Upload Files to VMware Datastore Fails

KB ID 0001777

Problem

Whilst attempting to upload an ISO into a VMware datastore this morning, I got this error;

The operation failed for an undetermined reason. Typically this problem occurs due to certificates that the browser does not trust. If you are using self-signed or custom certificates, open the URL below in a new browser tab and accept the certificate, then retry the operation.

Solution

I’ve encountered this exact problem once before here: VMware: ISO Upload or Deploy OVA Fails ‘Undetermined Reason’. It happens because you do not trust the CA that signed the certificate that vSphere is using. Go back to the initial logon page and click ‘Download Trusted Root CA Certificates’. Note: if you have a stupid browser that tries to open the file (I’m looking at you Microsoft Edge!), then choose ‘Save target as’ and save the zip file containing the root CA certificates.

Open the Zip file and choose the Windows or Mac version and locate the file that has the CRT extension (the other file is a certificate revocation list, and you don’t need this). Double click the certificate and choose ‘Install Certificate’.

Select ‘Local Machine’.

Select the option to choose which store to use and put it in ‘Trusted Root Certification Authorities’ > Then complete the import wizard (and ensure it says the import was successful). Then restart your browser, log back into vSphere and try again.

Related Articles, References, Credits, or External Links

NA

Exchange / Outlook – Security Alert – “The security certificate was issued by a company you have not chosen to trust”

KB ID 0000454

Problem

Out of the box, Exchange 2007 and 2010 come with a “Self Signed” digital certificate. That’s OK for getting you up and running, but your Outlook clients may start to see the error below.

Error:
Security Alert
Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with the sites security certificate.
The security certificate was issued by a company you have chosen not to trust. View the Certificate to determine whether you want to trust the certifying authority.

Solution

You have a number of options to stop this error.

Option 1 (This is WHAT YOU SHOULD DO!)

You should purchase a certificate signed by a trusted certification authority. These used to cost a fortune, but if you shop around you can pick them up very cheaply.

Obtaining, and Installing an Exchange Certificate.

Option 2 (Free, and handy if you don’t have a lot of clients)

It still amazes me that people will pay out for a new server, and Exchange, but then refuse to buy a certificate? But if you’re reading this then that might well be you. You can choose to trust the certificate that’s being presented to you. You carry out this procedure on each Outlook client. (If you have a lot of Outlook clients then skip to options 3 and 4.)

1. First, start up Outlook and get the error message on the screen.

2. Select “View Certificate” > Install Certificate > Next.

3. Select “Place all certificates in the following store” > Browse > Select “Trusted Root Certification Authority” > OK.

4. Finish.

5. Select yes to accept the certificate import > Restart Outlook.
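
A scripted form of this import, which also fits the vSphere root CA import earlier on this page, with the check the wizard skips: the file must match a thumbprint you already know. This is an added example, not part of the original article; `$Path` and `$ExpectedThumbprint` are parameters assumed here, and the thumbprint is one you have obtained from the server itself rather than from the warning dialog.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell.
# $Path: the .crt/.cer file to trust. $ExpectedThumbprint: value obtained from
# the server's administrator or console, not from the file being checked.
param(
    [Parameter(Mandatory = $true)] [string] $Path,
    [Parameter(Mandatory = $true)] [string] $ExpectedThumbprint
)

$file = (Resolve-Path -LiteralPath $Path).Path
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

# Show exactly what is about to become trusted on this machine.
$cert | Format-List Subject, Issuer, NotBefore, NotAfter, Thumbprint

# Normalise the expected value: copy and paste often adds spaces or colons.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch (file: $($cert.Thumbprint)). Nothing imported."
}

$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity period. Nothing imported."
}

# Only self-issued certificates belong in the Trusted Root store.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Issuer differs from Subject: not a root or self-signed certificate."
}

# A CA certificate in this store makes the machine trust everything it issues.
$bcType = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
$bc = $cert.Extensions | Where-Object { $_ -is $bcType }
if ($bc -and $bc.CertificateAuthority) {
    Write-Warning "This is a CA certificate: every certificate it signs will be trusted."
}

Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root

# Confirm the certificate is now present in the store.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expected }
```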

Option 3 (Free, and handy if you have a lot of clients)

Install Certificates with Group Policy GPO

Option 4

Install your own certification authority, and sign your own Exchange certificate. Great if you already have a CA, though it’s a mess about just to solve this problem.

Cisco PRSM – Replace the Certificate Using Microsoft Certificate Services

KB ID 0001023 

Problem

Cisco PRSM gives you the ability to import certificates into it, but like other Linux distros, it does not give you the tools to generate the actual certificate request. The documentation tells you to use OpenSSL to do this. I was just about to fire up a CentOS box when I remembered I did something similar for VMware 5.5 not so long ago, would the same procedure work here? Yes it did, and it’s a lot easier than growing a ginger ponytail, donning sandals and firing up Linux.

Solution

The following procedure was carried out on Windows Server 2012 R2. I want my certificate to have a common name of prsm.petenetlive.com (change your configs and commands accordingly).

1. Download and install the following.

Microsoft Visual C++ 2008 Redistributable Package (x86) and Shining Light Productions installer for OpenSSL x86 version 0.98r (or later)

2. Accept all the defaults and it should install to C:\OpenSSL-Win32. Go there, and in the bin directory make a backup of the openssl.cfg file.

2. Open the original openssl.cfg file and delete everything out of it, then paste in the following text, replace the values in red with your own, and save the file.

[box]

[ req ]
default_bits = 2048
default_keyfile = prsm.petenetlive.com.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:PRSM, IP:123.123.123.110, DNS:prsm.petenetlive.com

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Teesside
localityName = Middlesbrough
0.organizationName = PeteNetLive
organizationalUnitName = Technical Services
commonName = prsm.petenetlive.com

[/box]

3. Open an administrative command window, issue the following three commands;

[box]

cd C:\OpenSSL-Win32\Bin

openssl req -new -nodes -out prsm.petenetlive.com.csr -keyout prsm.petenetlive.com-orig.key -config openssl.cfg

openssl rsa -in prsm.petenetlive.com-orig.key -out prsm.petenetlive.com.key

[/box]

Don’t worry if it says it can’t read the openssl.cnf file.

4. If you look in the C:\OpenSSL-Win32\bin directory you will see the CSR (certificate request) has been generated.

5. Open the .csr file with notepad and copy all the text, (this is a request in PEM format). This is what you will give to your CA to request the certificate, copy that to the clipboard.

6. Connect to your Certificate Authority web enrollment portal > Request a certificate.

7. Advanced certificate request.

8. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

9. Paste in the PEM text you copied to the clipboard > Set the certificate template to ‘Web Server’ > Submit.

Note: Your CA may have a different template for web server certificates, if so use that one. If you don’t see web server either it’s not been published, or your user does not have rights to the certificate template.

10. Choose ‘Base 64 encoded’ > Download > Save the cert in the directory you were using earlier (you will see why in a minute) > I give it the same name as the common name on the certificate so I saved it as prsm.petenetlive.com.cer

11. Here it is, but there is still a problem with it, PRSM needs the certificate in x509 format, (it isn’t). But OpenSSL-Win32 can convert it for us.

How to Convert a Windows .cer file to an x509 .crt file

12. Open an administrative command window and issue the following two commands;

[box]

cd C:\OpenSSL-Win32\bin
openssl x509 -in prsm.petenetlive.com.cer -out prsm.petenetlive.com.crt

[/box]

13. Now it looks better. For PRSM we need this file AND we need the .key file (not the one that ends in xxx-orig.key!). In the example below I’ve kept everything neat so the other file I need is prsm.petenetlive.com.key (third one down).

14. Connect to PRSM > Administration > Server Certificates > Browse and select both files.

15. Install and Restart Server.

16. Restart.

17. Refresh your web session and you should now be using the correct certificate.
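
Before uploading the two files in step 14, it is worth confirming that the issued certificate matches the private key and still carries the subject alternative names set in openssl.cfg. The PowerShell below is an added example, not part of the original article; it assumes it is run from the OpenSSL bin directory and that the files use the names from the steps above.

```powershell
# Added example (not from the original article). Run from C:\OpenSSL-Win32\bin.
# File names follow the article's example; change $name to your common name.
$name = 'prsm.petenetlive.com'

function Get-ModulusHash {
    param([string[]] $OpenSslArgs)
    # Ask OpenSSL for the RSA modulus, then hash it so values are easy to compare.
    $modulus = & .\openssl.exe @OpenSslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl $($OpenSslArgs -join ' ') failed" }
    $bytes = [System.Text.Encoding]::ASCII.GetBytes(($modulus -join ''))
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    [System.BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
}

$keyHash  = Get-ModulusHash -OpenSslArgs @('rsa',  '-noout', '-modulus', '-in', "$name.key")
$csrHash  = Get-ModulusHash -OpenSslArgs @('req',  '-noout', '-modulus', '-in', "$name.csr")
$certHash = Get-ModulusHash -OpenSslArgs @('x509', '-noout', '-modulus', '-in', "$name.crt")

# The CSR and the issued certificate must both carry the public half of the key.
if ($keyHash -ne $csrHash)  { throw "$name.csr was not generated from $name.key" }
if ($keyHash -ne $certHash) { throw "$name.crt does not match $name.key" }
Write-Host "Key, CSR and certificate share the same public key."

# Show who issued the certificate and when it expires.
& .\openssl.exe x509 -noout -subject -issuer -dates -in "$name.crt"

# Check that the names requested in [ v3_req ] made it into the issued certificate.
$certText = & .\openssl.exe x509 -noout -text -in "$name.crt"
$sanLines = $certText | Select-String -Pattern 'DNS:|IP Address:'
if ($sanLines) {
    $sanLines | ForEach-Object { $_.Line.Trim() }
} else {
    Write-Warning "The issued certificate has no subjectAltName entries."
}

# encrypt_key = no and -nodes leave the private key unencrypted on disk.
Get-ChildItem -Filter "$name*.key" | Select-Object Name, Length, LastWriteTime
Write-Warning "Remove or lock down these key files once PRSM has been updated."
```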
