Recently I worked with one of my customers on a vSphere infrastructure whose signed certificates had expired. Some vSphere components, such as vCenter Server, no longer worked, but fortunately all VMs kept running.
In this post I would like to share the experience and the problems we ran into when replacing the expired certificates in a vSphere 5.5 U2 environment. I followed the procedure described in the VMware KB and, to be honest, the procedure is so-so: it leaves some things out.
After we had prepared new, valid SSL certificates for all vCenter Server 5.5 components (Web Client, Inventory Service, etc.) and replaced them as described in the VMware KB mentioned above, we hit the following errors:
Problems with VMware VirtualCenter Management Webservices
After replacing the certificates, the VMware VirtualCenter Management Webservices no longer started. In the logs (catalina and wrapper) I found the following errors:
at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 19 more
Caused by: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
and wrapper log:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
INFO | jvm 1 | 2015/09/29 13:50:36 | java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
INFO | jvm 1 | 2015/09/29 13:50:36 | at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
INFO | jvm 1 | 2015/09/29 13:50:36 | at java.security.KeyStore.load(Unknown Source)
I recalled that the VMware KB had me enter a password for the vCenter certificate key, but I never used that password afterwards. Now I know why. As you can see, the password used in the VMware KB is testpassword. I used a different one, and that was a mistake, because that password is already preconfigured in the configuration files. After some research I found that there are two files where the PFX (keystore) password is kept, and the Webservices fail to start because Tomcat tries to open rui.pfx with the password from those files, not the one you chose when exporting it.
The first file is catalina.properties and there are two important lines:
bio-vmssl.keyFile.name=C:/ProgramData/VMware/VMware VirtualCenter/SSL/rui.pfx
bio-vmssl.SSL.password=PFX PASSWORD
The second file is instance.cfg (located by default in C:\ProgramData\VMware\VMware VirtualCenter\):
keystorePassword=PFX PASSWORD
So to solve the problem, either use the default password (testpassword) when exporting the PFX, or edit the two files above so that both carry your own password, and then restart the VMware VirtualCenter Management Webservices service.
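The following PowerShell snippet is an added example, not something from the original post or from VMware: before restarting the Webservices, it reads the password from both configuration files, warns if the two disagree, and tries to open rui.pfx with each one so a "Given final block not properly padded" failure is caught before Tomcat hits it. The rui.pfx and instance.cfg paths are the defaults quoted above; the catalina.properties location is assumed to be the vCenter 5.5 Tomcat conf directory and should be adjusted if vCenter was installed elsewhere.

```powershell
# Added example (not part of the original post): verify that the PFX password stored in
# catalina.properties and instance.cfg actually opens rui.pfx before restarting the
# VMware VirtualCenter Management Webservices.

$sslDir   = 'C:\ProgramData\VMware\VMware VirtualCenter\SSL'      # default from the post
$pfxPath  = Join-Path $sslDir 'rui.pfx'
$instance = 'C:\ProgramData\VMware\VMware VirtualCenter\instance.cfg'   # default from the post
# Assumed location of Tomcat's catalina.properties on a default vCenter 5.5 install; adjust if needed.
$catalina = 'C:\Program Files\VMware\Infrastructure\tomcat\conf\catalina.properties'

# Return the value of "Key=Value" from a Java-style properties file (first match wins).
function Get-PropertyValue {
    param([string]$Path, [string]$Key)
    if (-not (Test-Path $Path)) { throw "File not found: $Path" }
    $pattern = "^\s*$([regex]::Escape($Key))\s*="
    $line = Get-Content -Path $Path | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if (-not $line) { throw "$Key not found in $Path" }
    return ($line -split '=', 2)[1].Trim()
}

# Try to open the PFX with a password; return the certificate on success, $null on failure.
# The X509Certificate2 constructor throws a CryptographicException on a wrong password.
function Test-PfxPassword {
    param([string]$PfxPath, [string]$Password)
    if (-not (Test-Path $PfxPath)) { throw "PFX not found: $PfxPath" }
    try {
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($PfxPath, $Password)
    } catch [System.Security.Cryptography.CryptographicException] {
        return $null
    }
}

$catalinaPwd = Get-PropertyValue -Path $catalina -Key 'bio-vmssl.SSL.password'
$instancePwd = Get-PropertyValue -Path $instance -Key 'keystorePassword'

if ($catalinaPwd -ne $instancePwd) {
    Write-Warning 'catalina.properties and instance.cfg disagree on the PFX password; both must match the PFX.'
}

$candidates = @{ 'catalina.properties' = $catalinaPwd; 'instance.cfg' = $instancePwd }
foreach ($entry in $candidates.GetEnumerator()) {
    $cert = Test-PfxPassword -PfxPath $pfxPath -Password $entry.Value
    if ($cert) {
        '{0}: password opens rui.pfx (subject {1}, valid until {2})' -f $entry.Key, $cert.Subject, $cert.NotAfter
    } else {
        '{0}: password does NOT open rui.pfx; edit this file or re-export the PFX with this password' -f $entry.Key
    }
}
```

Run it in an elevated PowerShell session on the vCenter Server before starting the Webservices service; if either line reports a failure, the service will fail with exactly the BadPaddingException shown in the logs above. The check only reads the files, so it is safe to run repeatedly while you sort out which password is the right one.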
Problem with VMware Web Client
My customer could already use the vSphere Client to connect to vCenter Server. However, the Web Client and the Inventory Service started and then terminated after a few seconds. I found the following error in the Event Viewer:
The vSphere Web Client service terminated with service-specific error Incorrect function.....
Event ID 7024
I found a VMware KB for this, but it was not the solution. After some more research and checking the logs, we realized that the uninstall process had not deleted the old certificates, so the reinstalled Web Client was still trying to open the old keystore:
[ERROR] system-artifacts org.apache.coyote.http11.Http11Protocol Failed to initialize end point associated with ProtocolHandler ["http-bio-9443"] java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(Unknown Source)
What we did was: uninstall the Web Client again, rename the Web Client folder to "vSphere Web Client.old" so that the leftover certificates are no longer picked up, and install the Web Client again. That solved the problem. However, I have not replaced the Web Client certificate again, because we postponed it. I will update this post if I run into any issues with it.
Problem with configuring VMware HA on ESXi hosts with new certificates
We replaced the certificates on the ESXi hosts as well, and hit the next problem when configuring VMware HA. After the certificates were replaced, the ESXi hosts showed as "disconnected", so we reconnected them to vCenter. However, when I tried to configure VMware HA, we got the following error:
vSphere HA Cannot be configured on this host because its SSL thumbprint has not been verified
We solved the problem by removing the hosts from the cluster and adding them again. vCenter records a host's SSL thumbprint when the host is added, so after a host certificate change the stored thumbprint no longer matches the certificate the host presents, and HA refuses to configure until that thumbprint has been verified again.
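As an added example (not from the original post, and not a VMware tool), the PowerCLI snippet below compares the thumbprint vCenter has recorded for each host with the certificate the host actually presents on TCP 443, which is the mismatch behind the HA error above. It assumes an existing PowerCLI session (Connect-VIServer), that the host names resolve from the machine running the script, and that HostSummary.Config.SslThumbprint is the value vCenter stored when the host was added; the Get-PresentedThumbprint helper is written here for illustration.

```powershell
# Added example (not part of the original post): find hosts whose certificate no longer
# matches the thumbprint vCenter recorded for them. Requires an active PowerCLI session.

# Connect to the host's HTTPS port, accept whatever certificate it presents (we only want to
# read it, not trust it), and return its SHA-1 thumbprint in vCenter's AA:BB:CC:... format.
function Get-PresentedThumbprint {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $sslPolicyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # .Thumbprint is 40 hex characters; insert a colon after every pair except the last.
        return ($cert.Thumbprint -replace '(..)(?!$)', '$1:')
    } finally {
        $client.Close()
    }
}

foreach ($vmhost in Get-VMHost) {
    # Thumbprint vCenter stored for this host when it was added to the inventory (assumed field).
    $recorded  = $vmhost.ExtensionData.Summary.Config.SslThumbprint
    $presented = Get-PresentedThumbprint -HostName $vmhost.Name
    if ($recorded -eq $presented) {
        '{0}: OK ({1})' -f $vmhost.Name, $presented
    } else {
        '{0}: MISMATCH - vCenter recorded {1}, host presents {2}; remove and re-add the host (or disconnect, reconnect and verify the new thumbprint)' -f $vmhost.Name, $recorded, $presented
    }
}
```

String comparison with -eq is case-insensitive in PowerShell, so differences in hex case between the two representations do not produce false mismatches. Hosts reported as MISMATCH are the ones that will fail HA configuration with the thumbprint error; after re-adding them, re-run the script to confirm the recorded value has been refreshed.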
Conclusion
There is a joke: if you need to replace VMware component certificates in vSphere 5.x, open a case with VMware support in advance... 😉 Fortunately, VMware made some changes in vSphere 6.0 🙂