VMware

vCloud Director 5.5.x – Media Upload SSL Thumbprint mismatch with SSL offloading

Posted on 12/03/2014 · Posted in VMware

VMware quietly changed one thing with the new upload mechanism of vCloud Director 5.5.x, and this generates an error when trying to upload a media file (ISO image) or a VM OVA/OVF file. vCD 5.5 now checks the SSL thumbprints and thus generates an error if you use SSL offloading on a firewall while leaving self-signed certificates on the vCD server itself. This was possible with earlier versions of vCloud Director (5.1.x and 1.5), but with the latest versions 5.5 and 5.5.1 it’s a no go. To fix this, you will need to change the certificates in the keystore to your public certificates; this way the certificate presented by the firewall will match your server’s certificate.

Rommel Humarang wrote a good post on how to change your vCD certificates to a public one, and the original article can be found here. This is just a copy & paste of it. Note that you can’t change the aliases the keystore uses (http and consoleproxy), as then the vCD node won’t be able to determine which certificate to use for what.

Edit: the VMware vCloud Director 5.5.1 changelog mentions the following fix here (which affected those using the word “cloud” in their URL):

  • Uploading a vApp or media file sometimes fails
    Attempting to upload a vApp or media file failed with the error Target SSL fingerprint mismatch detected if the vCloud Director DNS name includes cloud. This issue is resolved in vCloud Director 5.5.1.


1. Convert pfx to pem: openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

2. Obtain the private key from certificate.cer (cut and paste the private key to a new file, name it wildcard.key)

3. Use the following command to recreate the pfx and set the alias (PKCS12 keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name http -passout pass:password -out http.pfx

4. Use the same certificate and key to create the consoleproxy pfx (PKCS12 keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name consoleproxy -passout pass:password -out consoleproxy.pfx

5. Import the 2 PKCS12 keystores into the Java keystore using keytool:

./keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias http -destalias http -srcstorepass password
./keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias consoleproxy -destalias consoleproxy -srcstorepass password

6. Import the root certificate to the same keystore:
./keytool -importcert -alias root -file DigiCertHighAssuranceEVRootCA.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

7. Import the Intermediate certificate to the same keystore:
./keytool -importcert -alias intermediate -file DigiCertHighAssuranceCA-3.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

8. Verify the CERTIFICATES.ks keystore:
./keytool -list -keystore CERTIFICATES.ks -storetype JCEKS -storepass password

9. Set the necessary ownership on the keystore:
chown vcloud:vcloud /opt/vmware/vcloud-director/jre/bin/CERTIFICATES.ks

10. Stop the VCD service: service vmware-vcd stop

11. Run the configure command: /opt/vmware/vcloud-director/bin/configure

12. When prompted for the certificate, point to the following: /opt/vmware/vcloud-director/jre/bin/CERTIFICATES.ks

13. When prompted to start the cell, press y and Enter
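Before and after the cell restart it is worth confirming that the certificate the offloading firewall presents for the vCD URL really is the one now sitting under the http alias, since that thumbprint comparison is exactly what the 5.5 upload check fails on. The script below is an added example, not part of the original post or of vCD; it assumes the certificate.cer from step 1 (which also carries Bag Attributes lines and the private key) and the hostname of your vCD URL as arguments, and prints both SHA-1 thumbprints in the same form keytool -list shows them.

```python
import hashlib
import ssl

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, printed the way keytool -list shows it (AB:CD:...)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def first_cert_pem(text: str) -> str:
    """Return only the first CERTIFICATE block of a PEM file.
    certificate.cer from step 1 also holds Bag Attributes and the private key, which are skipped."""
    start = text.find(BEGIN)
    end = text.find(END, start)
    if start < 0 or end < 0:
        raise ValueError("no CERTIFICATE block found")
    return text[start:end + len(END)] + "\n"


def thumbprint_from_pem(text: str) -> str:
    return sha1_thumbprint(ssl.PEM_cert_to_DER_cert(first_cert_pem(text)))


def thumbprints_match(a: str, b: str) -> bool:
    """Compare ignoring case and separators (keytool prints 'AB:CD', openssl prints 'ab:cd')."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(a) == norm(b)


def live_thumbprint(host: str, port: int = 443) -> str:
    """Thumbprint of the leaf certificate the firewall/offloader actually serves for the vCD URL."""
    return thumbprint_from_pem(ssl.get_server_certificate((host, port)))


def check(cert_path: str, host: str, port: int = 443) -> bool:
    """True when the keystore certificate and the live endpoint certificate are the same cert."""
    with open(cert_path) as f:
        expected = thumbprint_from_pem(f.read())
    actual = live_thumbprint(host, port)
    print(f"keystore : {expected}\nendpoint : {actual}")
    return thumbprints_match(expected, actual)


if __name__ == "__main__":
    import sys
    # Usage (hostname is a placeholder): python check_thumbprint.py certificate.cer vcd.example.com
    ok = check(sys.argv[1], sys.argv[2])
    print("thumbprints match" if ok else "MISMATCH: vCD 5.5 media/vApp uploads will fail")
    sys.exit(0 if ok else 1)
```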