今天登陆vspher web-client时候,报错如下:
Failed to connect to VMware Lookup Service https://vc-test.cebbank.com:7444/lookupservice/sdk - SSL certificate verification failed.
放狗搜了下和自己测了下,根据问题类型有如下两种解决方案,我先说下如何去获取错误的详细信息,然后再给大家分别上两个解决办法。
1、获取错误日志
VSphere服务器进入%TEMP%路径,详细错误日志在vm_ssoreg.log和vminst.log中,您的机器可能看不到这个日志,没关系的。我把我的日志信息列在下面
[2016-08-22 10:58:13,758 main ERROR com.vmware.vim.install.impl.LookupServiceAccess] com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched
[2016-08-22 10:58:13,760 main DEBUG com.vmware.vim.install.impl.LookupServiceAccess]
com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched
at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:224)
at com.vmware.vim.vmomi.client.http.impl.HttpExchange.run(HttpExchange.java:131)
at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingImpl.send(HttpProtocolBindingImpl.java:98)
at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.sendCall(MethodInvocationHandlerImpl.java:533)
at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.executeCall(MethodInvocationHandlerImpl.java:514)
at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.completeCall(MethodInvocationHandlerImpl.java:302)
at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invokeOperation(MethodInvocationHandlerImpl.java:272)
at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invoke(MethodInvocationHandlerImpl.java:169)
at com.sun.proxy.$Proxy22.retrieveServiceContent(Unknown Source)
at com.vmware.vim.install.impl.LookupServiceAccess.createLookupService(LookupServiceAccess.java:98)
at com.vmware.vim.install.impl.LookupServiceAccess.<init>(LookupServiceAccess.java:56)
at com.vmware.vim.install.impl.RegistrationProviderImpl.<init>(RegistrationProviderImpl.java:55)
at com.vmware.vim.install.RegistrationProviderFactory.getRegistrationProvider(RegistrationProviderFactory.java:143)
at com.vmware.vim.install.RegistrationProviderFactory.getRegistrationProvider(RegistrationProviderFactory.java:60)
at com.vmware.vim.install.cli.commands.CommandArgumentsParser.createServiceProvider(CommandArgumentsParser.java:241)
at com.vmware.vim.install.cli.commands.CommandArgumentsParser.parseCommand(CommandArgumentsParser.java:101)
at com.vmware.vim.install.cli.commands.CommandFactory.createValidateLsCommand(CommandFactory.java:36)
at com.vmware.vim.install.cli.RegTool.process(RegTool.java:91)
at com.vmware.vim.install.cli.RegTool.main(RegTool.java:38)
Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:267)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:230)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)
at com.vmware.vim.vmomi.client.http.impl.HttpExchange.run(HttpExchange.java:111)
... 17 more
Caused by: javax.net.ssl.SSLException: hostname in certificate didn‘t match: <vc-test.cebbank.com> != <"ssoserver> OR <vc-test.cloud.cebbank.com>
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
at org.apache.http.conn.ssl.StrictHostnameVerifier.verify(StrictHostnameVerifier.java:61)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:253)
... 26 more
根据上面红色部分字体,可以判断我这台机器是由于修改过hosts文件的注册造成的,那修改办法有两个
2、 解决方案一:重新配置SSL certificate
针对vSCA(VMware vCenter Server Appliance),集成在一台机器上的情况,直接在页面修改配置,并重启即可,直接参考Failed to connect to VMware Lookup Service – SSL Certificate Verification Failed。
如果懒得蹦过去看,步骤我也抄过来了,如下:
- Log in the VCSA itself via https://<vcsa-name>:5480
- Navigate to the ‘Admin’ tab
- Turn ‘Certificate regeneration enabled‘ to ‘yes‘ by using the ‘Toggle certificate setting‘ button
- Reboot the vCenter Server Appliance
这是网上最常见的解决办法,但我的机器这不是vSCA啊。想必大家在生产环境也都不是这么用的吧,那怎么办呢?
3、 解决方案二:向其他 vCenter Single Sign-On 实例注册 vSphere Web Client
要向其他 vCenter Single Sign-On Lookup Service 注册 vSphere Web Client,请执行以下操作:
- 打开命令提示符。
- 将目录更改为:
C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts注意: 如果 vSphere Web Client 的安装位置不是默认
C:\Program Files\,请调整该路径。 - 运行
client-repoint.bat命令向其他 vCenter Single Sign-On 和 Lookup Service 注册 vSphere Web Client:client-repoint.bat lookup_service_url "single_sign_on_admin_user" "single_sign_on_admin_password"使用以下示例作为模型:
对于 vCenter Server 5.1:
client-repoint.bat https://machinename.corp.com:7444/lookupservice/sdk "[email protected]" "[email protected]"对于 vCenter Server 5.5:
client-repoint.bat https://machinename.corp.com:7444/lookupservice/sdk "[email protected]" "[email protected]"在本例中,7444 是 vCenter Single Sign-On 的默认 HTTPS 端口号。 如果您使用自定义端口,请将示例中的端口号替换为您使用的端口号。 需要使用引号对 Single Sign-On 用户名和密码中的特殊字符进行转义。上面红线处的主机域名修改是造成问题的原因,请注意填写安装时配置的域名或者IP
现在,已向 vCenter Single Sign-On and Lookup Service 注册了 vSphere Web Client。亲测有效
结论,安装时需要慎重填写FQDN,并配置各服务,做好规划
参考或复制自:
重新指向和重新注册 VMware vCenter Server 5.1/5.5 及组件 (2083219)