Do you have Platform Service Controller (PSC) or vCenter configured and replaced the self signed machine certificates? Are you looking to deploy NSX Manager 6.2? If so you must consider the following.
NSX Manager can be configured to use Lookup Service, and you can provide SSO credentials to register the NSX Management Service as a solution user. For this to work the certificate installed on your PSC must be trusted. If the self-signed certificates have been replaced with enterprise certificates this verification fails, because the PSC / vCenter has been configured to use the new certificate but the corresponding services such as Lookup Service have not. NSX Manager will report the error below
NSX Management Service operation failed.(Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified)
VMware have covered this in detail here
The following illustrates how to fix this error. In my environment I am using the vCenter appliance in embedded mode, configured as a subordinate CA under an internal Enterprise CA – Windows 2012 CA. When I try to configure Lookup Service on the NSX Manager I get the error below
First you need to check that the certificates are different. Enable SSH on your PSC (or on the vCenter appliance when using embedded mode) and run the following
shell.set --enabled true
/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>/dev/null
Record the details after SSL trust in a notepad. Now run
echo | openssl s_client -connect localhost:443
Record the details after Server Certificate. Notice that these are different. You now need to find the certificate in the sslTrust field of the ArrayOfLookupServiceRegistrationInfo using the Managed Object Browser (MOB). First back up the old certificate: connect to the PSC using WinSCP and create a folder called /Cert. Now connect to the MOB by browsing to the URL below and log in with the SSO administrator account
In the value box delete all the keys so you are only left with <filterCriteria></filterCriteria>, then select Invoke Method
Do a search on the below
The box directly above this will have the Base64 of the old cert. Copy this out to a notepad and save it as old.crt. You need to add the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, each on its own line (i.e. with a carriage return after the Base64)
Using WinSCP copy this to the /Cert folder created previously. That's the old one backed up.
Now we need to find the fingerprint of the old cert. Connect back to the PSC (vCenter if using embedded mode) and run the following
shell.set --enabled true
openssl x509 -in /Cert/old.crt -noout -sha1 -fingerprint
Save the fingerprint to notepad for later
Now run the following to export the latest cert into the same /Cert folder
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /Cert/new_machine.crt
Now run the following – change the URL and fingerprint details to match yours (ls_update_certs.py lives alongside lstool.py in /usr/lib/vmidentity/tools/scripts, so run it from that directory)
python ls_update_certs.py --url https://lab-vc01.vjenner.com/lookupservice/sdk --fingerprint EC:C3:98:b9:1C:EA:CD:03:5B:4F:B8:7A:80:93:2B:6B:EC:80:9A:09 --certfile /Cert/new_machine.crt --user Administrator@vsphere.local --password Password
This takes a few minutes to complete; once done you should see that the services have been updated successfully
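As an added example (not from the original post and not VMware's tooling), the helpers below script the manual steps above: wrapping the Base64 copied out of the MOB into a PEM file with the BEGIN/END lines, printing its SHA1 fingerprint in the form --fingerprint expects, and comparing it against the certificate the appliance currently serves on 443. Run the check before ls_update_certs.py to confirm the registration is stale, and again afterwards to confirm it is current. It assumes a POSIX shell with openssl on the PATH, as on the appliance; the file names and host:port are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the manual
# certificate steps. Assumes openssl on the PATH; paths are placeholders.

# wrap_pem BASE64 -> writes the PEM form of a cert copied out of the MOB's
# sslTrust field (bare Base64, possibly with stray spaces or line breaks).
wrap_pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s' "$1" | tr -d ' \t\r\n' | fold -w 64
    printf '\n%s\n' '-----END CERTIFICATE-----'
}

# sha1_fingerprint PEMFILE -> colon-separated SHA1 fingerprint, which is the
# value ls_update_certs.py expects for --fingerprint.
sha1_fingerprint() {
    openssl x509 -in "$1" -noout -sha1 -fingerprint | sed 's/^.*=//'
}

# served_cert HOST:PORT -> PEM of the certificate the endpoint presents now
# (what the "echo | openssl s_client -connect localhost:443" step shows).
served_cert() {
    echo | openssl s_client -connect "$1" 2>/dev/null | openssl x509
}

# certs_match FILE_A FILE_B -> exit 0 when both files carry the same cert.
certs_match() {
    [ "$(sha1_fingerprint "$1")" = "$(sha1_fingerprint "$2")" ]
}

# lookup_service_is_current OLD_PEM HOST:PORT -> exit 0 if the cert saved from
# the Lookup Service registration still matches what HOST:PORT serves.
# Expected to fail before ls_update_certs.py and succeed after it.
lookup_service_is_current() {
    tmp=$(mktemp) || return 2
    served_cert "$2" > "$tmp" || { rm -f "$tmp"; return 2; }
    certs_match "$1" "$tmp" && rc=0 || rc=1
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder paths): sh check_lookup_cert.sh /Cert/old.crt localhost:443
if [ $# -eq 2 ]; then
    if lookup_service_is_current "$1" "$2"; then
        echo "Lookup Service registration matches the certificate served on $2"
    else
        echo "Lookup Service registration is stale: $(sha1_fingerprint "$1")"
        echo "differs from the certificate served on $2"
    fi
fi
```

The fingerprint printed for a stale old.crt is exactly the string to paste into --fingerprint; keep old.crt in /Cert so the same check can be repeated at the next renewal.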
That's it! You can now configure Lookup Service on your NSX Manager.
Note – this script must be run every time the machine certificates are replaced, whether on an embedded appliance, an external PSC, or a vCenter with an external PSC. That means if your certs are valid for 2 years, remember to do this part when renewing.