Closed VedaNiks closed 1 year ago
you need to add the complete chain. Make sure you have Root CA, Intermediate CA(s) and the issuing cert.
The certificates you are adding using the api do not complete the chain.
Hello @kunal-pmj, Thank you for your response. I've tried to import the complete chain but failed with the same error. Can you please provide me some guidance? I've tried the things below:
1] I am fetching the certificate from the online depot VM and trying to import it:
import ssl

# Import paths follow the SDK's samples/vsphere/vcenter/certificatemanagement examples;
# stub_config is assumed to be set up the same way as in those samples.
from com.vmware.vcenter.certificate_management.vcenter_client import TrustedRootChains
from com.vmware.vcenter.certificate_management_client import X509CertChain


def get_ssl_cert(address, port=443):
    server_address = (address, port)
    # Retrieve the server certificate in PEM format (the leaf only; get_server_certificate
    # does not return the intermediates or the root)
    cert = ssl.get_server_certificate(server_address)
    return cert


def import_ssl_cert_into_vcenter():
    cert = get_ssl_cert('online-depot-vm-ip')
    # A single PEM block contains no commas, so this is a one-element list holding the leaf
    cert_chain = cert.encode(encoding='utf-8').decode('unicode_escape').split(',')
    x509_cert_chain = X509CertChain(cert_chain=cert_chain)
    trusted_root_chains = TrustedRootChains(stub_config)
    cert_chain_spec = trusted_root_chains.CreateSpec(cert_chain=x509_cert_chain)
    chain_id = trusted_root_chains.create(cert_chain_spec)
    return chain_id
Here, as per your comment, the import is failing because I am adding only the leaf cert and not the complete chain. So, I have tried the below: I got the certificate in PEM format which had the ROOT, INTERMEDIATE and LEAF certificates.
i] I tried to import this certificate using below code:
from com.vmware.vcenter.certificate_management.vcenter_client import TrustedRootChains
from com.vmware.vcenter.certificate_management_client import X509CertChain


def import_full_certificate():
    file_path = 'path-to-certificate'
    with open(file_path, "r") as my_cert_file:
        cert_pem = my_cert_file.read()
    # The whole bundle (ROOT + INTERMEDIATE + LEAF) ends up as one string in a one-element list
    cert_chain = cert_pem.encode(encoding='utf-8').decode('unicode_escape').split(',')
    x509_cert_chain = X509CertChain(cert_chain=cert_chain)
    cert_chain = TrustedRootChains.CreateSpec(cert_chain=x509_cert_chain)
    print('The alias of the certificate chain successfully imported into vCenter listed below ')
    # vsphere_client is the connected client created as in the SDK samples
    print(vsphere_client.vcenter.certificate_management.vcenter.TrustedRootChains.create(cert_chain))
This failed with the same error.
Certificate bearing subject CN=fqdn-of-online-depot-machine,OU=IT,O=NGE,L=Chicago,ST=Illinois,C=US is not a valid CA certificate. Please retry with a valid certificate chain],
ii] I tried to import the certificates in below sequence ROOT > INTERMEDIATE > LEAF :
import pem  # pip install pem

from com.vmware.vcenter.certificate_management.vcenter_client import TrustedRootChains
from com.vmware.vcenter.certificate_management_client import X509CertChain


def divide_and_import_certificate():
    file_path = 'path-to-certificate'
    certs = pem.parse_file(file_path)  # using pem module; one object per PEM block
    str_cert_list = []
    for pem_certificate in certs:
        str_cert_list.append(str(pem_certificate))
    # after splitting, the root cert was last, so walk the list backwards: ROOT > INTERMEDIATE > LEAF
    for str_cert in reversed(str_cert_list):
        cert_chain = str_cert.encode(encoding='utf-8').decode('unicode_escape').split(',')
        x509_cert_chain = X509CertChain(cert_chain=cert_chain)
        cert_chain = TrustedRootChains.CreateSpec(cert_chain=x509_cert_chain)
        # each certificate is imported as its own trusted root chain
        print(vsphere_client.vcenter.certificate_management.vcenter.TrustedRootChains.create(cert_chain))
In this case the ROOT and INTERMEDIATE certificates were successfully imported, but it failed with the same error in the case of the LEAF certificate.
I am not sure what I am doing wrong. Can you please guide me? Is it possible that, since the CA is internal, we have to do some additional steps? I've also downloaded some SSL certificates [the full chain, using the openssl command] from sites like www.nvidia.com and www.hp.com and tried to import them, but that failed as well.
Kindly verify whether you are missing some intermediate certificate.
There are online tools available which decode your SSL certificate to check whether you are missing intermediate certificate(s).
Also check whether the PEM format can be converted to X509. If the certificates are valid, they should get converted.
Hi @kunal-pmj, I have checked that the certificate chain is complete using https://tools.keycdn.com/ssl.
I am attaching a certificate I generated by creating a local root CA and intermediate CA. I've tested it on the above site. Can you please check and let me know why I can't import this certificate? cert.zip
Also, can you verify whether the cert import is necessary before creating an online depot in vLCM?
Thanks in advance!
@VedaNiks
The extension "keyUsage" must have "Certificate Sign" for all the certs in the chain.
You have it only for the CA:
"keyUsage": "Digital Signature, Certificate Sign, CRL Sign"
You can see it in https://tools.keycdn.com/ssl as well with your certs.
Intermediate or self-signed root, they must be valid CA certs, else they will be rejected. Key Encipherment is not the usage of a CA cert; it's an end-user cert usage and should not and can not be added to Trusted Roots.
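The two replies above come down to two checks a practitioner can run locally before calling the API: is every certificate in the bundle actually a CA certificate (keyUsage includes Certificate Sign, and basicConstraints says CA=TRUE), and is the CA chain contiguous, i.e. no intermediate missing between the issuing CA and the root. The script below is an added example, not code from this issue or from the vSphere SDK samples. It uses the `cryptography` package, generates a constructed root, intermediate and leaf in-process so it runs offline (the names `Example Root CA`, `Example Intermediate CA` and `depot.example.internal` are made up), and returns the CA-only PEM list that could be handed to `X509CertChain(cert_chain=...)`; the leaf is reported as rejected, which is what the error in this issue is complaining about.

```python
# Added example, not code from the issue or from the vSphere SDK samples.
# Filters a PEM bundle down to the certs vCenter will accept as trusted roots
# (keyUsage keyCertSign, as kunal-pmj describes, plus basicConstraints CA=TRUE)
# and checks that the remaining CA chain has no gap. Needs: pip install cryptography
# The root/intermediate/leaf below are constructed for the demo.
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

PEM_CERT_RE = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def _make_cert(common_name, issuer_cert=None, issuer_key=None, is_ca=False):
    """Issue a test cert. CA certs get keyCertSign/cRLSign; the leaf gets keyEncipherment instead."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(issuer_cert.subject if issuer_cert else name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .add_extension(x509.KeyUsage(
            digital_signature=True, content_commitment=False,
            key_encipherment=not is_ca, data_encipherment=False, key_agreement=False,
            key_cert_sign=is_ca, crl_sign=is_ca, encipher_only=False, decipher_only=False),
            critical=True)
        .sign(issuer_key if issuer_key else key, hashes.SHA256())
    )
    return cert, key


def demo_bundle_pem():
    """Constructed server bundle in the usual order: leaf, intermediate, root."""
    root, root_key = _make_cert("Example Root CA", is_ca=True)
    inter, inter_key = _make_cert("Example Intermediate CA", root, root_key, is_ca=True)
    leaf, _ = _make_cert("depot.example.internal", inter, inter_key, is_ca=False)
    return b"".join(c.public_bytes(serialization.Encoding.PEM) for c in (leaf, inter, root))


def load_certs(pem_bytes):
    """Split a PEM bundle into certificate objects, preserving file order."""
    return [x509.load_pem_x509_certificate(m.group(0)) for m in PEM_CERT_RE.finditer(pem_bytes)]


def is_ca_cert(cert):
    """True only for basicConstraints CA=TRUE with keyUsage keyCertSign; anything else is not a root."""
    try:
        bc = cert.extensions.get_extension_for_class(x509.BasicConstraints).value
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
    except x509.ExtensionNotFound:
        return False
    return bool(bc.ca and ku.key_cert_sign)


def classify_bundle(pem_bytes):
    """Return (ca_certs, rejected_subjects); the leaf lands in rejected, as in the issue's error."""
    ca_certs, rejected = [], []
    for cert in load_certs(pem_bytes):
        if is_ca_cert(cert):
            ca_certs.append(cert)
        else:
            rejected.append(cert.subject.rfc4514_string())
    return ca_certs, rejected


def chain_is_contiguous(certs):
    """Each cert is issued by the next one and the last is self-issued: no missing intermediate."""
    if not certs:
        return False
    if any(child.issuer != parent.subject for child, parent in zip(certs, certs[1:])):
        return False
    return certs[-1].issuer == certs[-1].subject


def ca_chain_pem(pem_bytes):
    """PEM strings of the CA certs only, suitable for X509CertChain(cert_chain=...)."""
    ca_certs, _ = classify_bundle(pem_bytes)
    if not chain_is_contiguous(ca_certs):
        raise ValueError("CA chain is incomplete: an intermediate or the root is missing")
    return [c.public_bytes(serialization.Encoding.PEM).decode() for c in ca_certs]


if __name__ == "__main__":
    bundle = demo_bundle_pem()
    cas, rejected = classify_bundle(bundle)
    print("trusted-root candidates:", [c.subject.rfc4514_string() for c in cas])
    print("rejected (not a CA cert):", rejected)
    print("CA chain complete:", chain_is_contiguous(cas))
```

Run it against a real bundle by replacing `demo_bundle_pem()` with the bytes of the PEM file; the subjects printed under "rejected" are exactly the ones vCenter will refuse, and a `ValueError` from `ca_chain_pem` means an intermediate is missing rather than the CA flags being wrong.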
Describe the bug
I am creating an online depot on vLCM using this API. This call fails if the URL for the depot has HTTPS in it because of certificate trust issues.
To solve that, I am using the code from samples/vsphere/vcenter/certificatemanagement/trusted_root_chains_create.py to import the certificate into vCenter Server.
This works fine for a self-signed certificate and the depot is created successfully. The problem occurs in the case of a CA certificate. I am not able to import a CA certificate.
Are there certain requirements the CA certificate needs to fulfil? What can I do to solve this issue? I've tried using the vSphere Client UI to import the certificate but encountered the same error. I see the below error in /var/log/vmware/certificatemanagement after calling the API:
Reproduction steps
Error occurred while adding trusted root certificates: com.vmware.vapi.std.errors.Error, create trusted root chain failed : Certificate bearing subject CN=fqdn-of-online-depot-machine, OU=IT,O=NGE,L=Chicago,ST=Illinois,C=US is not a valid CA certificate. Please retry with a valid certificate chain.
Expected behavior
The CA certificate should get imported similarly to a self-signed SSL certificate.
Additional context
No response