VMware vSphere


After updating to the latest version, an expired vCenter certificate caused the error


    Posted Sep 17, 2024 11:18 AM

    Hey,

        I would like to get some help from you, or at least some hints. I know this topic is a bit tricky and most vSphere infrastructure administrators have gone through this troubleshooting, but now... My goal was to upgrade to a newer version of vCenter. After a backup and snapshot, I followed the usual route via VAMI, from where I performed the stage and install. After a successful update I got a warning on the vCenter login page that it would take 20 min to load all the services back, etc.

        Now, after logging in, I found that most of the virtual machines are experiencing the error "This virtual machine failed to become vSphere HA Protected and HA may not attempt to restart it after a failure." Trying to figure out why, I checked all the clusters where the ESXi hosts are located; most of them were trying to elect a new primary host within the HA cluster, and the other hosts were just retrying. So I reverted everything back to find out why.

    I checked the validity of all these certificates via the command "for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo '[*] Store :' $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie 'Alias' -ie 'Not After';done;" and they were valid for another 2 years:

    • SSL machine certificate
    • Trusted root certificate
    • Web client certificate

    but at the bottom of that list was an expired vCenter certificate (unfortunately expired a few weeks ago). I checked the vpxd log and it also reports an x509 failure to read the cert. I also checked with VDT, the vCenter in-depth diagnostics tool, to make sure that was the only problem.

    Since we are using our intermediate CA, should I now just go to VMCA and select option 2, "Replace the VMCA root certificate with our own CA signing certificate and replace all certificates", generate a new CSR, sign it with our CA, and that's it?

    From the KB "If your trusted root or SSL certificates have expired, it is recommended that you re-commission the system using the default VMware CA certificates and then reuse your own certificate, see the section Replacing a vSphere 6.x /7.x Machine SSL Certificate with a Self-Signed CA Certificate."

    Btw, I have 4 hosts in a separate cluster; these 4 are not certified and are using the default certificate provided by vCenter (vmca@vmware.com, CN=xxx etc.). They were without problems (still part of the HA cluster).

    thanks_x
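The vecs-cli loop in the post prints only Alias and "Not After" lines, so an expired entry such as the vpxd one is easy to miss by eye. As an added example (not part of the original post or of any VMware tool), the script below parses that loop's output and flags each store's entry as EXPIRED, EXPIRING or OK; the store names, aliases and dates in SAMPLE_OUTPUT are constructed, and the 60-day warning window is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (not real appliance output) in the shape produced by the
# loop on this page: a "[*] Store :" line per store, followed by the grep'ed
# Alias and "Not After" lines of each entry in that store.
SAMPLE_OUTPUT = """\
[*] Store : MACHINE_SSL_CERT
Alias :	__MACHINE_CERT
            Not After : Sep 17 10:00:00 2026 GMT
[*] Store : vsphere-webclient
Alias :	vsphere-webclient
            Not After : Oct 20 08:00:00 2024 GMT
[*] Store : vpxd
Alias :	vpxd
            Not After : Aug 25 08:00:00 2024 GMT
"""

STORE_RE = re.compile(r"^\[\*\] Store :\s*(\S+)")
ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+)$")


def parse_not_after(value):
    """Parse the OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' timestamp as UTC."""
    normalized = " ".join(value.split())  # collapse the 'Sep  5' day padding
    parsed = datetime.strptime(normalized, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def check_expiry(text, now, warn_days=60):
    """Return a list of (store, alias, status) tuples, in output order."""
    results, store, alias = [], None, None
    for line in text.splitlines():
        if m := STORE_RE.match(line):
            store = m.group(1)
        elif m := ALIAS_RE.match(line):
            alias = m.group(1)
        elif m := NOT_AFTER_RE.search(line):
            not_after = parse_not_after(m.group(1))
            if not_after < now:
                status = "EXPIRED"
            elif not_after - now <= timedelta(days=warn_days):
                status = "EXPIRING"
            else:
                status = "OK"
            results.append((store, alias, status))
    return results


def check_sample(now_iso="2024-09-17T11:18:00+00:00"):
    """Run the check over SAMPLE_OUTPUT at a fixed 'now' (the post's date)."""
    return check_expiry(SAMPLE_OUTPUT, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # On a live appliance, pipe the loop's output into this script instead.
    for store, alias, status in check_sample():
        print(f"{status:8} {store}/{alias}")
```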