  • 1.  Issuing CA certificate expired

    Posted Nov 15, 2022 09:05 AM

    Hello everyone,

    We have replaced the __MACHINE certificate with one created with our local CA some time ago. Since the __MACHINE cert is made with our issuing CA, I have imported the root CA and issuing CA as trusted root certificates. Unfortunately the certificate for our issuing CA has recently expired. The __MACHINE cert has been replaced after a renewal of the issuing certificate. 

    And here the problem begins. So far I have noticed these errors:
    • The daily backup started to fail after the issuing cert expired. It gets as far as starting to transfer data to the SFTP server, but stops after 8-12 MB.
    • I cannot change the DRS config. It throws an error: "Error loading data". The error message states, among other things, "Unable to authenticate user".
    • For a few days after the cert expired I could log into the VAMI. But now this also fails with the message "Exception in invoking authentication handler [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)".

    The expired issuing certificate is still listed in the Certificate Management page in VAMI. I have tried to replace the issuing certificate, but that option is not available in VCSA, only "View". Adding the new issuing certificate results in an error message stating that the certificate is already registered. 

    lsdoctor finds no problems. 

    I'm starting to suspect that I need to recreate all certificates on the vCenter server with the Certificate Manager Utility.
    I can live with getting the SSL warning when connecting to VCSA/VAMI, so that is no real concern, but which option in the tool is the correct one?

    • 4- Regenerate a New VMCA Root Certificate and Replace All Certificates
    • 8- Reset All Certificates.

    They seem to be a bit overlapping.

    What will happen to the connected ESXi hosts during this ordeal? Will they stay connected or do I have to reconnect them?

    Hope someone can shed some light on this problem.

    Regards



  • 2.  RE: Issuing CA certificate expired
    Best Answer

    Posted Nov 15, 2022 07:37 PM

    Hi,

    You have to recreate all certificates with option 8 (Reset All Certificates).

    What will happen to the connected ESXi hosts during this ordeal? Nothing will happen.

    Do they stay connected or do I have to reconnect them? They stay connected.

    I hope the STS certificate hasn't expired either, because that is another procedure.

    Don't worry, I've done this many times; nothing happens to ESXi hosts and configuration.

    regards,

    Alex_Romeo



  • 3.  RE: Issuing CA certificate expired

    Posted Nov 16, 2022 07:19 AM

    Hi,

    Shortly after I posted this question, VMware support replied that they wanted to schedule a Zoom meeting yesterday.

    She first tried to recreate all certificates (option 8), but this failed since the STS cert apparently had some problems. We then recreated the STS certificate with fixsts.sh (https://kb.vmware.com/s/article/76719). Then we ran the certificate tool again with option 8 and it completed. (https://kb.vmware.com/s/article/2097936?lang=en_US)

    The backups are running again and I can log into the management console. DRS is also configurable again.
    The expired issuing CA cert is still in the certificate store, so I cannot replace the __MACHINE SSL cert with one from our CA before it is cleared out. But this is a minor nuisance compared to the problems I had.

    Regards,

    Helge
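The root cause in this thread was an issuing CA certificate in the trust store that expired unnoticed. The script below is an added example (not from the thread or from VMware's tooling) that scans a PEM bundle, such as an export of the trusted root certificates, and flags any certificate that is expired or expires within a warning window; it assumes the openssl CLI is installed and the bundle path is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example: report expired / soon-to-expire certificates in a PEM bundle.
# Assumes the openssl CLI; BUNDLE is a placeholder path supplied by the caller.
set -u

# check_bundle BUNDLE [WARN_DAYS]
# Prints "STATE<TAB>KIND<TAB>notAfter<TAB>subject" per certificate.
# Returns 1 if any certificate is EXPIRED or EXPIRING within WARN_DAYS (default 30).
check_bundle() {
  bundle=$1
  warn_secs=$(( ${2:-30} * 86400 ))
  rc=0
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate (awk keeps BEGIN..END lines).
  awk -v dir="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
    f { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }' "$bundle"
  for c in "$tmp"/cert*.pem; do
    [ -f "$c" ] || continue
    subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
    end=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
    # A CA:TRUE basic constraint marks an issuer (root or intermediate) cert.
    if openssl x509 -in "$c" -noout -text | grep -A1 'Basic Constraints' | grep -q 'CA:TRUE'; then
      kind=CA
    else
      kind=leaf
    fi
    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
      state=EXPIRED; rc=1
    elif ! openssl x509 -in "$c" -noout -checkend "$warn_secs" >/dev/null; then
      state=EXPIRING; rc=1
    else
      state=OK
    fi
    printf '%s\t%s\t%s\t%s\n' "$state" "$kind" "$end" "$subj"
  done
  rm -rf "$tmp"
  return $rc
}

# Stand-alone usage: ./check_bundle.sh trusted-roots.pem 30
if [ "${1:-}" ]; then
  check_bundle "$1" "${2:-30}"
fi
```

Run it against the exported trust bundle from a scheduled job so an expiring issuing CA is caught before the services that validate against it start failing.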