Sorry for the long post, but I wanted to be as detailed as possible.
I must be doing something terribly wrong with this because I can't see where's the problem.
I created a Microsoft CA and created the VMware Template following KB 2062108 (VMware KB: Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x ).
With this, I was able to successfully change the certificate for the following applications:
- vSphere 5.5 (vCenter and ESXi);
- Horizon View (Connection Server, Security Server and Composer).
Now with vCAC:
- vCAC 6.1;
- Using vCenter SSO;
I followed the "vCloud Automation Center 6 Certificates A to Z" article (vCloud Automation Center 6 Certificates A to Z | VMware Consulting Blog - VMware Blogs) for creating and replacing the vCAC App certificate.
The change was apparently successful since:
- When I access https://<vcac_FQDN>/vcac it shows the correct certificate;
- My browsers don't complain about it.
Unfortunately, I was sadly mistaken :-(
When I went to configure the SSO into vCAC, it would show me a message saying that the vCenter certificate was not trusted. I didn't actually bother much since the configuration completed anyway.
The main issue was next. Once I tried accessing the portal using administrator@vsphere.local, it would throw me a message saying:
"Login failed. Please contact your System Administrator and report error code <CODE>" (the code changes for every attempt)
Back into vCAC admin, I see the "shell-ui-app" service with a "FAILED" status and a quick look into catalina.out (using the code provided above) pointed me to this:
vcac: [component="cafe:shell" priority="ERROR" thread="tomcat-http--17" tenant="vsphere.local"] com.vmware.vcac.authentication.http.LoginErrorEntryPoint.commence:82 - Exception with error code rO4WY+ug:
org.springframework.security.authentication.BadCredentialsException: Can not authenticate the user, no credentials were provided
Okay, that was a weird message. But what actually caught my attention more was something written above, which I noticed was repeating itself all the time:
Untrusted certificate with serial number: [<big_number>] and thumbprint: [<big_hexa>]
Untrusted certificate with serial number: [<another_big_number>] and thumbprint: [<another_big_hexa>]
I checked and those are exactly the certificate I assigned to vCAC and the CA Root certificate.
Thinking that the issue was caused because the vCAC App won't trust my CA Root Certificate, I tried forcing it a little. I found 2 keystores:
- /etc/vcac/vcac.keystore
- /usr/java/jre-vmware/lib/security/cacerts
I ran a "keytool -list -v -keystore" on both of them and noticed that in fact my CA Certificate wasn't inside.
Therefore, I did a "keytool -import -trustcacerts -file <CA_certificate> -alias <My_CA_Alias> -keystore".
Another check confirmed that now the certificate was inside the keystores. Rebooted the appliance.
And so far the certificates remain untrusted. Really, what am I doing wrong? :-(
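As an added example (not part of the original post, and not VMware's code), here is a small script for the check described above: mapping each "Untrusted certificate with serial number: [...] and thumbprint: [...]" line back to a certificate file, so you know which certificate the appliance is rejecting before touching any keystore. It assumes the log prints the serial in decimal and the thumbprint as a SHA-1 over the DER encoding (both assumptions); the certificates and log lines it uses are constructed stand-ins built inline, not real appliance data. The DER parser only walks Certificate -> tbsCertificate -> serialNumber, which is all the match needs.

```python
"""Added example: match 'Untrusted certificate' log lines to certificate files.

Assumptions: the log prints the serial as a decimal integer and the thumbprint
as SHA-1 over the DER bytes. Sample certs and log lines below are constructed."""
import base64
import hashlib
import re

LOG_RE = re.compile(
    r"Untrusted certificate with serial number: \[(\d+)\] and thumbprint: \[([0-9A-Fa-f:]+)\]"
)


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        n = first
    else:
        k = first & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n


def pem_to_der(pem: str) -> bytes:
    """Strip the BEGIN/END armour and base64-decode the body."""
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def cert_serial(der_cert: bytes) -> int:
    """Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber INTEGER."""
    tag, cert_body, _ = der_read(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = der_read(cert_body, 0)
    if tag != 0x30:
        raise ValueError("missing tbsCertificate")
    tag, body, nxt = der_read(tbs, 0)
    if tag == 0xA0:                      # explicit [0] version present (v2/v3)
        tag, body, nxt = der_read(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(body, "big", signed=True)


def thumbprint_sha1(der_cert: bytes) -> str:
    """Uppercase hex SHA-1 of the DER bytes, no separators."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def parse_untrusted_lines(lines):
    """Yield (serial, thumbprint) pairs from log lines; colons and case normalised."""
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            yield int(m.group(1)), m.group(2).replace(":", "").upper()


def identify(log_lines, certs):
    """Return [(serial, thumbprint, verdict)]: verdict is the matching file name,
    a note that only the serial matches (re-issued or re-exported cert?), or 'unknown'."""
    by_pair = {(cert_serial(d), thumbprint_sha1(d)): name for name, d in certs.items()}
    by_serial = {cert_serial(d): name for name, d in certs.items()}
    out = []
    for serial, tp in parse_untrusted_lines(log_lines):
        if (serial, tp) in by_pair:
            verdict = by_pair[(serial, tp)]
        elif serial in by_serial:
            verdict = f"serial matches {by_serial[serial]} but thumbprint differs"
        else:
            verdict = "unknown"
        out.append((serial, tp, verdict))
    return out


def build_sample_cert(serial: int, filler: bytes = b"\x00" * 16) -> bytes:
    """Constructed stand-in with the outer shape of an X.509 Certificate; only the
    fields this parser reads are meaningful. Not a valid, signed certificate."""
    version = der(0xA0, der(0x02, b"\x02"))                                   # v3
    serial_int = der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
    tbs = der(0x30, version + serial_int + sig_alg)                           # rest of TBS omitted
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + filler))


# Constructed sample data (not from any real appliance).
SAMPLE_CERTS = {
    "vcac-app.cer": build_sample_cert(0x1B2C3D4E5F60718293),
    "ca-root.cer": build_sample_cert(0x0F),
}
_reissued = build_sample_cert(0x0F, filler=b"\x01" * 16)   # same serial, different bytes
_stranger = build_sample_cert(0xDEADBEEF)
SAMPLE_LOG = [
    "Untrusted certificate with serial number: [%d] and thumbprint: [%s]"
    % (cert_serial(d), thumbprint_sha1(d))
    for d in (SAMPLE_CERTS["vcac-app.cer"], SAMPLE_CERTS["ca-root.cer"], _reissued, _stranger)
]
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_CERTS["vcac-app.cer"]).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for serial, tp, verdict in identify(SAMPLE_LOG, SAMPLE_CERTS):
        print(f"{serial}  {tp}  ->  {verdict}")
```

With real files, load each exported certificate with pem_to_der (or read the .cer bytes directly if it is already DER) into the dictionary and feed it the catalina.out lines. A "serial matches ... but thumbprint differs" verdict is worth a second look: it usually means the file on disk is not the same bytes the appliance is seeing, which is a different problem from a CA that is simply missing from the keystore.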