In vSphere 6.x all services and components have Service Registration details recorded in the VMware Directory Service of the Platform Services Controller.
Each Service Registration can contain one or more Endpoint entries.
Each Endpoint may contain an SSL Trust value.
The SSL Trust value must always match the current Machine SSL certificate of the PSC or VC or Embedded node it refers to.
If you use the Certificate Manager from 6.0 U1b or later, the tool takes care of updating these entries for you. If you replaced the Machine SSL certificate manually, or used the tool before 6.0 U1b, you may encounter this issue.
You can also use JXplorer to view the values directly in VMDir.
If your SSL Trust values do not match their respective Machine SSL certificate then you will see issues with other solutions in your vSphere 6.x environment. For details of the errors experienced please see the following KB https://kb.vmware.com/kb/2109074
To fix these SSL Trust values you must use the ls_update_certs.py script. There is a KB article on this process but it can be a bit daunting. https://kb.vmware.com/kb/2121689
Running ls_update_certs.py takes the following syntax and must be run on the Platform Services Controller or Embedded node.
Appliance:
python /usr/lib/vmidentity/tools/scripts/ls_update_certs.py --url http://localhost:7080/lookupservice/sdk --fingerprint <thumbprint_of_SSL_Trust> --certfile <Machine_SSL_CERT> --user administrator@vsphere.local --password 'p@s$w0rd'
Windows:
"%VMWARE_PYTHON_BIN%" "C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\"ls_update_certs.py --url http://localhost:7080/lookupservice/sdk --fingerprint <thumbprint_of_SSL_Trust> --certfile <Machine_SSL_CERT> --user administrator@vsphere.local --password p@s$w0rd
Note: If using http://localhost:7080/lookupservice/sdk doesn’t work, change to https://<actual_fqdn>/lookupservice/sdk
This script effectively queries VMDir and updates every Endpoint whose SSL Trust certificate matches <thumbprint_of_SSL_Trust>, replacing that value with <Machine_SSL_CERT>.
Compare the Machine SSL Certificate and SSL Trust Value
vCenter Server / PSC 6.x Appliance
Get the current Machine SSL Certificate <Machine_SSL_CERT>
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/machineSSL.crt
Get the Node ID
cat /etc/vmware/install-defaults/vmdir.ldu-guid
List the ComponentManager ServiceRegistration for that Node ID and trim the output down to the FQDN and SSL Trust. Copy the SSL Trust value to the clipboard.
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --type cs.componentmanager --node e8602247-e644-4b9d-ae07-9677c27da9cd 2> /dev/null | grep -B 1 "SSL trust"
Prepare a new Certificate File
echo "-----BEGIN CERTIFICATE-----" >> /tmp/sslTrust.crt ; echo "-----END CERTIFICATE-----" >> /tmp/sslTrust.crt
Edit the file and paste the value of SSL Trust from the previous output
vi /tmp/sslTrust.crt
Get the Thumbprint of the Machine SSL Certificate
openssl x509 -in /tmp/machineSSL.crt -fingerprint -noout
Get the Thumbprint of the SSL Trust value <thumbprint_of_SSL_Trust>
openssl x509 -in /tmp/sslTrust.crt -fingerprint -noout
If the two thumbprints match then you don’t have anything to do. If the two thumbprints differ then you need to run ls_update_certs.py passing in the Machine SSL certificate exported above and the SSL Trust Thumbprint exported above.
vCenter Server / PSC 6.x Windows
Get the current Machine SSL Certificate <Machine_SSL_CERT>
"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output C:\machineSSL.crt
Get the Node ID
type C:\ProgramData\VMware\vCenterServer\cfg\install-defaults\vmdir.ldu-guid
List the ComponentManager ServiceRegistration for that Node ID. Copy the SSL Trust value to the clipboard.
"%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url http://localhost:7080/lookupservice/sdk --type cs.componentmanager --node 9b747a11-e7a9-11e6-a715-005056ae96ee 2>NUL
Prepare a new Certificate File
echo -----BEGIN CERTIFICATE----- >> C:\sslTrust.crt & echo -----END CERTIFICATE----- >> C:\sslTrust.crt
Edit the file and paste the value of SSL Trust from the previous output and save the file.
notepad C:\sslTrust.crt
Get the Thumbprint of the SSL Trust value <thumbprint_of_SSL_Trust>
"%VMWARE_OPENSSL_BIN%" x509 -in C:\sslTrust.crt -fingerprint -noout 2>NUL
Get the Thumbprint of the Machine SSL Certificate
"%VMWARE_OPENSSL_BIN%" x509 -in C:\machineSSL.crt -fingerprint -noout 2>NUL
If the two thumbprints match then you don’t have anything to do. If the two thumbprints differ then you need to run ls_update_certs.py passing in the Machine SSL certificate exported above and the SSL Trust Thumbprint exported above.
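To make the comparison above repeatable across every Endpoint of a node, here is an added Python example (not from this article and not part of VMware's lstool or ls_update_certs.py) that does what the manual steps do: pull each SSL trust value out of the `lstool.py list` output, wrap it as PEM the way sslTrust.crt is built, and compute the same SHA-1 thumbprint that `openssl x509 -fingerprint` prints so it can be compared with the Machine SSL certificate. The lstool listing and both certificates are constructed stand-ins, and the exact line layout of lstool's output is an assumption.

```python
import base64, hashlib, re, textwrap

# Constructed sample data: NOT real certificates, just stand-in bytes for DER so the
# parsing and thumbprint logic can be exercised offline.
MACHINE_DER = b"constructed current Machine SSL certificate"
STALE_DER = b"constructed stale SSL Trust certificate"
MACHINE_B64 = base64.b64encode(MACHINE_DER).decode()
STALE_B64 = base64.b64encode(STALE_DER).decode()

# Constructed stand-in for `lstool.py list --type cs.componentmanager` output;
# its layout (one "SSL trust:" line per Endpoint after the URL) is assumed.
SAMPLE_LSTOOL_OUTPUT = f"""Service Type: cs.componentmanager
Endpoints:
    URL: https://psc01.example.local:443/cm/sdk/
    SSL trust: {STALE_B64}
    URL: https://psc01.example.local:443/cm/sdk/
    SSL trust: {MACHINE_B64}
"""

def thumbprint(der: bytes) -> str:
    """Same value `openssl x509 -fingerprint -noout` prints: SHA-1 of the DER, colon-separated."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def to_pem(b64: str) -> str:
    """Wrap a raw SSL trust value the way the sslTrust.crt step does, folded to 64 columns."""
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64)) + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour (e.g. from the vecs-cli export of MACHINE_SSL_CERT) and decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def ssl_trust_values(lstool_output: str) -> list:
    """Every SSL trust value in the listing, in order (what the grep in the article isolates)."""
    return re.findall(r"^\s*SSL trust:\s*(\S+)\s*$", lstool_output, flags=re.M)

def stale_thumbprints(lstool_output: str, machine_pem: str) -> list:
    """Thumbprints of SSL Trust values that differ from the Machine SSL cert (each a --fingerprint candidate for ls_update_certs.py)."""
    current = thumbprint(pem_to_der(machine_pem))
    stale = []
    for b64 in ssl_trust_values(lstool_output):
        tp = thumbprint(base64.b64decode(b64))
        if tp != current and tp not in stale:
            stale.append(tp)
    return stale

if __name__ == "__main__":
    for tp in stale_thumbprints(SAMPLE_LSTOOL_OUTPUT, to_pem(MACHINE_B64)):
        print("SSL Trust out of date, run ls_update_certs.py --fingerprint", tp)
```

An empty list from stale_thumbprints means every SSL Trust already matches the Machine SSL certificate and there is nothing to do; on a real node you would feed it the saved lstool listing and the machineSSL.crt exported by vecs-cli.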