I have a script that automatically renews my vCenter certificates. It must have been after some update, but I noticed my certificates are no longer being accepted by my vCenter. They renew just fine; it's just that I receive this error message:
```text
Exception caught for provided certificate - /root/.acme.sh/vcenter.internal.domainname.net_ecc/vcenter.internal.domainname.net.cer. Error: Certificate uses unsupported signature algorithm - ecdsa-with-SHA384. Only SHA-2 RSA algorithms are supported on the vCenter Server.
Status : 0% Completed [Operation failed, performing automatic rollback]
```
I've been looking into how I can change this and from what I gather, renewals use the original key type and length that was previously used.
Somewhere I found that setting the keylength to 2048 forces signing with RSA. When I did that and used --force to renew, the certificates got rejected with the same message.
I changed the default CA back to Let's Encrypt (from ZeroSSL) and tried again, but got the same error message.
I then read somewhere that it might not use what I specify on the command line when there are previously saved renewals with a conf found, so I removed the mydomain.net/ directories (actually, I moved them ;) ) and forced again. It recreated everything, and still the certificates are being rejected with the same error message.
OpenSSL shows me the following:
```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ....
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Dec 27 14:21:45 2023 GMT
            Not After : Mar 26 14:21:44 2024 GMT
        Subject: CN = vcenter.internal.domainname.net
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
```
I don't know, but that looks like SHA-2 RSA to me, with a 2048-bit key length? But then further down I see this (no idea if it has any impact):
```text
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
```
So it's all `X509v3`. When I check this page: https://core.vmware.com/vmware-vsphere-8-default-ssltls-cipher-suites#section1 it doesn't list `x509v3` in the first column. But I am going out on a limb; maybe it's something else entirely, I don't know. If someone can help me out here I would greatly appreciate it!
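As an added example (not from the original post or from acme.sh), the following pre-install check applies the rule the vCenter error states to the file a renewal script is about to install: it reads `openssl x509 -noout -text` output and only passes when the signature algorithm is SHA-2 RSA and the key is RSA. Note that the rejected path in the error message sits under the `_ecc` directory, which is where acme.sh keeps ECC-keyed certificates, so the check is worth pointing at exactly the file the install step uses; the `/root/.acme.sh/...` path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Pre-install check for vCenter: only SHA-2 RSA signatures and RSA keys are
# accepted there. classify_cert_text reads `openssl x509 -noout -text` output
# on stdin, prints "ok" or a short reason, and returns 0 (ok) or 1 (reject).
classify_cert_text() {
  text=$(cat)
  # First "Signature Algorithm:" line is the one inside tbsCertificate.
  sig=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
  key=$(printf '%s\n' "$text" | sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1)
  case "$sig" in
    sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) ;;
    '') echo "no signature algorithm found"; return 1 ;;
    *) echo "unsupported signature algorithm: $sig"; return 1 ;;
  esac
  case "$key" in
    rsaEncryption) ;;
    *) echo "unsupported key type: ${key:-unknown}"; return 1 ;;
  esac
  echo "ok"
  return 0
}

# check_cert_file inspects a PEM certificate file with openssl and applies
# the check above; use its exit status to abort the install step.
check_cert_file() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | classify_cert_text
}

# Example use in a renewal script (placeholder path, not a real deployment):
# check_cert_file "/root/.acme.sh/vcenter.example.net/vcenter.example.net.cer" || exit 1
```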