VMware vSphere

  • 1.  Alarm: "Certificate status"

    Posted Jun 06, 2023 06:56 AM

    Hello,

    We've got 3 vCenter 7 servers that are throwing the warning "Certificate status". Clicking on the triggering event shows:

    "Certificate 'OU=mID-....' from MACHINE_SSL_CERT expires on 2023-07-02 07:46:04.000"

    These are the steps I took to resolve this, unsuccessfully:

    1. Administration -> Certificate Management

    The __MACHINE_CERT showed this expiration date, so I clicked renew.

    After a reload of the GUI, the cert showed a new expiration date of 4 June 2025.

    Error still persists.

    Google found this KB: https://kb.vmware.com/s/article/82332

    2. SSHed into vCenter and printed out the expiration dates of all certificates: sure enough, there are some "user solution certificates" with the old expiration date.

    I ran "/usr/lib/vmware-vmca/bin/certificate-manager" with option 6 "Replace Solution user certificates with VMCA certificates".

    Ran the command again to print the expiration dates ... only 2 expiring ones remaining!

    Google found this KB: https://kb.vmware.com/s/article/88548

    3. Copied fix_encipherment_cert.sh and ran it. Voila, only 1 expiring certificate remaining, and the alarm is still there.

    You can see the current status in the attached picture:

    My questions:

    • I can safely ignore the certificate in the BACKUP_STORE, correct?
    • Is the certificate with the alias "vcenter-1.gluecksburg.lan" (it's the FQDN of the vCenter server) used anywhere?
    • How can I replace it?
    • Why does the alarm still say that the MACHINE_CERT_SSL is expiring soon?
    • Why doesn't vCenter do all this stuff itself?

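The "SSH into vCenter and print the expiration dates" step above is the kind of check worth scripting so the VECS stores (including BACKUP_STORE and any stray FQDN-named store) can be re-checked after each renewal. The script below is an added example written for this page; it is not code from the thread or from VMware. It assumes the standard vCenter Server Appliance path for vecs-cli (/usr/lib/vmware-vmafd/bin/vecs-cli) and the "Alias :" / "Not After :" lines that `vecs-cli entry list --store <store> --text` prints; the sample store output embedded in the script is constructed, not captured from a real system, and the date arithmetic is done in awk so the script does not depend on a GNU `date -d` being present.

```shell
#!/bin/sh
# Added example (not from the thread or VMware): flag VECS entries that expire within N days.
# Assumed path of vecs-cli on a vCenter Server Appliance.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# flag_expiring STORE NOW_EPOCH WARN_DAYS
# Reads `vecs-cli entry list --store STORE --text` output on stdin and prints
# "STORE<TAB>ALIAS<TAB>DAYS_LEFT" for every entry whose "Not After" is within WARN_DAYS
# of NOW_EPOCH (days left is truncated toward zero; an already expired cert shows 0 or negative).
flag_expiring() {
  awk -v store="$1" -v now="$2" -v warn="$3" '
    # epoch(): convert "Mon D HH:MM:SS YYYY" (the openssl "Not After" layout) to Unix time,
    # using the days-from-civil algorithm so no external date command is needed.
    function epoch(mon, d, hms, y,    m, era, yoe, doy, doe, t) {
      m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", mon) + 2) / 3
      if (m <= 2) y--
      era = int(y / 400); yoe = y - era * 400
      doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
      doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
      split(hms, t, ":")
      return (era * 146097 + doe - 719468) * 86400 + t[1] * 3600 + t[2] * 60 + t[3]
    }
    /^Alias *:/ { alias = $3 }                      # "Alias :\t__MACHINE_CERT"
    /^ *Not After *:/ {                              # "Not After : Jul  2 07:46:04 2023 GMT"
      left = int((epoch($4, $5, $6, $7) - now) / 86400)
      if (left <= warn) printf "%s\t%s\t%d\n", store, alias, left
    }
  '
}

# scan_appliance NOW_EPOCH WARN_DAYS: run on the appliance itself; walks every VECS store.
scan_appliance() {
  for store in $("$VECS_CLI" store list); do
    "$VECS_CLI" entry list --store "$store" --text | flag_expiring "$store" "$1" "$2"
  done
}

# Constructed sample of `vecs-cli entry list --store MACHINE_SSL_CERT --text` output
# (not captured from a real system): one cert expiring 2023-07-02, one renewed until 2025.
SAMPLE='Number of entries in store :	2
Alias :	__MACHINE_CERT
Entry type :	Private Key
Certificate:
    Data:
        Validity
            Not Before: Jul  2 07:46:04 2021 GMT
            Not After : Jul  2 07:46:04 2023 GMT
Alias :	vcenter-1.gluecksburg.lan
Entry type :	Private Key
Certificate:
    Data:
        Validity
            Not Before: Jun  4 07:46:04 2023 GMT
            Not After : Jun  4 07:46:04 2025 GMT'

# demo: evaluate the sample as of 2023-06-06 00:00:00 UTC (epoch 1686009600) with a 30-day window.
demo() {
  printf '%s\n' "$SAMPLE" | flag_expiring MACHINE_SSL_CERT 1686009600 30
}

if [ "${1:-}" = "--scan" ]; then
  scan_appliance "$(date +%s)" 30     # on the appliance: `sh check-vecs.sh --scan`
else
  demo                                # offline: prints MACHINE_SSL_CERT<TAB>__MACHINE_CERT<TAB>26
fi
```

Run with `--scan` on the appliance to see every store, BACKUP_STORE included; anything reported from BACKUP_STORE is the old copy that the cleanup KB removes, so compare the alias and store name before acting on a line, and take a snapshot of the VC first as the reply above recommends.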

  • 2.  RE: Alarm: "Certificate status"
    Best Answer

    Posted Jun 06, 2023 07:12 AM

    Hello,

    On checking the cert details:

    • I can safely ignore the certificate in the BACKUP_STORE, correct? - Yes, but you can use this https://kb.vmware.com/s/article/82560?lang=en_US
    • Is the certificate with the alias "vcenter-1.gluecksburg.lan" (it's the FQDN of the vCenter server) used anywhere? - Ideally this store (vcenter-1.gluecksburg.lan) should not even be present. Need to check on this.
    • How can I replace it? - Machine SSL already looks good
    • Why does the alarm still say that the MACHINE_CERT_SSL is expiring soon? - Can you share a screenshot of the alarm?
    • Why doesn't vCenter do all this stuff itself? - There are public KBs available to resolve certificate issues.

      Can you take a snapshot of the VC and run the https://flings.vmware.com/vsphere-diagnostic-tool#summary vSphere Diagnostic Tool to get clear output of what the error is?

    Regards

    Harry



  • 3.  RE: Alarm: "Certificate status"

    Posted Jun 06, 2023 08:01 AM

    Hello Harry,

    thanks for your help!

    The steps in https://kb.vmware.com/s/article/82560?lang=en_US were the correct ones!

    I ran the script, and now the BACKUP_STOREs are empty. The alarm is gone too.

    EDIT: the FQDN-store certificate is still there, but it seems like it won't get used. The certificate displayed in the browser is a different one, with the correct expiration date.

    Have a nice day!