Virtual Geek

Tales from real IT system administrators world and non-production environment

Add a Trusted Root Certificate to the Certificate Store VMware Photon OS

I was designing and testing a VMware vCenter Server update repository web server solution in my home lab. I built a new web server, but when I accessed it from the vCenter Server with the curl command, it gave the error below. When I checked the same URL in a browser, it worked fine. The site used an HTTPS SSL certificate that was not a trusted certificate, and this was causing the error.

curl https://webserver/vc_update_repo
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not 
establish a secure connection to it. To learn more about this situation and 
how to fix it, please visit the web page mentioned above.

Enable Access to the VCSA Bash shell or Appliance Shell


To diagnose the issue further, I verified and tried to download the root CA certificate (certificate authority certificate) from the browser by clicking the lock icon, viewing the certificate, and saving the certificate to a file.


There might be scenarios where the option to save the SSL certificate to a file is restricted. In that case you can download the CA certificate and certificate chain directly from the Microsoft Active Directory Certificate Services URL (certsrv). (Since this was a lab, I had configured one CA server to generate SSL certificates.) Make sure you download the Base 64 certificate chain.


Copy the downloaded certificate to the vCenter Server using an SCP tool, e.g. the free WinSCP. Since the latest VMware vCenter appliance runs on VMware Photon OS (Linux), run the command below to update the trusted root certificate authority list.

cat yourrootCAcertificate.cer >> /etc/pki/tls/certs/ca-bundle.crt


Here I am just showing the contents of my lab root CA SSL certificate. Next, when I rerun the curl command with the HTTPS URL, it works fine.

cat yourrootCAcertificate.cer
curl https://webserver/vc_update_repo
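
A more defensive version of the append step above, as an added example that is not part of the original post: before touching the bundle it checks that the file is Base 64 (PEM), is a CA certificate rather than the web server's own certificate, matches a SHA-256 fingerprint obtained out-of-band, and is not already trusted. The function names `add_trusted_root` and `norm_fp` and the argument order are assumptions made for this example, and it needs the `openssl` command.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: add_trusted_root CERT_FILE EXPECTED_SHA256 [BUNDLE]
# EXPECTED_SHA256 must come from the CA administrator or the CA server console,
# not from the HTTPS connection that is currently failing validation.

norm_fp() { tr -d ': \n' | tr 'a-f' 'A-F'; }   # strip colons, upper-case hex

add_trusted_root() {
    cert=$1; expected=$2; bundle=${3:-/etc/pki/tls/certs/ca-bundle.crt}

    # 1. The bundle is a PEM file, so the input must be Base 64 (PEM), not DER.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
        { echo "not a PEM certificate: $cert" >&2; return 1; }

    # 2. It must be a CA certificate, not the web server's own certificate.
    openssl x509 -in "$cert" -noout -text 2>/dev/null | grep -q 'CA:TRUE' ||
        { echo "not a CA certificate: $cert" >&2; return 1; }

    # 3. Its SHA-256 fingerprint must match the value obtained out-of-band.
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256 |
             cut -d= -f2 | norm_fp)
    [ "$actual" = "$(printf '%s' "$expected" | norm_fp)" ] ||
        { echo "fingerprint mismatch, got $actual" >&2; return 1; }

    # 4. Idempotent: do nothing if this root already verifies against the bundle.
    if openssl verify -CAfile "$bundle" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "already trusted, bundle unchanged"; return 0
    fi

    # 5. Keep a timestamped backup, make sure the bundle ends with a newline,
    #    then append a clean PEM copy of the certificate.
    cp -p "$bundle" "$bundle.bak.$(date +%Y%m%d%H%M%S)" || return 1
    [ -z "$(tail -c1 "$bundle")" ] || echo >> "$bundle"
    openssl x509 -in "$cert" -outform PEM >> "$bundle" || return 1
    echo "added root CA, SHA-256 $actual"
}
```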


Useful Articles
How to import default vCenter server appliance VMCA root certificate and refresh CA certificate on ESXi
How to replace default vCenter VMCA certificate with Microsoft CA signed certificate
Managing ESXi SSL certificate properties from vCenter server
Forward vCenter Server Appliance logs to syslog server
Patching the vCenter Server Appliance VCSA
Install and Configure VMware UMDS on Linux
