Firefox does not trust vCenter CA-signed certificates

For a vCenter Server environment I replaced the default SSL certificates with CA-signed SSL certificates. The Platform Services Controller (PSC) is configured as a VMCA subordinate CA. When opening the vSphere Web/HTML5 Client, Firefox displays the following warning: Your connection is not secure.

This is because Firefox does not trust root certificates in the Windows certificate store. Since Firefox 49 there is an option that allows Firefox to trust the root certificates in the Windows certificate store. This option is not enabled by default.

The following steps illustrate how to configure Firefox to use the Windows certificate store:

  • Open Firefox
  • In the address bar type: about:config
  • Accept the warning
  • Navigate to Preference name: security.enterprise_roots.enabled
  • Set the value to: true

Firefox now trusts the root certificates in the Windows certificate store.


Deploy an OVA/OVF fails with certificate error

When trying to deploy an OVA/OVF with the vSphere Web Client the following error is displayed:

The operation failed for an undetermined reason. Typically this problem occurs due to certificates that the browser does not trust. If you are using self-signed or custom certificates, open the URL below in a new browser tab and accept the certificate, then retry the operation.

This error occurs with vSphere 6.5 because the certificates are not trusted: the default self-signed certificates are in use and have not been added to the Trusted Root Certification Authorities store.

To deploy an OVF/OVA to the vCenter Server Appliance, the trusted root CA must be added to the certificate store. The following steps work with Chrome and Internet Explorer:

  • Open the vCenter URL: https://vcenter-FQDN
  • Select “Download trusted root CA certificates” and save the archive (ZIP) file
  • Extract the archive (ZIP)

  • Start – Run – MMC
  • File – Add Snap-ins – Certificates – Computer Account – Local computer
  • Open Trusted Root Certification Authorities – Certificates
  • Import the two *.crt certificates

  • Close and re-open the browser and navigate to the vCenter Server using the FQDN.
  • The URL is now marked as secure (green lock) and you are able to import the OVA/OVF.
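The same import done with PowerShell instead of MMC, followed by a check of the result, as an added example that is not part of the original post and not VMware's code. It only accepts files that are actually CA certificates, puts a self-signed CA in Trusted Root and an issued CA (such as the VMCA as subordinate CA) in Intermediate Certification Authorities, and then performs a plain TLS handshake with vCenter. That handshake uses the same Windows-store validation Chrome and Internet Explorer rely on, and that Firefox only uses once security.enterprise_roots.enabled is set. Assumed: Windows PowerShell 5.1 as Administrator on Windows 8 / Server 2012 or later (Import-Certificate, Expand-Archive), the placeholder FQDN and ZIP path, and that the ZIP is the archive saved from the “Download trusted root CA certificates” link above.

```powershell
# Added example (not from the original post). Assumptions: run as Administrator in
# Windows PowerShell 5.1; $VCenterFqdn and $Zip are placeholders; $Zip is the archive
# saved from the "Download trusted root CA certificates" link on the vCenter page.
$VCenterFqdn = 'vcenter.example.local'     # placeholder
$Zip         = 'C:\Temp\download.zip'       # placeholder
$Work        = Join-Path $env:TEMP 'vcenter-roots'

Expand-Archive -Path $Zip -DestinationPath $Work -Force

foreach ($File in Get-ChildItem -Path $Work -Recurse -Filter '*.crt') {
    $Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($File.FullName)

    # Only CA certificates belong in a CA store: refuse anything without
    # BasicConstraints CA=TRUE instead of trusting it by accident.
    $Basic = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $Basic -or -not $Basic.CertificateAuthority) {
        Write-Warning "Skipping $($File.Name): not a CA certificate"
        continue
    }

    # A self-signed CA is a root; a CA issued by another CA (for example the
    # VMCA as subordinate CA) goes to Intermediate Certification Authorities.
    $Store = if ($Cert.Subject -eq $Cert.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Import-Certificate -FilePath $File.FullName -CertStoreLocation $Store | Out-Null
    '{0} -> {1} (thumbprint {2})' -f $Cert.Subject, $Store, $Cert.Thumbprint
}

# Verification: a normal TLS handshake with vCenter. .NET validates the server
# chain against the Windows stores, exactly as Chrome and IE do, so a failure
# here means those browsers will still warn.
$Tcp = New-Object System.Net.Sockets.TcpClient($VCenterFqdn, 443)
$Ssl = New-Object System.Net.Security.SslStream($Tcp.GetStream(), $false)
try {
    # Revocation checking is off because the CRL distribution point may be unreachable.
    $Ssl.AuthenticateAsClient($VCenterFqdn, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
    $Remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($Ssl.RemoteCertificate)
    'OK: {0}, issued by {1}, is trusted by this machine' -f $Remote.Subject, $Remote.Issuer
} catch {
    Write-Warning "vCenter certificate still not trusted: $($_.Exception.Message)"
} finally {
    $Ssl.Dispose()
    $Tcp.Dispose()
}
```

Run it once per workstation that needs to deploy OVA/OVF files; the handshake at the end replaces the "green lock" check in the browser, and a warning from it means the chain is still incomplete (typically the subordinate CA certificate is missing from the bundle or the certificate served by vCenter has not been replaced yet).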


Update the vCenter Server Appliance (VCSA) without internet

In this blog post I highlight how to patch or update a single vCenter Server Appliance (VCSA) without an internet connection. The patch is hosted on a temporary web server installed on a Windows machine. In this example we update the vCenter Server Appliance from version 6.0 Update 2 to 6.0 Update 3, build 5050593.

Here are the main steps:

1. On a Windows machine install a temporary web server to host the VCSA patch. As web server “Posh Server” (link) will be used; this is a small PowerShell web server. Download Posh Server and install it on a Windows box with the default settings. After the installation, open PowerShell (as Administrator) and execute the following commands:

Set-Executionpolicy unrestricted

Type “y” to confirm. Go to the “C:\Program Files\PoSHServer” folder.

Import-Module PoSHServer
Start-PoshServer -Port 9000

The Posh web server is started and listens on port 9000.

2. Download the patch (ZIP file) from the VMware website.

Extract the patch on the Windows machine into the web server folder “C:\Program Files\PoSHServer\webroot\http\update”. Besides the patch file (ZIP), two folders are extracted (manifest and package-pool).

3. Before upgrading, make sure you have a backup copy of the VCSA!

4. Open the vCenter Server Appliance web interface (https://VCSA-IP:5480). Go to the Update tab, click Settings and select “Use Specified Repository”. Enter the location of the web server and the update folder. In this example we use:

http://IP-web-server:9000/update

Click OK, check updates and use the “Check Repository” option. (tip: make sure to disable the proxy configuration in the VCSA)

The update is displayed under available updates. Install the update.

When the update is finished, click OK and reboot the appliance.

5. After the reboot, check the version and build number to confirm the new patch is applied.
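The hosting part of this procedure (steps 1 to 4) as a single script, added here as an example that is not part of the original post and not PoSHServer's or VMware's code. It checks the extracted repository layout before anything is started, opens TCP/9000 in Windows Firewall for the appliance address only rather than for the whole network, starts the web server with a process-scoped execution policy so the machine-wide policy is left as it was, and fetches a real file from the manifest folder over HTTP to prove the repository URL answers before it is entered in the VAMI. Assumed: PoSHServer installed as in step 1 and the patch extracted as in step 2, Windows 8 / Server 2012 or later for New-NetFirewallRule, the placeholder addresses, and that Start-PoshServer blocks the console, which is why it runs in a background job.

```powershell
# Added example (not from the original post). Assumptions: PoSHServer installed with
# default settings; patch extracted to the 'update' folder as in step 2; $VcsaIp and
# $WebServerIp are placeholders; Start-PoshServer is assumed to block, hence the job.
$Port        = 9000
$VcsaIp      = '192.0.2.10'        # placeholder: VCSA management address
$WebServerIp = '192.0.2.20'        # placeholder: this Windows box
$Repo        = 'C:\Program Files\PoSHServer\webroot\http\update'

# Pre-flight: a usable repository has the manifest and package-pool folders.
function Test-VcsaRepoLayout {
    param([string]$Path)
    $missing = foreach ($d in 'manifest', 'package-pool') {
        if (-not (Test-Path (Join-Path $Path $d) -PathType Container)) { $d }
    }
    if ($missing) { throw "Repository at $Path is missing folder(s): $($missing -join ', ')" }
    "Repository layout OK: $Path"
}
Test-VcsaRepoLayout -Path $Repo

# Allow inbound TCP/9000 from the appliance only; the repository is plain HTTP.
$RuleName = 'VCSA offline update repo (temporary)'
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $Port -RemoteAddress $VcsaIp -Action Allow | Out-Null

# Start the web server in a background job. The execution policy is changed for
# that process only instead of machine-wide.
$Job = Start-Job -ScriptBlock {
    param($p)
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
    Import-Module PoSHServer
    Set-Location 'C:\Program Files\PoSHServer'
    Start-PoshServer -Port $p
} -ArgumentList $Port
Start-Sleep -Seconds 5

# Verify the repository answers over HTTP, using a file that really exists in
# the manifest folder rather than guessing a file name.
$ManifestFile = Get-ChildItem -Path (Join-Path $Repo 'manifest') -File | Select-Object -First 1
$Url = 'http://{0}:{1}/update/manifest/{2}' -f $WebServerIp, $Port, $ManifestFile.Name
try {
    $Resp = Invoke-WebRequest -Uri $Url -UseBasicParsing
    'Repository reachable (HTTP {0}). Repository URL for the VAMI: http://{1}:{2}/update' -f $Resp.StatusCode, $WebServerIp, $Port
} catch {
    Write-Warning "Repository check failed for $Url : $($_.Exception.Message)"
}

# When the update has finished, stop the server and close the port again:
#   Stop-Job $Job; Remove-Job $Job; Remove-NetFirewallRule -DisplayName $RuleName
```

The repository is served unauthenticated over HTTP, so the firewall scope and the cleanup at the end matter as much as the server itself: remove the rule and stop the job as soon as the appliance reports the update installed.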