vCloud Director SSL fingerprint mismatch detected and wildcard certificate configuration

During a vCloud Director (vCD) version 5.5 implementation the other week we started out with self-signed certificates on the vCD cells and a company-external (purchased) wildcard certificate on the load balancer facing the internet.
I have used this setup (though not with wildcard certificates) quite a few times, e.g. for vCD versions 1.5 and 5.1. Basically the customer decides which certificates to use; I can only advise my customers not to use self-signed certificates.
However, since vCD 5.5 the certificate presented by the load balancer (or firewall) in front of vCD and the certificates on the vCD cells must match. If they don't, you get an "SSL fingerprint mismatch detected" error when you try to upload a file to vCD (to the transfer area).

Screen Shot 2014-05-05 at 14.02.33

Screen Shot 2014-05-05 at 13.13.18

To avoid this you have to configure the same certificate (the purchased wildcard one in my case) on the vCD cell(s) and on the load balancer.

Below are the steps I took to configure the vCD cells to use the purchased certificate. I used the keytool binary found in /usr/java/jre1.6.0_31/bin/ on the CentOS virtual machine (VM) where the vCD cell is installed; the keytool commands below are run from that directory, hence ./keytool.

1. Extract the private key and certificate from the certificate.pfx file:

  • openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
  • Copy the private key block from certificate.cer into a new file called private.key. Note that -nodes writes the private key to disk unencrypted, so create these files with restrictive permissions (e.g. umask 077 first) and delete them once the keystore is built.

2. Create a pfx for each of the two aliases vCD expects, http and consoleproxy. The configure script in step 7 asks for a single keystore password, so use the same password (passwd below; pick your own) for the exports and the keystore:

  • openssl pkcs12 -export -in certificate.cer -inkey private.key -name http -passout pass:passwd -out http.pfx
  • openssl pkcs12 -export -in certificate.cer -inkey private.key -name consoleproxy -passout pass:passwd -out consoleproxy.pfx

3. Import the two pfx files created above into a new JCEKS keystore:

  • ./keytool -importkeystore -srckeystore /opt/certificates/http.pfx -srcstoretype PKCS12 -destkeystore /opt/keystore/cloudcerts.ks -deststoretype JCEKS -deststorepass passwd -srcalias http -destalias http -srcstorepass passwd
  • ./keytool -importkeystore -srckeystore /opt/certificates/consoleproxy.pfx -srcstoretype PKCS12 -destkeystore /opt/keystore/cloudcerts.ks -deststoretype JCEKS -deststorepass passwd -srcalias consoleproxy -destalias consoleproxy -srcstorepass passwd

4. Import the intermediate certificate into the keystore, so the cell can present the full chain:

  • ./keytool -importcert -alias intermediate -file /opt/certificates/intermediate.crt -storetype JCEKS -keystore /opt/keystore/cloudcerts.ks -storepass passwd

5. Import the root certificate into the keystore:

  • ./keytool -importcert -alias root -file /opt/certificates/RootCA.crt -storetype JCEKS -keystore /opt/keystore/cloudcerts.ks -storepass passwd

6. Copy the keystore /opt/keystore/cloudcerts.ks to the second vCD cell (it contains the private key, so use scp or another encrypted channel).

7. Activate the new certificate on both vCD cells.

  • service vmware-vcd stop
  • Run /opt/vmware/vcloud-director/bin/configure, point it at the /opt/keystore/cloudcerts.ks file and enter the keystore password (passwd in this example) when prompted.
  • service vmware-vcd start
  • Verify that the vCD cell starts OK by tailing the cell log:
    • tail -f /opt/vmware/vcloud-director/logs/cell.log

You can verify the contents of the keystore (both key entries and the two CA certificates should be listed) by running the following command:

  • ./keytool -list -keystore /opt/keystore/cloudcerts.ks -storetype JCEKS -storepass passwd
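For reference, here is the whole procedure (steps 1 to 5 scripted) followed by the check that matters for the fingerprint error: the SHA-1 fingerprint of the certificate now in the keystore is compared with the fingerprint of the leaf certificate the load balancer actually presents on port 443. This is an added example, not the script from the original post or from VMware; the keytool path, the /opt directory layout, the single shared password and the hostname argument are assumptions for illustration.

```sh
#!/bin/sh
# build-vcd-keystore.sh (added example; assumed paths and password handling)
# Builds the JCEKS keystore for a vCD 5.5 cell from a purchased PKCS#12 bundle
# and checks that the load balancer serves a certificate with the same
# fingerprint, which is exactly what the upload client trips over otherwise.
set -eu

KEYTOOL=${KEYTOOL:-/usr/java/jre1.6.0_31/bin/keytool}   # assumed JRE keytool path
CERTDIR=${CERTDIR:-/opt/certificates}                   # holds intermediate.crt / RootCA.crt
KS=${KS:-/opt/keystore/cloudcerts.ks}
STOREPASS=${STOREPASS:-passwd}   # configure asks for one password: use it for keys and store

# Normalise a fingerprint so "ab:cd:ef" and "ABCDEF" compare equal.
norm_fp() { printf '%s' "$1" | tr -d ':' | tr '[:lower:]' '[:upper:]'; }

# fp_equal FP1 FP2: succeed when both strings are the same digest.
fp_equal() { [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]; }

# SHA-1 fingerprint of the certificate in a PEM file.
pem_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# SHA-1 fingerprint of the leaf certificate served on HOST:PORT, i.e. what
# the upload client sees when it talks to the load balancer.
served_fingerprint() {
  echo | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null |
    openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# build_keystore PFX PFXPASS: populate $KS with the http and consoleproxy
# key entries plus the CA chain; prints the leaf certificate fingerprint.
build_keystore() {
  pfx=$1; pfxpass=$2
  umask 077                          # the key is written unencrypted: keep the files private
  tmp=$(mktemp -d)
  # step 1: split the bundle into leaf certificate and private key
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nokeys -clcerts -out "$tmp/leaf.cer"
  openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nocerts -nodes -out "$tmp/private.key"
  for alias in http consoleproxy; do
    # step 2: one pfx per alias vCD expects
    openssl pkcs12 -export -in "$tmp/leaf.cer" -inkey "$tmp/private.key" \
      -name "$alias" -passout "pass:$STOREPASS" -out "$tmp/$alias.pfx"
    # step 3: import the key pair into the JCEKS keystore the cell reads
    "$KEYTOOL" -importkeystore -srckeystore "$tmp/$alias.pfx" -srcstoretype PKCS12 \
      -srcstorepass "$STOREPASS" -srcalias "$alias" \
      -destkeystore "$KS" -deststoretype JCEKS -deststorepass "$STOREPASS" \
      -destalias "$alias" -destkeypass "$STOREPASS" >/dev/null
  done
  # steps 4 and 5: intermediate and root so the cell can send the full chain
  for ca in intermediate:intermediate.crt root:RootCA.crt; do
    "$KEYTOOL" -importcert -noprompt -alias "${ca%%:*}" -file "$CERTDIR/${ca#*:}" \
      -storetype JCEKS -keystore "$KS" -storepass "$STOREPASS" >/dev/null
  done
  pem_fingerprint "$tmp/leaf.cer"
  rm -rf "$tmp"                      # remove the plaintext key material
}

# usage: build-vcd-keystore.sh certificate.pfx <pfx password> <load balancer hostname>
if [ $# -eq 3 ]; then
  cell_fp=$(build_keystore "$1" "$2")
  lb_fp=$(served_fingerprint "$3" 443)
  if fp_equal "$cell_fp" "$lb_fp"; then
    echo "OK: load balancer $3 serves the keystore certificate ($cell_fp)"
  else
    echo "MISMATCH: keystore $cell_fp, load balancer $lb_fp - vCD uploads will fail" >&2
    exit 1
  fi
fi
```

After step 7 the same served_fingerprint function can be pointed at each cell's own address on port 443 to confirm that the cells, and not only the load balancer, now present the purchased certificate.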

When this is done, uploading a file to vCD succeeds.

Screen Shot 2014-05-05 at 13.26.13

