VMware vSphere

  • 1.  vCenter 7 Machine Cert Renewed Incorrectly

    Posted Apr 30, 2023 07:58 PM

    I'm running two vCenter 7.0.2 servers in linked mode; both are the Linux appliances.

    We received notice that the machine SSL cert would expire for one of the servers on 4/30. One of our admins mistakenly renewed the machine certificate using a Windows domain account instead of using the administrator@vsphere.local account.

    The change initially seemed to work, but now that the expiration date has passed we seem to have broken SSL to this server. We're seeing the 500 error (An error occurred while fetching identity providers.) We can still connect to the other linked vCenter server via SSL.

    I pulled certificate info from the CLI of the broken server, and it shows the MACHINE SSL cert date in the future, but several other certificate stores are now expired: machine (in lower case), vsphere-webclient, vpxd, vpxd-extension, data-encipherment and wcp. There is also a copy of the old expired MACHINE SSL cert in the BACKUP STORE.

    I'm not very familiar with the certificate-manager tool and all the options listed there.  What is the safest/least disruptive way to fix SSL?



  • 2.  RE: vCenter 7 Machine Cert Renewed Incorrectly

    Posted May 01, 2023 06:59 AM

    Hi,

    I've had this once and could only access the vCenter from SSH. I had to use the "reset all certificates" option in the certificate manager, as in my case I didn't know who did what. It's an environment that is semi-managed; in other words, when they break it I get to fix it, lol.

    Create a snapshot of your VCSA first.

    Connect to the VCSA with SSH, log in as root and type shell.

    Go to the following location:

    /usr/lib/vmware-vmca/bin/certificate-manager

    You have a few options here. For me, option 8 (reset all certificates) was the only one that worked, but you could use option 3 (replace machine SSL certificate with VMCA certificate).

    Hope this helps you on your way.

    Regards

    lisandro
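
    Added example (editor's code, not part of either post and not VMware's own tooling): before choosing a certificate-manager option, it helps to see exactly which VECS stores are expired, which is what the original poster did by hand. The script below enumerates the stores with vecs-cli (assumed at /usr/lib/vmware-vmafd/bin/vecs-cli, run from the root shell on the VCSA, which ships python3), parses the Not After line of each entry, and flags the pattern described in post 1: MACHINE_SSL_CERT renewed but the solution-user and data-encipherment stores left expired. The store names, aliases and dates in SAMPLE_STORES are constructed to mirror the thread, not captured from a real appliance; off the box the script runs against that sample.

    ```python
    #!/usr/bin/env python3
    """Audit certificate expiry per VECS store on a vCenter Server Appliance.

    Added example for this thread, not VMware's code. On the appliance it
    shells out to the real vecs-cli; parsing and classification are pure
    Python so they can be exercised off the box against SAMPLE_STORES.
    """
    import os
    import re
    import subprocess
    from datetime import datetime, timedelta, timezone

    VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"  # assumed path on the VCSA

    # Stores the original poster found expired after only MACHINE_SSL_CERT was
    # renewed: the solution users plus the data-encipherment certificate.
    DEPENDENT_STORES = ("machine", "vsphere-webclient", "vpxd",
                        "vpxd-extension", "data-encipherment", "wcp")

    ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
    # `vecs-cli entry list --text` prints the OpenSSL text dump of each cert,
    # including a line like "            Not After : Apr 30 19:58:00 2023 GMT".
    NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$")


    def parse_vecs_text(text):
        """Return [(alias, not_after)] with not_after as an aware UTC datetime."""
        entries, alias = [], None
        for line in text.splitlines():
            m = ALIAS_RE.match(line.strip())
            if m:
                alias = m.group(1)
                continue
            m = NOT_AFTER_RE.search(line)
            if m and alias is not None:
                when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z")
                entries.append((alias, when.replace(tzinfo=timezone.utc)))
        return entries


    def classify(entries, now, warn_days=30):
        """Bucket aliases into expired / expiring (within warn_days) / ok."""
        out = {"expired": [], "expiring": [], "ok": []}
        for alias, not_after in entries:
            if not_after <= now:
                out["expired"].append(alias)
            elif not_after - now <= timedelta(days=warn_days):
                out["expiring"].append(alias)
            else:
                out["ok"].append(alias)
        return out


    def half_renewed(report):
        """Dependent stores that are expired while MACHINE_SSL_CERT is not.

        This is the state in post 1: machine SSL shows a future date, but the
        services behind the UI still hold expired certs, so certificate-manager
        needs another run rather than another machine SSL renewal.
        """
        machine = report.get("MACHINE_SSL_CERT")
        if machine is None or machine["expired"]:
            return []  # machine SSL itself is the problem (or was not read)
        return [s for s in DEPENDENT_STORES if report.get(s, {}).get("expired")]


    def vecs_cli(*args):
        """Run the real vecs-cli; needs the root shell on the VCSA."""
        return subprocess.run([VECS_CLI, *args], check=True,
                              capture_output=True, text=True).stdout


    def audit(now=None, run=vecs_cli):
        """Classify every store's entries; `run` is injectable for testing."""
        now = now or datetime.now(timezone.utc)
        report = {}
        for store in run("store", "list").split():
            if store == "TRUSTED_ROOT_CRLS":  # CRLs carry Next Update, not Not After
                continue
            text = run("entry", "list", "--store", store, "--text")
            report[store] = classify(parse_vecs_text(text), now)
        return report


    # ---- constructed sample output (not captured from a real appliance) ----
    def _fake_entry(alias, not_after):
        return ("Number of entries in store :\t1\n"
                f"Alias :\t{alias}\nEntry type :\tPrivate Key\n"
                "Certificate:\n    Data:\n        Validity\n"
                "            Not Before: Apr 30 00:00:00 2021 GMT\n"
                f"            Not After : {not_after}\n")


    SAMPLE_STORES = {
        "MACHINE_SSL_CERT": _fake_entry("__MACHINE_CERT", "Apr 30 19:58:00 2025 GMT"),
        "TRUSTED_ROOTS": _fake_entry("0a1b2c3d", "Apr 25 00:00:00 2031 GMT"),
        "TRUSTED_ROOT_CRLS": "",
    }
    for _s in DEPENDENT_STORES:  # all expired on 30 Apr 2023, as in the post
        SAMPLE_STORES[_s] = _fake_entry(_s, "Apr 30 19:58:00 2023 GMT")
    SAMPLE_NOW = datetime(2023, 5, 1, 7, 0, tzinfo=timezone.utc)


    def sample_run(*args):
        """Stand-in for vecs_cli that serves the constructed sample output."""
        if args == ("store", "list"):
            return "\n".join(SAMPLE_STORES)
        return SAMPLE_STORES[args[3]]  # ("entry", "list", "--store", <store>, "--text")


    if __name__ == "__main__":
        report = audit() if os.path.exists(VECS_CLI) else audit(SAMPLE_NOW, sample_run)
        for store, b in report.items():
            print(f"{store:20s} expired={b['expired']} expiring={b['expiring']}")
        stale = half_renewed(report)
        if stale:
            print("Machine SSL is current but these stores are expired:", stale)
    ```

    Run it before and after certificate-manager (and after the snapshot both replies recommend): a non-empty "stale" list confirms the half-renewed state, and an empty report of expired aliases across all stores is the check that the run actually fixed every store rather than only MACHINE_SSL_CERT.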

     



  • 3.  RE: vCenter 7 Machine Cert Renewed Incorrectly

    Posted May 01, 2023 07:05 AM

    Note down the ESXi host(s) hosting both vCenter servers.

    From appliance management, shut down both appliances.

    Log in to each ESXi host hosting these vCenter appliances and take a snapshot of each VCSA while it is powered off.

    If these vCenters used custom certificates signed by an internal CA, along with the machine SSL cert, you need to replace them all for both vCenters.

    You can replace the SSL certificates one at a time per vCenter server:

    https://kb.vmware.com/s/article/2097936 

    If only the machine SSL certificate was replaced by the internal CA, then just do that and regenerate the solution SSL certificates using certificate-manager:

     

    vCenter Server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager