
FBBR – Strict Certificate Validation

https://kb.vmware.com/s/article/75156

By default, vCenter does not validate the backup server's certificate: the backup still starts when the certificate is self-signed or its issuing CA is not present in the TRUSTED_ROOTS store.
With strict certificate validation enabled, the backup starts only when the backup server certificate is available as br_servercert.crt in /etc/applmgmt/appliance/.

Enable Strict Certificate validation

Connect to the vCenter Server Appliance over SSH with root credentials.

Back up the /etc/applmgmt/appliance/appliance.conf file:

# cp /etc/applmgmt/appliance/appliance.conf /etc/applmgmt/appliance/appliance.conf.backup

Edit the /etc/applmgmt/appliance/appliance.conf file:

# vi /etc/applmgmt/appliance/appliance.conf

Change

  "validateCerts": false,

To

  "validateCerts": true,

Restart the applmgmt service:

service-control --stop applmgmt
service-control --start applmgmt

Add the CA certificate or the SSH host key of the target server, depending on the transfer method:

• For FTPS or HTTPS transfers, copy the CA certificate to /etc/applmgmt/appliance/br_servercert.crt on the VCSA.
• For SCP-based backup and restore, copy the SSH host key of the backup server to /etc/applmgmt/appliance/br_known_hosts on the VCSA.
• Entries use the format IP,FQDN algorithm key. The IP and FQDN may share one line, or be given as two separate lines, one for the IP and one for the FQDN.

Start the backup.
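As a pre-flight check for the procedure above, the following added example (not part of the original post or of the appliance) parses a constructed appliance.conf and br_known_hosts in the formats just described: it confirms validateCerts is really the JSON boolean true, rejects malformed known_hosts lines, and reports whether both the IP and the FQDN a backup job may use are pinned to the same key. The nesting of validateCerts inside appliance.conf and all hosts and keys are assumptions.

```python
import json
import re

# Constructed sample contents standing in for the two VCSA files the procedure
# above edits; the hosts and keys are made up and not from any real appliance.
SAMPLE_APPLIANCE_CONF = '{"backup": {"validateCerts": true}, "other": 1}'
SAMPLE_KNOWN_HOSTS = """\
# IP,FQDN algorithm key  (IP and FQDN may share a line or use two lines)
192.0.2.10,backup.example.test ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVk
192.0.2.11 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY=
backup2.example.test ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTY=
"""
KEY_ALGOS = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def _find_key(obj, key):
    """Depth-first lookup so the exact nesting of appliance.conf need not be assumed."""
    if isinstance(obj, dict):
        if key in obj:
            return obj[key]
        for value in obj.values():
            found = _find_key(value, key)
            if found is not None:
                return found
    return None


def strict_validation_enabled(conf_text):
    """True only when validateCerts is the JSON boolean true (the string "true" does not count)."""
    return _find_key(json.loads(conf_text), "validateCerts") is True


def parse_known_hosts(text):
    """Parse br_known_hosts lines of the form 'IP,FQDN algorithm key'; reject malformed lines."""
    entries = []
    for number, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3 or parts[1] not in KEY_ALGOS or not re.fullmatch(r"[A-Za-z0-9+/=]+", parts[2]):
            raise ValueError(f"br_known_hosts line {number} is not 'hosts algorithm key': {line!r}")
        entries.append({"hosts": set(parts[0].split(",")), "algo": parts[1], "key": parts[2]})
    return entries


def host_is_pinned(entries, ip, fqdn):
    """Say whether the IP and the FQDN a backup job may use are both pinned, and to the same key."""
    by_ip = [(e["algo"], e["key"]) for e in entries if ip in e["hosts"]]
    by_fqdn = [(e["algo"], e["key"]) for e in entries if fqdn in e["hosts"]]
    agree = set(by_ip) == set(by_fqdn) if by_ip and by_fqdn else None
    return {"ip": bool(by_ip), "fqdn": bool(by_fqdn), "keys_agree": agree}
```

Run the two parsers against the real files on the VCSA before starting the first backup; an IP that is pinned while the FQDN is not (or vice versa) is exactly the case that fails only when the backup location is later written the other way.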

If the server certificate file is not available, the backup fails with "Failed to validate certificate":

applmgmt.log

2021-08-03T10:39:47.980 [18014]ERROR:plugins.FtpStorageIOLib:ftps cmd failed. RC: 77, Err: curl: (77) error setting certificate verify locations:
  CAfile: /etc/applmgmt/appliance/br_servercert.crt
  CApath: none
, Cmd: ['/usr/bin/curl', '--fail', '-u', 'administrator:****', '--connect-timeout', '10', '--ssl-reqd', '--cacert', '/etc/applmgmt/appliance/br_servercert.crt', '--noproxy', '*', '--silent', '--show-error', '--list-only', 'ftp://192.168.7.52/VMware/']
2021-08-03T10:39:47.992 [18014]ERROR:vmware.appliance.vapi.impl:pint.Error('com.vmware.applmgmt.backup.plugin.cert_validation_err', 'Failed to validate certificate', **{'args': ['Plugin error occurred. ErrCode: 77, Args: ()']})

If the certificate itself has issues (in the log below, its subject name does not match the host name used to reach the server), the backup fails with "Backup server certificate validation failed":

applmgmt.log

2021-08-28T15:34:50.471 [49275]ERROR:plugins.FtpStorageIOLib:ftps cmd failed. RC: 60, Err: curl: (60) SSL: certificate subject name 'WIN-AFRL8D4GU32' does not match target host name '192.168.7.50'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
, Cmd: ['/usr/bin/curl', '--fail', '-u', 'administrator:****', '--connect-timeout', '10', '--ssl-reqd', '--cacert', '/etc/applmgmt/appliance/br_servercert.crt', '--noproxy', '*', '--silent', '--show-error', '--list-only', 'ftp://192.168.7.50/VMware/']
2021-08-28T15:34:50.484 [49275]ERROR:vmware.appliance.vapi.impl:pint.Error('com.vmware.applmgmt.backup.plugin.peer_cert_validate_err', 'Backup server certificate validation failed.', **{'args': ['Plugin error occurred. ErrCode: 8, Args: ()']})

The backup starts once certificate validation succeeds.
