I have a lab scenario that I'm trying to work through and ultimately move it to a production environment.
I've deployed the vCSA 5.5 and joined it to my Active Directory. This Active Directory has a suffix of example.com, and from the perspective of the domain controllers and perhaps the appliance itself, the FQDN of the vCSA is vc-01.example.com. I want to bring over the historic FQDN of my vCenter server, which has a different name and suffix (e.g. vcenter.company.com).
Users go to this https://vcenter.company.com:9443 alias and it works fine. They don't need to be aware of the "real" hostname of vc-01.example.com. Now I am trying to import signed SSL certificates for vcenter.company.com into my SSO, inventory, log browser, etc. Following the instructions in KB 2057223, I generate the certs and then actually replace the default self-signed certs for SSO. This succeeds. But when I try to unregister the inventory service from the SSO with the command:
02-inventoryservice --mode uninstall --ls-server https://vcenter.company.com:7444/lookupservice/sdk
It fails with:
> Using Lookup Service: https://vcenter.company.com:7444/lookupservice/sdk (on the current machine).
> Intializing registration provider...
> Getting SSL certificates for https://vcenter.company.com:7444/lookupservice/sdk
> com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certficate assertion not verified and thumbprint not matched
> Return code is: SslHandshakeFailed 1
Further, when I try to login to vCenter now following a reboot of the appliance, I get:
Failed to connect to VMware Lookup Service https://192.168.0.10:7444/lookupservice/sdk - SSL certificate verification failed.
I notice on the appliance that /etc/vmware-sso/ls_url.txt contains the contents of "https://192.168.0.10:7444/lookupservice/sdk". When I update that to use vcenter.company.com:7444, I now get a different error with my logon attempt:
Cannot connect to vCenter Single Sign-On server https://192.168.0.10:7444/sts/STSService/vsphere.local. The SSL certificate cannot be verified.
I guess I can regenerate the certs on the appliance, but I'm wondering if anyone has a use case like this or seen these issues before and come up with a solution. I've been going through the KB articles but no luck so far... thanks.
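As an added illustration (not part of the original post and not VMware's verifier), the following stdlib-only Python script shows why the three URLs above behave differently: it matches each registered endpoint's host against a constructed Subject Alternative Name list standing in for a certificate issued only for the historic alias, using RFC 6125-style DNS and IP matching. The SAN list and URLs are assumptions built from the post, not read from a real appliance.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list standing in for the replacement certificate from the
# post: issued for the historic alias only, no entry for the AD FQDN or the IP.
REPLACEMENT_CERT_SANS = [("DNS", "vcenter.company.com")]


def _dns_match(pattern: str, host: str) -> bool:
    """RFC 6125-style DNS-ID match: case-insensitive, same label count, and a
    wildcard is honoured only as the whole left-most label of a 3+ label name."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_matches_host(sans, host: str) -> bool:
    """True if `host` (DNS name or IP literal) is covered by the SAN list.
    An IP literal must appear as an IP SAN; a DNS SAN never matches an IP."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in sans:
        if kind == "IP" and ip is not None and ipaddress.ip_address(value) == ip:
            return True
        if kind == "DNS" and ip is None and _dns_match(value, host):
            return True
    return False


def audit_endpoints(urls, sans=REPLACEMENT_CERT_SANS) -> dict:
    """Map each registered service URL to whether this certificate would verify
    for the host named in it (the check a client performs before trusting it)."""
    return {url: cert_matches_host(sans, urlsplit(url).hostname) for url in urls}


if __name__ == "__main__":
    # Endpoints taken from the post: the alias, the IP found in ls_url.txt,
    # the AD FQDN, and the STS URL from the last login error.
    urls = [
        "https://vcenter.company.com:7444/lookupservice/sdk",
        "https://192.168.0.10:7444/lookupservice/sdk",
        "https://vc-01.example.com:7444/lookupservice/sdk",
        "https://192.168.0.10:7444/sts/STSService/vsphere.local",
    ]
    for url, ok in audit_endpoints(urls).items():
        print("OK  " if ok else "FAIL", url)
```

Only the alias URL passes; every endpoint still registered under the IP or the AD FQDN fails hostname verification, which is the condition the SSL errors in the post describe.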