VMware vSphere

  • 1.  Updating STS Certificates when locked out of VCSA

    Posted Dec 06, 2021 04:46 PM

    I have inherited a server running ESXi 6.7.0. ESXi hosts a VM running VMware Photon OS which hosts a VCSA instance. This VCSA instance manages the ESXi host. I think the STS certificates have become invalid. How can I confirm this and how can I fix this? Can I do this fix (https://kb.vmware.com/s/article/76719) in ESXi?

    Background:

    1. When I enter the hostname into a browser without stating the port it takes me to a page with the title, "VMware® vSphere". When I attempt to log in I get the error message "User name and password are required". If I make a typo I get the invalid credentials error which tells me that the credentials are correct otherwise.

    2. When I enter the hostname and specify port 5480 it takes me to a page with the title, "VMware Appliance Management". When I attempt to log in I get the error message "Exception in invoking authentication handler [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:719)".

    3. Reading up on the error message it sounds like it is generated by Python when SSL certificates being used are invalid. I think this means that the certificates used for my VCSA instance are no longer valid. 

    4. ESXi has a certificate under Security and Users > Certificates. There is also a message saying, "This host's certificates are being managed by vCenter Server, you cannot configure them using the Host Client." 



  • 2.  RE: Updating STS Certificates when locked out of VCSA

    Posted Dec 06, 2021 04:53 PM

    Expect a moderator to move your thread to the area for vSphere.




  • 3.  RE: Updating STS Certificates when locked out of VCSA
    Best Answer

    Posted Dec 07, 2021 04:48 PM

    Okay, so the STS certificates have been updated by the following:

    1. Connect to ESXi host and open a console to VCSA
    2. <F2> > Troubleshooting Mode > Enable SSH
    3. Use PuTTY to connect to VCSA IP port 22
    4. Now follow https://kb.vmware.com/s/article/76719
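
    Added example (not part of the original post and not one of the KB 76719 scripts): a POSIX shell script to run from a workstation, or from the VCSA shell once SSH is enabled in step 2, that pulls the certificate each login page presents on 443 (vSphere Client) and 5480 (appliance management) and reports whether it has expired. It assumes `openssl` is on the path and that the argument is the appliance hostname. The STS signing certificate itself lives in vmdir and is never presented on the wire, so a "valid" result here combined with the CERTIFICATE_VERIFY_FAILED error on 5480 is what points at STS and at the fixsts.sh procedure in the KB.

```shell
#!/bin/sh
# Added example: check the TLS certificates a VCSA presents on its two login
# ports before concluding the STS certificate is the problem. Requires openssl.

# Print the notAfter date of a PEM certificate file.
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Succeed (exit 0) if the PEM certificate in $1 is still valid for at least
# $2 seconds (default 0, i.e. "not yet expired"); fail otherwise.
# Wraps `openssl x509 -checkend`, which exits non-zero when the cert will expire.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Fetch the leaf certificate a TLS endpoint (host:port) presents, as PEM on stdout.
fetch_endpoint_cert() {
    openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# Report on the endpoints the original poster could not log in to.
# Assumed hostname argument, e.g. check_vcsa vcsa.example.test
check_vcsa() {
    host="$1"
    for port in 443 5480; do
        tmp=$(mktemp)
        if ! fetch_endpoint_cert "$host:$port" > "$tmp"; then
            echo "$host:$port  could not retrieve certificate"
            rm -f "$tmp"
            continue
        fi
        if cert_valid_for "$tmp" 0; then
            state="valid"
        else
            state="EXPIRED"
        fi
        echo "$host:$port  $state  notAfter=$(cert_not_after "$tmp")"
        rm -f "$tmp"
    done
}

# Usage: sh check_vcsa_certs.sh <vcsa-hostname>
if [ -n "${1:-}" ]; then
    check_vcsa "$1"
fi
```

    If both ports report "valid" but the 5480 login still fails with CERTIFICATE_VERIFY_FAILED, the machine SSL certificate is not the cause, and the STS check in the KB is the next step.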


  • 4.  RE: Updating STS Certificates when locked out of VCSA

    Posted Jun 12, 2025 04:08 AM

    Great help, thanks! For step 3 I just SSH'd onto the server and did not add port 22.

    Run vCert, check status, update certificates as necessary, run status again.

    Stop and restart services.

    Check access to vCenter Server and the vCenter Management Console.

    Thanks, Tp




  • 5.  RE: Updating STS Certificates when locked out of VCSA

    Posted Mar 12, 2024 11:20 AM

    Hello,
    I have the same problem but with vSphere version 8.0 (see screenshot)
    I followed the procedure (installing and running the fixsts.sh script) but to no avail.
    I keep getting the same message.
    I restart the services and get the following errors (see screenshot)

    What should I do?

    Denis