While installing plugin: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match

Hey gang,

I have 3 vCenters in linked mode (2 VCSA, 1 Windows) - all running 6.0.0 Build 2997665.  After installing the plugin on all 3 vCenters and logging in to each of them the plugin is only present on one of them (a VCSA).  I checked the virgo logs on the Windows vCenter and I see the following:

[2016-09-16T16:11:06.823-04:00] [INFO ] vc-extensionmanager-pool-80  70000053 100005 200001 com.vmware.vise.vim.extension.VcExtensionManager                  Downloading plugin package from https://127.0.0.1/simplivity/simplivity-web-client-9.4.22.zip (no proxy defined)

[2016-09-16T16:11:06.837-04:00] [ERROR] vc-extensionmanager-pool-80  70000053 100005 200001 com.vmware.vise.vim.extension.VcExtensionManager                  Package com.simplivity.web-client was not installed!

Error downloading https://127.0.0.1/simplivity/simplivity-web-client-9.4.22.zip. Make sure that the URL is reachable then logout/login to force another download. javax.net.ssl.SSLHandshakeException: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match

  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)

  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)

  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)

  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)

  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)

  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:913)

  at sun.security.ssl.Handshaker.process_record(Handshaker.java:849)

  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)

  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)

  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)

  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)

  at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)

  at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)

  at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1301)

  at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:468)

  at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:338)

  at com.vmware.vise.util.http.ConnectionManager.connect(ConnectionManager.java:186)

  at com.vmware.vise.util.http.SimpleHttpClient.connect(SimpleHttpClient.java:218)

  at com.vmware.vise.util.http.SimpleHttpClient.executeMethodResponseAsStream(SimpleHttpClient.java:109)

  at com.vmware.vise.vim.extension.VcExtensionManager.writePackageToFile(VcExtensionManager.java:873)

  at com.vmware.vise.vim.extension.VcExtensionManager.downloadPackage(VcExtensionManager.java:820)

  at com.vmware.vise.vim.extension.VcExtensionManager$1.call(VcExtensionManager.java:639)

  at com.vmware.vise.vim.extension.VcExtensionManager$1.call(VcExtensionManager.java:631)

  at java.util.concurrent.FutureTask.run(FutureTask.java:262)

  at com.vmware.vise.util.concurrent.QueuingCachedThreadPool$QueueProcessor.run(QueuingCachedThreadPool.java:866)

  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)

  at java.util.concurrent.FutureTask.run(FutureTask.java:262)

  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

  at java.lang.Thread.run(Thread.java:745)

Caused by: com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is not trusted and thumbprint doesn't match

  at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:217)

  at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:885)

  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)

  ... 26 common frames omitted

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)

  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)

  at sun.security.validator.Validator.validate(Validator.java:260)

  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)

  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)

  at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:107)

  at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager.checkServerTrusted(ThumbprintTrustManager.java:200)

  ... 28 common frames omitted

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)

  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)

  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)

  ... 34 common frames omitted

Do you have any idea why I might be hitting this? The certificate is self signed and the browser warns me about it but that URL (https://127.0.0.1/simplivity/simplivity-web-client-9.4.22.zip) is perfectly accessible from the browser. I also have another Windows vCenter also running 6.0 with a self signed cert and I can't reproduce this issue.  Please let me know if you have any pointers, much appreciated. Thanks!

(Virgo log attached)

Mike