VCSA 6.0U3 SSL woes

Hello everyone,

Yesterday I started having trouble signing in to the VCSA 6.0U3 Flash (“flex”) client, seemingly out of nowhere. Yes, I would like to upgrade to 6.5, but we have no support contract for two years…

The Windows “fat” client lets me log in, and if I SSH in and restart all services, my FIRST login succeeds. After that, if I attempt to log in again or from another machine, I get the blue screen and spinning clock indefinitely.

The most promising error messages I can find are from websso.log:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

ssoAdmin:

com.vmware.identity.admin.server.ims.ServerConfigurationException: Failed to get issuers certificates

and STS:

2020-08-11T17:16:09.961-04:00 | ERROR | opId-8d5efa48-949b-47ed-8c13-5dd383b74896 | vdcs-background-executor-4 | StsTrustChainImpl          | Error retrieving trusted root certificates.

java.lang.NullPointerException

    at com.vmware.provider.VecsKeyStoreEngine.engineAliases(VecsKeyStoreEngine.java:71)
    at java.security.KeyStore.aliases(Unknown Source)
    at com.vmware.vcde.common.services.sso.impl.StsTrustChainImpl.refresh(StsTrustChainImpl.java:56)
    at com.vmware.vcde.common.services.sso.impl.StsTrustChainImpl.access$0(StsTrustChainImpl.java:51)
    at com.vmware.vcde.common.services.sso.impl.StsTrustChainImpl$1.run(StsTrustChainImpl.java:46)

I haven’t made any modifications to the certs, and things were working prior to yesterday afternoon. All the certs I can find are valid through 2024 or 2025. I’ve poked through the management interface, through the PSC, manually verified the certs on the VCSA with openssl. My suspicion is that some cert expired but I can’t find any that are expired.

I did reboot the VCSA, and when it came back up it wiped out eam.properties so I did rebuild that and have verified that vmware-eam is running, and that the vapi endpoint health check returns okay.

This is so strange because, once I have rebooted and/or restarted all services, the first login succeeds in the web interface, but I only get one. The fat client works. The PSC lets me log in.

Has anyone seen this before?

Thank you,

Don
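The two log messages above point at different things: Java's "PKIX path building failed ... unable to find valid certification path" means the trust store handed to the SSL layer does not contain an issuer for the certificate being presented, which is not the same failure as an expired certificate. The script below is an added example (not from the original post or from VMware) that shows how openssl reports each case so the two can be told apart when checking certs by hand. It assumes only that `openssl` is on the PATH; the CA and leaf certificates it uses are constructed in a temporary directory, so no real VCSA key material is involved.

```shell
#!/bin/sh
# Added example (not from the original post): separate "issuer not in the
# trust store" from "certificate expired" using openssl. Everything here runs
# against a throwaway PKI generated below; nothing touches a real vCenter.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a constructed test PKI: a root CA, a leaf signed by it, and a second,
# unrelated root that stands in for a trust store missing the real issuer.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=test-root-ca" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=vcsa.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/leaf.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=unrelated-root-ca" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
}

# Verify a leaf against a trust store file and classify the outcome:
#   ok               - chain builds to a trusted root
#   untrusted-issuer - openssl's equivalent of Java's "PKIX path building failed"
#   expired          - validity period has ended
#   other            - anything else (print "$out" to see the raw reason)
check_chain() {
  leaf="$1"; store="$2"
  if out="$(openssl verify -CAfile "$store" "$leaf" 2>&1)"; then
    echo ok
  elif echo "$out" | grep -q "unable to get local issuer certificate"; then
    echo untrusted-issuer
  elif echo "$out" | grep -q "certificate has expired"; then
    echo expired
  else
    echo other
  fi
}

# Report whether a certificate expires within N days ("yes" or "no").
# -checkend exits 0 when the cert is still valid that many seconds from now.
expires_within_days() {
  days="$1"; cert="$2"
  if openssl x509 -checkend "$(( days * 86400 ))" -noout -in "$cert" >/dev/null 2>&1; then
    echo no
  else
    echo yes
  fi
}

# Stand-alone run: show both checks on the constructed PKI.
make_test_pki
echo "leaf vs its own CA:        $(check_chain "$WORK/leaf.pem" "$WORK/ca.pem")"
echo "leaf vs unrelated CA:      $(check_chain "$WORK/leaf.pem" "$WORK/other.pem")"
echo "leaf expires within 7d:    $(expires_within_days 7 "$WORK/leaf.pem")"
echo "leaf expires within 60d:   $(expires_within_days 60 "$WORK/leaf.pem")"
```

The useful part for the situation in the post is the second line of output: a certificate that is perfectly valid through 2024 still fails verification when the store it is checked against does not hold its issuer, and that is the condition the websso.log message describes. Checking each service certificate against the trust store the service actually uses, rather than only its own validity dates, is what separates the two causes.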