Hello everyone,
We have replaced the __MACHINE certificate with one created with our local CA some time ago. Since the __MACHINE cert is made with our issuing CA, I have imported the root CA and issuing CA as trusted root certificates. Unfortunately the certificate for our issuing CA has recently expired. The __MACHINE cert has been replaced after a renewal of the issuing certificate.
And here the problem begins. So far I have noticed these errors:
- The daily backup started to fail after the issuing cert expired. It gets as far as starting to transfer data to the SFTP server, but stops after 8-12 MB.
- I cannot change DRS config. It throws an error: Error loading data. The error message states, among other things, "Unable to authenticate user".
- For a few days after the cert expired I could log into the VAMI. But now this also fails with the message "Exception in invoking authentication handler [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)"
The expired issuing certificate is still listed in the Certificate Management page in VAMI. I have tried to replace the issuing certificate, but that option is not available in VCSA, only "View". Adding the new issuing certificate results in an error message stating that the certificate is already registered.
lsdoctor finds no problems.
I'm starting to suspect that I need to recreate all certificates on the vCenter server with the Certificate Manager Utility.
I can live with getting the SSL warning when connecting to VCSA/VAMI, so that is no real concern, but which option in the tool is the correct one?
- 4. Regenerate a New VMCA Root Certificate and Replace All Certificates
- 8. Reset All Certificates
They seem to be a bit overlapping.
What will happen to the connected ESXi hosts during this ordeal? Will they stay connected or do I have to reconnect them?
Hope someone can shed some light on this problem.
Regards