Re: vCenter connection failing again


I was having the exact same issue and after a little research I was able to come up with a temporary solution for our environment, or at least until our server admins can update the vCenter certificate from 512 bits to 1024 bits. So here’s my story or you can skip to the end for quick instructions.

At first when I would go to https://vcenteripaddress I would see this page.

1.png


After clicking Continue to this website (not recommended) a few times I was still receiving the Certificate Error: Navigation Blocked message.

2.png


After viewing the certificate in IE we found out it was 512 bits. Based on the Microsoft Security Advisory (2661254) article,

“Microsoft is announcing the availability of an update to Windows that restricts the use of certificates with RSA keys less than 1024 bits in length. The private keys used in these certificates can be derived and could allow an attacker to duplicate the certificates and use them fraudulently to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.”

Ok, so my vCenter certificate is 512 bits, Microsoft just released update (KB 2661254) which restricts using certificates less than 1024 bits, and my Solarwinds servers are still not able to poll vCenter due to some kind of SSL/TLS secure channel underlying connection being closed! >.< What the heck man! I could try one of VMware’s solutions to replace the certificate with one at least 1024 bits, or I could use one of the resolutions suggested in Microsoft Security Advisory: Update for minimum certificate key length (KB2661254). It’s like they say when you go take a Microsoft certification exam: although you may know a quicker or faster way to do something, if you want to pass the exam you had better do it the Microsoft way. With all that being said, we had to go the Microsoft route due to vCenter being supported by another group.



Referencing back to the Microsoft Security Advisory: Update for minimum certificate key length, Microsoft has a temporary solution.

“Microsoft does not recommend customers use certificates less than 1024 bits long. Customers may however need a temporary workaround while a longer term solution is developed to replace RSA certificates with a key length of less than 1024 bits length. In these cases, Microsoft is providing the customers the ability to change the way the update functions.”

Toward the end of the article, in section MinRsaPubKeyBitLength, Microsoft provides you with a command to run.

MinRsaPubKeyBitLength is a DWORD value that defines the minimum allowed RSA key length. By default, this value is not present, and the minimum allowed RSA key length is 1024. You can use certutil to set this value to 512 by running the following command:


certutil -setreg chain\minRSAPubKeyBitLength 512


Note: All certutil commands shown in this article require local Administrator privileges because they are changing the registry. You can ignore the message that reads "The CertSvc service may have to be restarted for changes to take effect." That is not required for these commands because they do not affect the certificate service (CertSvc).


You can revert to blocking keys that have a length of less than 1024 bits by removing the value. To do this, run the following certutil command:

certutil -delreg chain\MinRsaPubKeyBitLength

I made this mistake more times than I want to admit, but I figured it’s worth mentioning since it’s what ultimately corrected our problem, twice. We have a total of seven Orion servers with one web console/poller, six additional pollers, and four vCenter servers. When we initially set everything up we had all four vCenter servers being polled from the main web console/poller. After a few weeks of collecting metrics on “the cloud”, two of the vCenter servers’ certificates expired just as we were getting ready to show off our new tool. When the certificates expired, that’s when we noticed the same error quite a few people are having:

“Could Not Poll” and “Error while connecting to VMware device - The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.”

3.png


During this time frame, I think about a week total, while the certificate was being renewed, all seven of our Orion servers received the Microsoft update. I’ve now gone from clearing the ssl cache and updating the certificate on the main web console/poller, because that’s the assigned polling engine for all four vCenter servers, and showing off our new software to banging my head against the wall wondering why I can’t get past the “Certificate Error: Navigation Blocked” page.

The temporary solution we used to get past the “Certificate Error: Navigation Blocked” message was to run the following command on THE POLLING ENGINE THAT IS POLLING VCENTER. That’s the key!

certutil -setreg chain\minRSAPubKeyBitLength 512


4.png


After we ran the command on our main web console/poller we then launched IE from the web console/poller and went to "https://vcenteripaddress". Once again we were prompted with the exact same message, “Continue to this website (not recommended)”. Now when we clicked on “continue” we were able to see the vSphere welcome page even though IE is still telling us we have a certificate error. Once we were able to view the vSphere welcome page we were able to connect and poll within Orion. Since we already had the vCenter Server being polled via our web console/poller, we simply went into the virtualization settings, checked our vCenter Server and reassigned it the same credentials and tested successfully from there.



5.png



A few other thwack posts mentioned you could go to “https://vcenteripaddress/sdk” to test connectivity, but when I did I was greeted with my favorite message, “Continue to this website (not recommended)”.


1.png


After clicking “Continue to this website (not recommended)” I received this HTTP 404 message.


6.png

Based on the VMware Knowledge Base article (KB: 1003218):

"The service at https://localhost/sdk is not an HTML webserver that can serve web pages. The service functions over the SOAP protocol (an .xml based protocol) and only responds to SOAP requests. For example a SOAP protocol request will serve https://vcenteripaddress/sdk/vimService.wsdl page where vimservice.wsdl is the name of the Web Services Description Language (WSDL) webpage file provided by VMware."

I went to https://vcenteripaddress/sdk/vimService.wsdl which displayed this page.


7.png



Quick Reference

We were experiencing the following vCenter polling error:

3.png


In addition we were unable to access 1) vCenter’s Welcome page and/or 2) SDK from the polling engine that is unable to connect to the vCenter Server.

1) https://vcenteripaddress

2) https://vcenteripaddress/sdk/vimService.wsdl

Note: The polling engine used to poll your vCenter server may be different than the web console you use to access Orion.

Quick Steps


1) We determined the polling engine used to poll the vCenter Server.

2) Log on to the polling engine server and browse to the following sites.

  a. https://vcenteripaddress
  b. https://vcenteripaddress/sdk/vimService.wsdl

3) Receive the following error message: “Certificate Error: Navigation Blocked”

2.png


When we clicked “Continue to this website (not recommended)” nothing happened.

1) Ran the following command as a local admin

  • certutil -setreg chain\minRSAPubKeyBitLength 512

2) Revisited the sites with success after clicking “Continue to this website (not recommended)”

3) Opened the Orion Web Console and went to the Virtualization Setting page.

  • Settings / Virtualization Settings / VMware

4) Checked the box by the vCenter that was not connected.

5) Clicked “Assign ESX Credential” and tested credentials successfully.

6) Resume monitoring your vCenter environment.
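As an added example (not part of the original post), here is a PowerShell check you can run on the polling engine to see the key size and expiry of the certificate vCenter actually presents, and whether the MinRsaPubKeyBitLength override from the post is still set on that machine, so you know when the workaround can be removed once a 1024-bit certificate is in place. The hostname is a placeholder, and the registry path is assumed to be the location the advisory's certutil chain\ commands write to.

```powershell
# Added example, not from the original post. Run on the Orion polling engine
# that polls vCenter. Reports the RSA key size and expiry of the certificate
# vCenter presents, and whether the KB2661254 MinRsaPubKeyBitLength override
# is currently set on this machine.
param(
    [string]$VCenter = 'vcenteripaddress',   # placeholder: replace with your vCenter address
    [int]$Port = 443
)

# Accept any certificate during the handshake: we only want to inspect it,
# not trust it, so a 512-bit or expired certificate does not stop the check.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }

$client = New-Object System.Net.Sockets.TcpClient($VCenter, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($VCenter)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $client.Close()
}

# RSA modulus size in bits (RSACryptoServiceProvider on .NET Framework)
$keyBits = $cert.PublicKey.Key.KeySize

# Assumed registry location written by "certutil -setreg chain\MinRsaPubKeyBitLength"
# as described in Microsoft Security Advisory 2661254.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'
$override = (Get-ItemProperty -Path $regPath -Name MinRsaPubKeyBitLength -ErrorAction SilentlyContinue).MinRsaPubKeyBitLength
$overrideText = if ($override) { "$override (workaround active)" } else { 'not set (default 1024)' }

# Summary: BelowWindowsMinimum = $true means the chain will be rejected once
# KB2661254 is applied unless the override is present.
New-Object PSObject -Property @{
    Subject             = $cert.Subject
    Issuer              = $cert.Issuer
    KeyBits             = $keyBits
    NotAfter            = $cert.NotAfter
    Expired             = ($cert.NotAfter -lt (Get-Date))
    BelowWindowsMinimum = ($keyBits -lt 1024)
    MinRsaPubKeyBitLength = $overrideText
}
```

When KeyBits reports 1024 or more and the certificate is not expired, the override can be removed with the certutil -delreg command from the post.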
