Symptoms

  • The Connection Server is unable to accept the vCenter thumbprint and reports the error "There was an error identifying the validity of the server".
  • Unable to edit a desktop pool; the operation fails with a VC error.
  • The vCenter status shows red in the View admin dashboard.
  • Unable to verify the vCenter certificate.


Log snippet from the Connection Server:

2019-03-06T08:28:14.843-06:00 DEBUG (0FC0-184C) <VirtualCenterDriver-8785064c-ad09-4db8-9b98-fd9696610b53> [CertMatchingTrustManager] invalid certificate (and no trusted thumbprint) for vcenterfqdn.com:443 InvalidCertificateException[reasons:notTrusted; subject:'C=US, CN=vcenterfqdn.com' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: , ChainReasons: partialChain, noTrust']

2019-03-06T08:28:14.844-06:00 DEBUG (0FC0-184C) <VirtualCenterDriver-8785064c-ad09-4db8-9b98-fd9696610b53> [ServiceConnection25] Problem connecting to VirtualCenter at https://vcenterfqdn.com:443/sdk com.vmware.vdi.logger.Logger.debug(Logger.java:44)
javax.xml.ws.WebServiceException: Could not send Message.
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:150)
at com.sun.proxy.$Proxy98.retrieveServiceContent(Unknown Source)
at com.vmware.vdi.vcsupport25.ServiceConnection25.a(SourceFile:522)
at com.vmware.vdi.vcsupport25.ServiceConnection25.<init>(SourceFile:348)
at com.vmware.vdi.vcsupport25.ServiceConnection25.createInstanceOrFail(SourceFile:309)
at com.vmware.vdi.vcsupport25.ServiceConnection25.createInstance(SourceFile:279)
at com.vmware.vdi.desktopcontroller.VirtualCenterDriver.d(SourceFile:6486)
at com.vmware.vdi.desktopcontroller.VirtualCenterDriver.run(SourceFile:7046)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://vcenterfqdn.com:443/sdk: com.vmware.vdi.ssl.NoTrustedThumbprintException: InvalidCertificateException[reasons:notTrusted; subject:'C=US, CN=vcenterfqdn.com' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: , ChainReasons: partialChain, noTrust']
at sun.reflect.GeneratedConstructorAccessor151.newInstance(Unknown Source)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1390)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1374)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:658)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:63)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:308)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:535)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:444)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:345)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:298)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:139)
... 8 more
Caused by: javax.net.ssl.SSLHandshakeException: com.vmware.vdi.ssl.NoTrustedThumbprintException: InvalidCertificateException[reasons:notTrusted; subject:'C=US, CN=vcenterfqdn.com' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: , ChainReasons: partialChain, noTrust']
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream0(HttpURLConnection.java:1334)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1309)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:259)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:277)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1333)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1293)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:309)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1346)
... 18 more
Caused by: com.vmware.vdi.ssl.NoTrustedThumbprintException: InvalidCertificateException[reasons:notTrusted; subject:'C=US, CN=vcenterfqdn.com' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: , ChainReasons: partialChain, noTrust']
at com.vmware.vdi.ssl.CertMatchingTrustManager.a(SourceFile:152)
at com.vmware.vdi.ssl.CertMatchingTrustManager.checkServerTrusted(SourceFile:61)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:985)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 37 more
Caused by: InvalidCertificateException[reasons:notTrusted; subject:'C=US, CN=vcenterfqdn.com' message:'ValidateCertificateChain Result: FAIL, EndEntityReasons: , ChainReasons: partialChain, noTrust']
at com.vmware.vdi.ssl.CertMatchingTrustManager.validateCertificateChain(SourceFile:245)
at com.vmware.vdi.ssl.CertMatchingTrustManager.a(SourceFile:100)
... 40 more
2019-03-06T08:28:14.844-06:00 ERROR (0FC0-184C) <VirtualCenterDriver-8785064c-ad09-4db8-9b98-fd9696610b53> [ServiceConnection25] Problem connecting to VirtualCenter at https://vcenterfqdn.com:443/sdk
2019-03-06T08:28:14.844-06:00 WARN  (0FC0-184C) <VirtualCenterDriver-8785064c-ad09-4db8-9b98-fd9696610b53> [VirtualCenterDriver] Unable to establish a connection with VC <https://vcenterfqdn.com:443/sdk> using VIM 2.5 binding

Cause

  • The vCenter certificate has been added to the trusted root store on one or more Connection Servers, but not on all of them.
  • Only the root CA certificate of vCenter has been added to the trusted store of the Connection Server, not the complete chain.
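
To find which Connection Servers are affected, the trust failure from the snippet above can be extracted from each server's debug log. This is an added example, not part of the original article or of VMware's tooling; the server names and the second log line are constructed, and the regular expression assumes the message layout shown in the snippet.

```python
import re
from collections import defaultdict

# The CertMatchingTrustManager DEBUG line from the snippet; \s+ tolerates a line wrap.
TRUST_FAIL = re.compile(
    r"\[CertMatchingTrustManager\] invalid certificate \(and no trusted thumbprint\) for\s+"
    r"(?P<target>\S+:\d+)\s+InvalidCertificateException\[reasons:[^;]*;"
    r".*?ChainReasons:\s*(?P<chain>[^'\]]*)",
    re.S,
)

def trust_failures(log_text):
    """Map each vCenter host:port in one debug log to the ChainReasons logged for it."""
    found = defaultdict(set)
    for m in TRUST_FAIL.finditer(log_text):
        found[m.group("target")] |= {
            r.strip() for r in m.group("chain").split(",") if r.strip()
        }
    return dict(found)

def compare_servers(logs_by_server):
    """Return (failing, clean): servers that log the trust failure, and those that do not."""
    failing, clean = {}, []
    for server, text in sorted(logs_by_server.items()):
        hits = trust_failures(text)
        if hits:
            failing[server] = hits
        else:
            clean.append(server)
    return failing, clean

# Constructed sample: cs01 carries the failure from the snippet, cs02 does not.
SAMPLE_LOGS = {
    "cs01.example.test": (
        "2019-03-06T08:28:14.843-06:00 DEBUG (0FC0-184C) <VirtualCenterDriver-1> "
        "[CertMatchingTrustManager] invalid certificate (and no trusted thumbprint) for\n"
        "vcenterfqdn.com:443 InvalidCertificateException[reasons:notTrusted; "
        "subject:'C=US, CN=vcenterfqdn.com' message:'ValidateCertificateChain Result: FAIL, "
        "EndEntityReasons: , ChainReasons: partialChain, noTrust']\n"
    ),
    "cs02.example.test": "2019-03-06T08:28:15.101-06:00 DEBUG (0FC0-184C) constructed line\n",
}

if __name__ == "__main__":
    failing, clean = compare_servers(SAMPLE_LOGS)
    for server, hits in failing.items():
        for target, reasons in hits.items():
            print(f"{server}: cannot validate {target} ({', '.join(sorted(reasons))})")
    print("no trust failure logged:", ", ".join(clean) or "none")
```

A server reported as clean only means the DEBUG line was absent from the text supplied, so compare logs that cover the same time window on every Connection Server.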

Impact / Risks

Provisioning and new or existing sessions will not be available during the Connection Server reboot.

Resolution

1. Import the vCenter certificate, along with the root certificate, into the Connection Server trusted root folder on all Connection Servers.
2. Reboot the Connection Servers as per the KB below:
   Restart order of the View environment