Hello all,
I'm trying to install BDE 2.2 in a lab environment and I'm running into an error when I try to enable SSO: "Cannot reach SSO Lookup Service. Verify that the URL is correct and the service is running."
vCenter and hosts are 6.0 with the latest patch.
I have one PSC appliance working as a subordinate CA; the root CA is a self-signed CA running on Windows Server 2012 R2.
vCenter is also an appliance, and its certificate looks good.
BDE 2.2 vApp installed OK.
vCenter plug-in installed OK.
Lookup service URL I used: https://myPSC:443/lookupservice/sdk
I checked the log for enable SSO (/opt/serengeti/ssotool/installer.log):
[2015-08-04 16:43:40,634 main DEBUG com.vmware.vim.install.cli.RegTool] $Id: //depot/vicore/vicore-2013/regtool/viregtool/src/main/java/com/vmware/vim/install/cli/RegTool.java#4 $
[2015-08-04 16:43:40,636 main DEBUG com.vmware.vim.install.cli.RegTool] Executing command: storeSsoData -d https://psc01.lab.local:443/lookupservice/sdk -f /opt/serengeti/ssotool/ssoData
[2015-08-04 16:43:40,671 main INFO com.vmware.vim.install.impl.RegistrationProviderImpl] Intializing registration provider...
[2015-08-04 16:43:41,270 main DEBUG com.vmware.vim.install.impl.LookupServiceAccess] Creating VMODL client for LookupService
[2015-08-04 16:43:41,274 main INFO com.vmware.vim.install.impl.CertificateGetter] Getting SSL certificates for https://psc01.lab.local:443/lookupservice/sdk
[2015-08-04 16:43:41,654 main DEBUG com.vmware.vim.install.impl.CertificateGetter] Establishing socket connection to psc01.lab.local/192.168.102.2:443. Timeout is 60000
[2015-08-04 16:43:42,475 main DEBUG com.vmware.vim.install.impl.AdminServiceAccess] Creating client for SSO Admin on address: https://psc01.lab.local/sso-adminserver/sdk/vsphere.local
[2015-08-04 16:43:42,906 main ERROR com.vmware.vim.install.impl.AdminServiceAccess] com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
I SSHed to the BDE 2.2 management server and ran:
openssl s_client -connect psc01.lab.local:443 -tls1
I got:
depth=1 C = US, DC = vsphere, DC = local, O = psc01.lab.local, CN = CA
verify error:num=20:unable to get local issuer certificate
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=lab/C=CA/ST=QC/L=XX/O=XX/OU=Lab
   i:/C=US/DC=vsphere/DC=local/O=psc01.lab.local/CN=CA
 1 s:/C=US/DC=vsphere/DC=local/O=psc01.lab.local/CN=CA
   i:/DC=local/DC=lab/CN=lab-DC-CA
So, just like "server certificate chain not verified", it looks like the BDE management appliance cannot find my root CA certificate. Now, I have my root CA certificate. My questions are:
1. Where should I put this certificate? When I copy it to a folder and run "openssl s_client -connect psc01.lab.local:443 -CAfile /opt/chef-server/embedded/ssl/certs/rootca.crt -tls1" there is no error, but when I run "EnableSSOAuth" I still get the same error.
2. Can I replace the BDE self-signed certificate by generating a CSR, and how can I do it?
Thanks
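A way to reproduce the chain-verification failure offline, as an added example that is not part of the original post: it builds a throwaway chain with the same subjects as the s_client output above and checks the service certificate with and without the root CA in the trust store. The certificates are constructed on the fly; the only assumption is an openssl CLI of 1.1.0 or newer.

```shell
#!/bin/sh
# Constructed three-tier chain like the one in the post (root -> subordinate CA -> service cert),
# used to show why verification fails until the root CA is in the trust store.
# Assumes only the openssl CLI (1.1.0 or newer, for -no-CAfile/-no-CApath).
set -e
WORK=$(mktemp -d)

# Extension profiles: an issuer without basicConstraints CA:TRUE is rejected by openssl verify.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:psc01.lab.local\n' >"$WORK/srv.ext"

# issue NAME SUBJECT ISSUER EXTFILE: new key + CSR, signed by ISSUER (self-signed when ISSUER is "self")
issue() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" \
        -subj "$2" 2>/dev/null
    if [ "$3" = self ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
            -extfile "$WORK/$4" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
            -CAcreateserial -days 30 -extfile "$WORK/$4" -out "$WORK/$1.crt" 2>/dev/null
    fi
}

# Subjects copied from the s_client output: the Windows root signs the PSC subordinate CA,
# which signs the PSC service certificate.
issue root '/DC=local/DC=lab/CN=lab-DC-CA' self ca.ext
issue sub  '/C=US/DC=vsphere/DC=local/O=psc01.lab.local/CN=CA' root ca.ext
issue srv  '/CN=lab/C=CA/ST=QC/L=XX/O=XX/OU=Lab' sub srv.ext

# verify_chain TRUST_ARGS: validate the service cert. The subordinate CA is passed as
# -untrusted because the server sends it in the handshake (chain position 1 in s_client),
# so only the root has to come from the local trust store. Prints "ok" or the error text.
verify_chain() {
    if out=$(openssl verify $1 -untrusted "$WORK/sub.crt" "$WORK/srv.crt" 2>&1); then
        echo ok
    else
        echo "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
    fi
}

echo "no trust anchors : $(verify_chain '-no-CAfile -no-CApath')"  # fails at depth 1, like the post
echo "subordinate only : $(verify_chain "-CAfile $WORK/sub.crt")"  # still fails: no trusted root in chain
echo "root CA trusted  : $(verify_chain "-CAfile $WORK/root.crt")" # ok
```

The same logic applies to a Java tool such as the RegTool in the log: it validates against its own trust store, not the file handed to s_client with -CAfile, so the root must be imported wherever that tool looks.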