VMware vSphere

  • 1.  Unable to authenticate on vCenter Server Appliance 7

    Posted Aug 26, 2023 12:18 PM

    I am unable to authenticate on my VCSA: error 500 "An error occurred while fetching identity providers". VMware KB says to upgrade to 7.0.03C.

    Using SSH, I failed to upgrade RPM packages.

    A lot of services failed to start (service-control --status):

    observability vlcm vmcam vmonapi vmware-certificateauthority vmware-certificatemanagement vmware-content-library vmware-hvc vmware-imagebuilder vmware-netdumper vmware-perfcharts vmware-pod vmware-rbd-watchdog vmware-sca vmware-sps vmware-stsd vmware-topologysvc vmware-updatemgr vmware-vapi-endpoint vmware-vcha vmware-vdtc vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vsphere-ui vstats vtsdb wcp

    No service log helped me find out why, but /var/log/firstbool/vsphere-ui-prestart.log helped me: certificate verify failed: certificate has expired.

    Using /usr/lib/vmware-vmafd/bin/vecs-cli, I found that the machine and WCP certificates (autogenerated during the first install) expire after 2 years, and my VM is 2 years old.

    I used certificate-manager tool option 5 to regenerate all certificates. All certificates (csr and key files) are in a folder, but certificate-manager refuses to import them, because I am unable to provide (last question "Please provide the signing certificate of the Solution User Certificates") a certificate which can verify all these certificates, created by the tool itself.

    I hope I'm near the goal, but I need extra help. Thank you



  • 2.  RE: Unable to authenticate on vCenter Server Appliance 7

    Posted Aug 26, 2023 12:23 PM
    • If Machine SSL & Solution User Certificates are expired, use Option 8 (Reset Certificates) to replace the Certificates

    Please see the following KB:

    https://kb.vmware.com/s/article/2097936

    Regards,

    Sachchidanand



  • 3.  RE: Unable to authenticate on vCenter Server Appliance 7

    Posted Aug 29, 2023 09:15 PM

    What if this is not a certificate issue?

    Do you have a screenshot with the error?



  • 4.  RE: Unable to authenticate on vCenter Server Appliance 7

    Broadcom Employee
    Posted Aug 30, 2023 02:17 AM

    If your VC services are down, upgrading will not help, as it will even fail.

    FOR CERTS EXPIRY, CHECK BELOW AND FIX IT. Make sure all required services are up first before upgrading.

    Find PNID: /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost (this needs to be used in the certificate-manager tool)

    1. STS expiry check and replacement: https://kb.vmware.com/s/article/79248 (this is not managed by the certificate-manager tool)

    2. The following one-liner can determine other expired certificates for the vCenter Server Appliance:
    for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
    Follow KB https://kb.vmware.com/s/article/2112283 to replace other certificates.
    But the certificate-manager tool doesn't replace the data-encipherment and SMS_self_signed certs.

    3. To replace an expired data-encipherment certificate, follow the KB below:
    For vCSA 7: https://kb.vmware.com/s/article/88548
    For vCSA 8: https://kb.vmware.com/s/article/87506

    4. To replace SMS certs, the only way is to delete the store and recreate it. Check https://kb.vmware.com/s/article/2120105

    5. (Optional) Use lsdoctor (https://kb.vmware.com/s/article/80469) to check for SSL trust issues and fix any.
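
Added example, not part of the original thread or of any VMware tooling: a shell filter that takes the output of the vecs-cli one-liner in step 2 of the post above and marks each store/alias as EXPIRED or OK against a reference time. The function names and the sample data are constructed for illustration; on an appliance the one-liner's output would be piped into `vecs_expiry_report` instead of the sample.

```shell
# Added example: classify the output of the vecs-cli one-liner as EXPIRED/OK.
# vecs_expiry_report and sample_vecs_output are hypothetical names.
# $1 (optional): reference time, UTC, as YYYYMMDDHHMMSS; defaults to now.
vecs_expiry_report() {
    awk -v now="${1:-$(date -u +%Y%m%d%H%M%S)}" '
        BEGIN {
            n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= n; i++) mon[m[i]] = i
        }
        $1 == "STORE" { store = $2; next }
        $1 == "Alias" { alias = $NF; next }
        /Not After/ {
            # e.g. "Not After : Aug 26 12:18:00 2023 GMT" (OpenSSL text form)
            sub(/^.*Not After *: */, "")
            split($0, f, " "); split(f[3], t, ":")
            key = sprintf("%04d%02d%02d%02d%02d%02d", f[4], mon[f[1]], f[2], t[1], t[2], t[3])
            # Fixed-width digit strings sort in the same order as the timestamps.
            state = ((key "") < (now "")) ? "EXPIRED" : "OK"
            printf "%s %s/%s %s\n", state, store, alias, $0
        }'
}

# Constructed sample in the shape the one-liner prints (not real appliance data).
sample_vecs_output() {
    cat <<'EOF'
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Aug 26 12:18:00 2023 GMT
STORE TRUSTED_ROOTS
Alias : constructed-root-alias
            Not After : Aug 21 12:18:00 2031 GMT
STORE wcp
Alias : wcp
            Not After : Sep  5 07:02:09 2025 GMT
EOF
}

# Demo with a fixed reference time so the result is reproducible.
sample_vecs_output | vecs_expiry_report 20230826130000
```

The STS signing certificate is not in VECS, so this report does not cover it; step 1 of the post above handles that check separately.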



  • 5.  RE: Unable to authenticate on vCenter Server Appliance 7

    Posted Sep 19, 2023 01:31 PM

    Please reset all the certificates using step 8 in the certificate manager, and check the vpxd logs.