Recover vSphere infrastructure when signed certificates are expired.

By | October 17, 2015

Recently I worked with one of my customers on vSphere infrastructure with expired signed certificates. Some vSphere components didn't work such as vCenter Server but fortunately all VMs were running fine.

In this post I would like to share some experience and problems that we faced when we wanted to replace expired certificates on vSphere 5.5 U2 environment. I used a procedure described in VMware KB and to be honest the procedure is so-so - there are some missed things.

When we prepared a new and valid SSL Certificates for all vCenter Server 5.5 components such as Web Client, Inventory Service etc. and replaced it as described in the above mentioned VMware KB, we faced the following errors:

Problems with VMware VirtualCenter Management Webservices

After replacing certificates, the VMware VirtualCenter Management Webservices did not work. In the  logs (catalina and wrapper) I found the following errors:

at java.lang.Thread.run(Unknown Source)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 19 more
Caused by: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)

and wrapper log:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"]
INFO   | jvm 1    | 2015/09/29 13:50:36 | java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
INFO   | jvm 1    | 2015/09/29 13:50:36 |     at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
INFO   | jvm 1    | 2015/09/29 13:50:36 |     at java.security.KeyStore.load(Unknown Source)

I recollected that in the mentioned VMware KB, I had to enter password for the vCenter certificate key but I didn't use this password later. Now I know why... As you could see, the password used in the VMware KB is testpassword. I used another one and it was a mistake because this password is already preconfigured in the configurations files! After some researching I found out that there are two files where PFX (certificate password) is kept!

The first file is catalina.properties and there are two important lines:

bio-vmssl.keyFile.name=C:/ProgramData/VMware/VMware VirtualCenter/SSL/rui.pfx
bio-vmssl.SSL.password=PFX PASSWORD

The second file is instance.cfg (located by default in C:\ProgramData\VMware\VMware VirtualCenter\):

keystorePassword=PFX PASSWORD

So to solve the problem, you need to use the default password (testpassword) or edit above files with your password.

Problem with VMware Web Client

My customer already could use vSphere Client to connect to the vCenter Server. However, the Web Client and inventory service started and terminated after few seconds. I found the following error in the Event Viewer:

The vSphere Web Client service terminated with service-specific error Incorrect function.....
Event ID 7024

I found a VMware KB but it was not a solution.  After some researching and checking logs, we realized that uninstall process did not delete old certificates:

[ERROR] system-artifacts              org.apache.coyote.http11.Http11Protocol                           Failed to initialize end point associated with ProtocolHandler ["http-bio-9443"] java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
at java.security.KeyStore.load(Unknown Source)

What we did were: uninstalling again the Web Client, changing a name of Web Client folder to "vSphere Web Client.old" and installing the Web Client again. It solved the problem. However I haven't replaced the Web Client certificate again because we postponed it for later. I will update this post if I face any issues with it.

Problem with configuring VMware HA on ESXi hosts with new certificates

We replaced certificates on ESXi hosts as well and we faced the next problem with configuring VMware HA. After replacing certificates, ESXi hosts were in "disconnected status" so we connected it to the vCenter. However when I tried to configure VMware HA, we got the following error:

vSphere HA Cannot be configured on this host because its SSL thumbprint has not been verified

We solved the problem by removing and re-adding the hosts to the cluster.

Conclusion

There is a joke... if you need to replace VMware component certificates in vSphere 5.x, please open a case in VMware support in advanced... 😉 Fortunately, VMware did some changes in vSphere 6.0 🙂

Author: Mariusz

Architect (~ 15 years experience based on passion...) with strong background as a System Administrator and Engineer. Focused on Data Center Solutions: Virtualization/Cloud Computing and Storage/Backup Systems. Currently living in Poland.