC. Also that it is not using an IP address. My VC has been upgraded many times since 5.x - so there are most likely some legacy cert issues here and I will try and open a case with support to look at. This issue did not happen in my lab where all VMs were fresh.
Have you tried specifying the CA Certificate URL when deploying the VMDSC appliance? The instructions can be found in Section 3.4, Step 11 of the user guide.
Yes, but the VC self signed cert doesn't have an "Authority Information Access field" to use.
Give this a shot... SSH to the VMDSC appliance and run the following commands from the /home/vmdsc/config directory replacing the "VC-FQDN" with your vCenter FQDN:
curl -k https://VC-FQDN/afd/vecs/ca --output ca.cer
openssl x509 -inform der -in ca.cer -out ca-cert.pem
curl -i -vv --cacert ca-cert.pem https://VC-FQDN
I am curious what the output looks like.
I believe that this is the result of an expectation that all VCs are fresh and that the cert template used was not from 2015...
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0curl: (6) Could not resolve host: VC-FQDN
Error opening Certificate ca.cer
140266295118592:error:02001002:system library:fopen:No such file or directory:bss_file.c:413:fopen('ca.cer','r')
140266295118592:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:415:
unable to load certificate
* Could not resolve host: VC-FQDN
* Closing connection 0
curl: (6) Could not resolve host: VC-FQDN
It looks like you forgot to substitute your vCenter FQDN into the commands based on the "Could not resolve host: VC-FQDN" error.
Got it; no output for the middle command.
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1071 100 1071 0 0 44547 0 --:--:-- --:--:-- --:--:-- 46565
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: ca-cert.pem
* CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Hmmm, it definitely looks like you have some old legacy certificate chain issues. If you inspect the vCenter certificate can you identify the self signed CA certs in the chain?
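As an added example (not code from this thread or from the VMDSC project), here is a small POSIX sh wrapper around the three commands given earlier. It rejects the two input mistakes that came up in the thread (the literal "VC-FQDN" placeholder left in place, and an IP address or an "https://" prefix instead of a bare FQDN), then lists every certificate vCenter presents and flags the self-signed ones so the legacy root in the chain can be identified. The function names are my own; the /afd/vecs/ca path comes from the thread, and port 443 is assumed for the TLS connection.

```shell
#!/bin/sh
# Diagnostic wrapper for the vCenter certificate check (added example).

# Return 0 if the argument looks like a bare FQDN, 1 otherwise.
vc_target_ok() {
  case "$1" in
    ""|VC-FQDN) return 1 ;;            # placeholder was never substituted
    http://*|https://*) return 1 ;;    # scheme must be left off
    *[!0-9.]*) return 0 ;;             # contains a letter: treat as an FQDN
    *) return 1 ;;                     # only digits and dots: an IP address
  esac
}

# Count the PEM certificates in a file (a CA bundle may carry several).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Fetch the vCenter CA (DER), convert it to PEM, dump the chain the server
# actually sends, and finally repeat the curl verification from the thread.
inspect_vc_chain() {
  vc="$1"
  vc_target_ok "$vc" || { echo "usage: inspect_vc_chain <vcenter-fqdn>" >&2; return 2; }
  curl -sk "https://$vc/afd/vecs/ca" --output ca.cer || return 1
  openssl x509 -inform der -in ca.cer -out ca-cert.pem || return 1
  echo "CA bundle contains $(pem_cert_count ca-cert.pem) certificate(s)"
  # Split the presented chain into chain-1.pem, chain-2.pem, ... (leaf first).
  openssl s_client -connect "$vc:443" -servername "$vc" -showcerts </dev/null 2>/dev/null \
    | awk '/-----BEGIN CERTIFICATE-----/{n++} n{print > ("chain-" n ".pem")}'
  for f in chain-*.pem; do
    [ -f "$f" ] || continue
    subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$f" -noout -issuer);   iss=${iss#issuer=}
    flag=""
    [ "$subj" = "$iss" ] && flag="  <-- self-signed"
    echo "$f: subject=$subj issuer=$iss$flag"
  done
  # Same verification as in the thread; exit code 60 means the chain is not trusted.
  curl -i -sS --cacert ca-cert.pem "https://$vc" >/dev/null && echo "curl verified the chain OK"
}

if [ "$#" -gt 0 ]; then inspect_vc_chain "$1"; fi
```

A certificate whose subject equals its issuer is the self-signed root; if that one is not in ca-cert.pem, curl will keep failing with the "self signed certificate in certificate chain" error shown above.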
I have the same issue, self-signed CA certs
really want to start working with this, is there any workaround for this?
Confirmed that VMDSC fling works after we re-generated our vcenter self signed machine cert.
That is what I am expecting. I have this on the root of my chain:
This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
Hello!
We have vmware self signed certs as part of our 7.x vcenter but still get " x509: certificate signed by unknown authority" in our vmdsc.log - is this expected behavior? We are unable to make any connections on port 8010 with powershell or postman.