Creating a new VCSA 6.5.0 VM using the win32 GUI.
After the installation completed, I wanted to replace the machine SSL certificate using the HTML5 web GUI.
I imported the Terena CA and then replaced the machine SSL cert (key & crt). After rebooting, all works fine.
Deleting this VM, and creating a new VCSA 6.7 VM using the win32 GUI and exactly the same parameters as before (FQDN, IP, ...). DNS entries are OK (FQDN to IP & IP to FQDN).
After the installation completed, I imported the same certificate as before. After rebooting, when I try to access the web GUI, I get the following error:
503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x00007f3890084700] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe)
Trying to replace the certificate from the CLI using certificate-manager:
Updated 34 service(s)
Status : 70% Completed [stopping services...]
Status : 85% Completed [starting services...]
Error while starting services, please see service-control log for more details
Status : 0% Completed [Operation failed, performing automatic rollback]
Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
Performing rollback of Machine SSL Cert...
Get site nameus : 0% Completed [Rollback Machine SSL Cert...]
This is the /var/log/vmware/vmcad/certificate-manager.log:
2019-12-06T13:19:16.509Z INFO certificate-manager None
2019-12-06T13:19:26.519Z INFO certificate-manager Running command :- service-control --start --all
2019-12-06T13:19:26.519Z INFO certificate-manager please see service-control.log for service status
Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start vpxd services. Error: Service crashed while starting
2019-12-06T13:25:38.27Z ERROR certificate-manager None
This is the vpxd.log:
--> [context]zKq7AVECAAAAAGC34QANdnB4ZAAA4AArbGlidm1hY29yZS5zbwAAWCUbAP6dGACeQCIAaXEiABtFIgDTSSIAOaIjAHFvIwA6ciMAnVYrAdRzAGxpYnB0aHJlYWQuc28uMAAC3Y4ObGliYy5zby42AA==[/context]
2019-12-06T13:23:09.269Z error vpxd[59800] [Originator@6876 sub=AuthzStorageProvider] [AuthzStorageProvider::CreateAuthzMgr] Failed to connect to IS: <N5Vmomi5Fault17HostCommunication9ExceptionE(Fault cause: vmodl.fault.HostCommunication
--> )
--> [context]zKq7AVECAAAAAGC34QASdnB4ZAAA4AArbGlidm1hY29yZS5zbwAAWCUbAP6dGAHu8VN2cHhkAAHu1VoBzsNjATdPoAGuOKACwO0BbGliYXV0aHpjbGllbnQuc28AAmkGAgLijQICxIUCAb3XngE6CVQBimhUARnGUgOQBQJsaWJjLnNvLjYAAaW+Ug==[/context]>
2019-12-06T13:23:09.270Z info vpxd[59800] [Originator@6876 sub=AuthzStorageProvider] [AuthzStorageProvider::CreateAuthzMgr] Retry for this error: attempt count 29
2019-12-06T13:23:12.314Z warning vpxd[59800] [Originator@6876 sub=VpxdAuthClient] [ConnectAndLogin] Failed to loginBySamlToken: N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: 6B:B6:1F:29:7C:01:E8:65:09:A1:49:C2:46:71:BC:54:11:FB:7F:A8
--> ExpectedThumbprint:
--> ExpectedPeerName: localhost
--> The remote host certificate has these problems:
-->
--> * Host name does not match the subject name(s) in certificate.)
I don't know why ExpectedPeerName is searching for localhost; I always used the FQDN and the real IP during the process, and DNS is correctly resolving the IP address & FQDN.
Whether I use the web GUI or the CLI to replace the machine certificate, vpxd doesn't launch afterwards.
Are there new prerequisites for installing a custom SSL certificate since 6.7.0?
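As an added example (not from the post or from VMware), a small Python checker that applies the hostname-matching rules behind the "Host name does not match the subject name(s) in certificate" error above: given the names a certificate carries and the peer names a client may verify against, it reports which ones are not covered. The certificate names and the peer list are constructed samples; the post only gives the thumbprint and the expected peer name localhost, not the certificate contents.

```python
import ipaddress

# CONSTRUCTED sample values (not the certificate from the post): the subject
# alternative names a machine SSL certificate carries, as (type, value) pairs.
SAMPLE_CERT_SANS = [("DNS", "vcsa.example.com"), ("IP", "192.0.2.10")]
SAMPLE_CERT_CN = "vcsa.example.com"
# Peer names a client might verify the certificate against: the FQDN, the
# address, and "localhost" (the ExpectedPeerName in the vpxd.log excerpt).
SAMPLE_EXPECTED_PEERS = ["vcsa.example.com", "192.0.2.10", "localhost"]


def _as_ip(value):
    """Parse an IPv4/IPv6 literal, or return None for a DNS name."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _dns_match(pattern, name):
    """RFC 6125 style comparison of one dNSName against a reference name:
    case-insensitive; a single '*' is allowed only as the whole leftmost
    label, needs at least two labels after it, and never spans a dot."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(n_labels):
        return False
    return p_labels[1:] == n_labels[1:]


def peer_name_matches(expected_peer, sans, cn=None):
    """True if the certificate's names cover the expected peer name.
    An IP peer matches only iPAddress SANs (not a dNSName that looks like an
    address); a DNS peer matches dNSName SANs, falling back to the CN only
    when the certificate carries no dNSName at all."""
    peer_ip = _as_ip(expected_peer)
    if peer_ip is not None:
        return any(t == "IP" and _as_ip(v) == peer_ip for t, v in sans)
    dns_names = [v for t, v in sans if t == "DNS"] or ([cn] if cn else [])
    return any(_dns_match(p, expected_peer) for p in dns_names)


def uncovered_peers(expected_peers, sans, cn=None):
    """Expected peer names the certificate would fail hostname checks for."""
    return [p for p in expected_peers if not peer_name_matches(p, sans, cn)]


print(uncovered_peers(SAMPLE_EXPECTED_PEERS, SAMPLE_CERT_SANS, SAMPLE_CERT_CN))  # ['localhost']
```

Feed it the dNSName/iPAddress entries and CN read from the real certificate (for example from `openssl x509 -noout -text`) and the peer names each connecting service expects, and the list it returns is the set of names that would fail the check the log reports.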