Failed to connect to VMware Lookup Service……SSL certificate verification failed

今天登陆vsphere web-client时候，报错如下：

Failed to connect to VMware Lookup Service https://vc-test.cebbank.com:7444/lookupservice/sdk - SSL certificate verification failed.

放狗搜了下和自己测了下，根据问题类型有如下两种解决方案，我先说下如何去获取错误的详细信息，然后再给大家分别上两个解决办法。

1、获取错误日志

VSphere服务器进入%TEMP%路径，详细错误日志在vm_ssoreg.log和vminst.log中，您的机器可能看不到这个日志，没关系的。我把我的日志信息列在下面

_{[2016-08-22 10:58:13,758 main ERROR com.vmware.vim.install.impl.LookupServiceAccess] com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched}
_{[2016-08-22 10:58:13,760 main DEBUG com.vmware.vim.install.impl.LookupServiceAccess]}
_{com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched}
_{at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setError(ResponseImpl.java:224)}
_{at com.vmware.vim.vmomi.client.http.impl.HttpExchange.run(HttpExchange.java:131)}
_{at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingImpl.send(HttpProtocolBindingImpl.java:98)}
_{at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.sendCall(MethodInvocationHandlerImpl.java:533)}
_{at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.executeCall(MethodInvocationHandlerImpl.java:514)}
_{at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.completeCall(MethodInvocationHandlerImpl.java:302)}
_{at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invokeOperation(MethodInvocationHandlerImpl.java:272)}
_{at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invoke(MethodInvocationHandlerImpl.java:169)}
_{at com.sun.proxy.$Proxy22.retrieveServiceContent(Unknown Source)}
_{at com.vmware.vim.install.impl.LookupServiceAccess.createLookupService(LookupServiceAccess.java:98)}
_{at com.vmware.vim.install.impl.LookupServiceAccess.<init>(LookupServiceAccess.java:56)}
_{at com.vmware.vim.install.impl.RegistrationProviderImpl.<init>(RegistrationProviderImpl.java:55)}
_{at com.vmware.vim.install.RegistrationProviderFactory.getRegistrationProvider(RegistrationProviderFactory.java:143)}
_{at com.vmware.vim.install.RegistrationProviderFactory.getRegistrationProvider(RegistrationProviderFactory.java:60)}
_{at com.vmware.vim.install.cli.commands.CommandArgumentsParser.createServiceProvider(CommandArgumentsParser.java:241)}
_{at com.vmware.vim.install.cli.commands.CommandArgumentsParser.parseCommand(CommandArgumentsParser.java:101)}
_{at com.vmware.vim.install.cli.commands.CommandFactory.createValidateLsCommand(CommandFactory.java:36)}
_{at com.vmware.vim.install.cli.RegTool.process(RegTool.java:91)}
_{at com.vmware.vim.install.cli.RegTool.main(RegTool.java:38)}
_{Caused by: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched}
_{at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:267)}
_{at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:230)}
_{at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)}
_{at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)}
_{at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:147)}
_{at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:108)}
_{at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:415)}
_{at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:641)}
_{at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:576)}
_{at com.vmware.vim.vmomi.client.http.impl.HttpExchange.run(HttpExchange.java:111)}
_{... 17 more}
_{Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <vc-test.cebbank.com> != <"ssoserver> OR <vc-test.cloud.cebbank.com>}
_{at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)}
_{at org.apache.http.conn.ssl.StrictHostnameVerifier.verify(StrictHostnameVerifier.java:61)}
_{at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)}
_{at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:253)}
_{... 26 more}

根据上面红色部分字体，可以判断我这台机器是由于修改过hosts文件的注册造成的，那修改办法有两个

2、解决方案一：重新配置SSL certificate

针对vSCA(VMware vCenter Server Appliance)，集成在一台机器上的情况，直接在页面修改配置，并重启即可，直接参考Failed to connect to VMware Lookup Service – SSL Certificate Verification Failed。

如果懒得蹦过去看，步骤我也抄过来了，如下：

Log in the VCSA itself via https://<vcsa-name>:5480
Navigate to the ‘Admin’ tab
Turn ‘Certificate regeneration enabled‘ to ‘yes‘ by using the ‘Toggle certificate setting‘ button
Reboot the vCenter Server Appliance

这是网上最常见的解决办法，但我的机器这不是vSCA啊。想必大家在生产环境也都不是这么用的吧，那怎么办呢？

3、解决方案二：向其他 vCenter Single Sign-On 实例注册 vSphere Web Client

要向其他 vCenter Single Sign-On Lookup Service 注册 vSphere Web Client，请执行以下操作：

打开命令提示符。
将目录更改为：
C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts

注意：如果 vSphere Web Client 的安装位置不是默认 C:\Program Files\，请调整该路径。
运行 client-repoint.bat 命令向其他 vCenter Single Sign-On 和 Lookup Service 注册 vSphere Web Client：
client-repoint.bat lookup_service_url "single_sign_on_admin_user" "single_sign_on_admin_password"

使用以下示例作为模型：

对于 vCenter Server 5.1：

client-repoint.bat https://machinename.corp.com:7444/lookupservice/sdk "admin@System-Domain" "SSO_pw1@"

对于 vCenter Server 5.5：

client-repoint.bat https://machinename.corp.com:7444/lookupservice/sdk "administrator@vSphere.local" "SSO_pw1@"

在本例中，7444 是 vCenter Single Sign-On 的默认 HTTPS 端口号。如果您使用自定义端口，请将示例中的端口号替换为您使用的端口号。需要使用引号对 Single Sign-On 用户名和密码中的特殊字符进行转义。上面红线处的主机域名修改是造成问题的原因，请注意填写安装时配置的域名或者IP

现在，已向 vCenter Single Sign-On and Lookup Service 注册了 vSphere Web Client。亲测有效

结论，安装时需要慎重填写FQDN，并配置各服务，做好规划

参考或复制自：

重新指向和重新注册 VMware vCenter Server 5.1/5.5 及组件 (2083219)