Added information about appliance certificates (#677)
* Added troubleshooting topic about browser cert errors
* Adding new topic on Chrome certs
* Informed users to validate cert before trusting
* Adding info about validating appliance certs
* Minor comment from Zach.
Showing 8 changed files with 125 additions and 6 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
# Verify and Trust vSphere Integrated Containers Appliance Certificates | ||
|
||
You can verify the self-signed certificates and trust the certificate authority (CA) for the vSphere Integrated Containers Getting Started page and the vSphere Integrated Containers Management Portal. Trusting the CA prevents browsers from giving security warnings and potentially locking you out of vSphere Integrated Containers for security reasons. | ||
|
||
**Prerequisites** | ||
|
||
To verify and trust the vSphere Integrated Containers appliance certificates, you must obtain the thumbprints and CA files either directly from the appliance, or from the vSphere administrator. For information about how to obtain certificate information, see [Obtain the Thumbprints and CA Files of the vSphere Integrated Containers Appliance Certificates](../vic_vsphere_admin/obtain_appliance_certs.md). | ||
|
||
**Procedure** | ||
|
||
1. In a browser, go to the Getting Started Page at http://<i>vic_appliance_address</i>. | ||
2. View the certificate details in the browser and locate the SHA-1 thumbprint. | ||
|
||
How you view the certificate details depends on the type of browser that you use. | ||
|
||
5. Compare the SHA-1 thumbprint in the browser to the thumbprint that you or the vSphere administrator obtained from the appliance. | ||
|
||
The thumbprints should be the same. | ||
6. Click the link to the vSphere Integrated Containers Management Portal in the Getting Started page, log in, and repeat the procedure to verify the certificate thumbprint for the management portal. | ||
7. When you have verified both of the thumbprints, import the `ca.crt` files into the root certificate store on your local machine. | ||
|
||
How you import a CA file into the root certificate store depends on the operating system of your local machine. | ||
|
||
**Result** | ||
|
||
When you access the Getting Started page and vSphere Integrated Containers Management Portal, your browser shows that the connection is secure. |
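Review bot: the Procedure numbering jumps from step 2 to step 5, so steps 3 and 4 are missing; either renumber the list 1 to 5 or restore the missing steps (presumably the browser-specific instructions that "How you view the certificate details depends on the type of browser that you use" alludes to). Step 1 also sends the reader to `http://vic_appliance_address`, while steps 2 and 5 inspect the TLS certificate and compare its SHA-1 thumbprint; a plain-HTTP page presents no certificate, so the URL should be `https://` unless the appliance is documented to redirect. Finally, step 7 imports `ca.crt` into the root certificate store, which makes the browser trust anything that CA issues; a sentence that the CA of a decommissioned appliance should be removed again would help, and the `ERR_CERT_INVALID` troubleshooting topic added in this same commit depends on users doing exactly that.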
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
# Obtain the Thumbprints and CA Files of the vSphere Integrated Containers Appliance Certificates | ||
|
||
If you do not provide custom certificates during deployment, the OVA installer generates certificates for the vSphere Integrated Containers Management Portal and the vSphere Integrated Containers file server. These certificates authenticate connections to the Getting Started page, vSphere Integrated Containers Management Portal, and the vSphere Integrated Containers Engine bundle and vSphere Client plug-in downloads. If you deploy the appliance with automatically generated certificates, the certificates are self-signed by an automatically generated Certificate Authority (CA). | ||
|
||
The vSphere administrator obtains the thumbprints and CA files and passes them to other users who need to access the Getting Started page or the vSphere Integrated Containers Management Portal. | ||
|
||
**Procedure** | ||
|
||
1. Use SSH to connect to the vSphere Integrated Containers appliance as `root` user.<pre>$ ssh root@<i>vic_appliance_address</i></pre> | ||
2. Use `openssl` to view the certificate fingerprint of the file server. | ||
|
||
The file server certificate authenticates access to the Getting Started page, including the downloads for the vSphere Integrated Containers Engine bundle and the vSphere Client plug-in. | ||
|
||
<pre>openssl x509 -in /opt/vmware/fileserver/cert/server.crt -noout -sha1 -fingerprint</pre> | ||
|
||
2. Use `openssl` to view the certificate fingerprint of the management portal. | ||
|
||
The management portal certificate authenticates access to the vSphere Integrated Containers Management Portal. | ||
|
||
<pre>openssl x509 -in /data/admiral/cert/server.crt -noout -sha1 -fingerprint</pre> | ||
|
||
3. Take a note of the two thumbprints and close the SSH session. | ||
4. Use `scp` to copy the CA file for the file server to your local machine. | ||
|
||
<pre>scp root@<i>vic_appliance_address</i>:/opt/vmware/fileserver/cert/ca.crt <i>/path/on/local_machine/folder1</i></pre> | ||
|
||
5. Use `scp` to copy the CA file for the management portal to your local machine. | ||
|
||
<pre>scp root@<i>vic_appliance_address</i>:/data/admiral/cert/ca.crt <i>/path/on/local_machine/folder2</i></pre> | ||
|
||
Be sure to copy the two files to different locations, as they are both named `ca.crt`. | ||
|
||
You can share the thumbprints and CA files with users who need to connect to the vSphere Integrated Containers Management Portal or downloads. For information about how to verify the thumbprints and trust the CAs, see [Verify and Trust vSphere Integrated Containers Appliance Certificates](../vic_cloud_admin/trust_vic_certs.md). |
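Review bot: the introduction says the certificates are "self-signed by an automatically generated Certificate Authority (CA)", which is contradictory: a certificate is either self-signed or issued by a CA, and since steps 4 and 5 have users copy `ca.crt` in order to trust it, the server certificates are issued by the generated CA; suggest "issued by an automatically generated, self-signed CA". The procedure also has two steps numbered 2 (file server and management portal), so the list should run 1 to 6. The `openssl` commands print a "fingerprint" while the prose and the linked topic say "thumbprint"; either use one term consistently or add a one-line note that they are synonyms, so readers comparing the command output with the browser's certificate dialog are not left wondering whether they are looking at the same value.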
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
# Browser Rejects Certificates with `ERR_CERT_INVALID` Error # | ||
|
||
Attempts to connect to vSphere Integrated Containers web interfaces fail with certificate errors in Google Chrome browsers. | ||
|
||
## Problem ## | ||
|
||
When you attempt to access the vSphere Integrated Containers Getting Started page, vSphere Integrated Containers Management Portal, or the administration portal for a virtual container host (VCH), Google Chrome rejects the connection with an `ERR_CERT_INVALID` error and a warning similar to the following: | ||
|
||
<pre><i>Web_address</i> normally uses encryption to protect your information. When Google Chrome tried to connect to <i>web_address</i> this time, the website sent back unusual and incorrect credentials... | ||
|
||
You cannot visit <i>web_address</i> right now because the website sent scrambled credentials that Google Chrome cannot process...</pre> | ||
|
||
This issue only affects Google Chrome. Other browsers do not report certificate errors. | ||
|
||
## Cause ## | ||
|
||
You have already accepted a client certificate or a generated Certificate Authority (CA) for a previous instance of the vSphere Integrated Containers appliance or for a VCH that had the same FQDN or IP address as the new instance. | ||
|
||
## Solution ## | ||
|
||
1. Search the keychain on the system where the browser is running for client certificates or CAs that are issued to the FQDN or IP address of the vSphere Integrated Containers appliance or VCH. | ||
|
||
Auto-generated vSphere Integrated Containers appliance and VCH certificates are issued by **Self-signed by VMware, Inc**. | ||
|
||
2. Delete any client certificates or CAs for older instances of vSphere Integrated Containers appliances or VCHs. | ||
3. Clear the browser history, close, and restart Chrome. | ||
4. Connect to the vSphere Integrated Containers Getting Started page, vSphere Integrated Containers Management Portal, or VCH Administration portal again, verify the certificate, and trust it if it is valid. | ||
|
||
For information about how to verify certificates for the vSphere Integrated Containers appliance, see [Verify and Trust vSphere Integrated Containers Appliance Certificates](../vic_cloud_admin/trust_vic_certs.md). |
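Review bot: the Cause section and Solution steps 1 and 2 refer to a previously accepted "client certificate", but what the browser accepted for the old appliance or VCH is that endpoint's server certificate (a client certificate is one the browser presents to the server); suggest "server certificate". Step 1 tells the user to search "the keychain", which is macOS terminology; since the topic covers Chrome in general, say "certificate store (the keychain on macOS)" so Windows and Linux users know where to look. The sentence "Other browsers do not report certificate errors" also reads too broadly, given that the trust_vic_certs.md topic in this same commit explains that untrusted self-signed certificates cause browser security warnings; narrow it to this particular `ERR_CERT_INVALID` failure on a reused FQDN or IP address.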
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
# vSphere Integrated Containers Certificate Reference # | ||
|
||
vSphere Integrated Containers authenticates connections to its various components by using TLS certificates. In some cases, the certificates are always automatically generated and self-signed. In other cases, you have the option of providing custom certificates. | ||
|
||
This topic provides a reference of all of the certificates that vSphere Integrated Containers uses. | ||
|
||
|
||
|**Component**|**Certificate Type**|**Purpose**|**Used By**| | ||
|---|---|---|---| | ||
|vCenter Server or ESXi host|Self-signed or custom|Required for installation of the vSphere Client plug-ins and deployment and management of virtual container hosts (VCHs). See [Obtain the Certificate Thumbprint of vCenter Server or an ESXi Host](obtain_thumbprint.md).|vSphere administrator| | ||
|vSphere Integrated Containers Management Portal|Self-signed or custom|Authenticates connections from browsers to vSphere Integrated Containers Management Portal. See [Obtain the Thumbprints and CA Files of the vSphere Integrated Containers Appliance Certificates](obtain_appliance_certs.md) and [Verify and Trust vSphere Integrated Containers Appliance Certificates](../vic_cloud_admin/trust_vic_certs.md).|Cloud and DevOps admininistrators, developers| | ||
|vSphere Integrated Containers Registry|Self-signed|Authenticates connections to vSphere Integrated Containers Registry instances from Docker clients, replication of projects between registry instances, and registration of additional registry instances in the management portal. See [Configure System Settings](../vic_cloud_admin/configure_system.md).|Cloud and DevOps admininistrators, developers| | ||
|vSphere Integrated Containers file server|Self-signed or custom|Authenticates connections to the Getting Started page, downloads of vSphere Integrated Containers Engine binaries, and the installation of vSphere Client plug-ins. See [Obtain the Thumbprints and CA Files of the vSphere Integrated Containers Appliance Certificates](obtain_appliance_certs.md) and [Verify and Trust vSphere Integrated Containers Appliance Certificates](../vic_cloud_admin/trust_vic_certs.md).|vSphere administrator, Cloud and DevOps admininistrators, developers| | ||
|VCH|None, self-signed, or custom|Authenticates connections from Docker clients to VCHs. See [VCH Deployment Options](vch_installer_options.md#security).|vSphere administrator, Cloud and DevOps admininistrators, developers | | ||
|VCH Administration Portal|None, self-signed, or custom|Authenticates connections from browsers to the administration portals of individual VCHs. See [VCH Administration Portal](access_vicadmin.md).|vSphere administrator| | ||
|
||
|
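Review bot: "admininistrators" is misspelled in the Used By column of the Management Portal, Registry, file server and VCH rows; it should be "administrators". The Certificate Type column also lists the Management Portal and file server certificates as "Self-signed or custom", but the obtain_appliance_certs.md topic added in this same commit describes them as issued by a generated CA whose `ca.crt` users import into their root store; "Issued by a generated CA, or custom" (or a short note defining what "self-signed" means in this table) would match that topic and tell readers which rows require importing a CA file.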