VMware vSphere

  • 1.  vCenter Certificate Status alarm for CSR

    Posted Aug 10, 2023 08:09 PM

    Hello - 

    I've got a vCenter server that is throwing a Certificate Status Alarm, and it's specifically alarming about a CSR, not a cert expiring.

    I ran the following command to list all of the certs:

    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

    There are no certs expired.

    The cert that the alarm is complaining about isn't actually a cert - it's a CSR.


     

    Any ideas how to remove the CSR without borking the whole thing? Or even better, any ideas how to make the alarm only trigger for expiring certs and not CSRs?

    It's really not hurting anything, just driving me nuts that it's there.

    I have 100% validated that it's the CSR - if I reset the alarm to green, it will come back. If I generate a new CSR, it will not alert until the next day when that CSR expires.
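An added example (not part of the original post, and not VMware code): a Python parser for the text the one-liner above prints, reporting which store and alias is expired or close to expiry so an alarm can be pinned to one entry. The sample listing, the alias names and the 30-day threshold are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the one-liner's output; aliases are made up.
SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias : example-machine-cert
            Not After : Aug 10 20:09:11 2025 GMT
Alias : example-csr-entry
            Not After : Aug  9 20:09:11 2023 GMT
[*] Store : TRUSTED_ROOTS
Alias : example-root
            Not After : Jan  1 00:00:00 2033 GMT
"""

STORE_RE = re.compile(r"^\[\*\] Store :\s*(\S+)")
ALIAS_RE = re.compile(r"^\s*Alias\s*:\s*(\S+)", re.I)
AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$", re.I)

def parse_entries(text):
    """Return (store, alias, not_after) for each entry in the listing."""
    entries, store, alias = [], None, None
    for line in text.splitlines():
        if m := STORE_RE.match(line):
            store, alias = m.group(1), None
        elif m := ALIAS_RE.match(line):
            alias = m.group(1)
        elif m := AFTER_RE.search(line):
            stamp = " ".join(m.group(1).split())  # collapse "Aug  9" padding
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            entries.append((store, alias, when.replace(tzinfo=timezone.utc)))
            alias = None
    return entries

def flag_entries(text, now, warn_days=30):
    """Return entries already expired or expiring within warn_days."""
    flagged = []
    for store, alias, not_after in parse_entries(text):
        if not_after <= now:
            flagged.append((store, alias, "EXPIRED", not_after))
        elif not_after - now <= timedelta(days=warn_days):
            flagged.append((store, alias, "EXPIRING", not_after))
    return flagged

if __name__ == "__main__":
    now = datetime(2023, 8, 10, 20, 9, tzinfo=timezone.utc)  # constructed "now"
    for store, alias, status, when in flag_entries(SAMPLE, now):
        print(f"{status:8} {store}/{alias} Not After {when:%Y-%m-%d %H:%M} UTC")
```
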



  • 2.  RE: vCenter Certificate Status alarm for CSR

    Posted Aug 11, 2023 03:03 AM

    Have you generated the CSR and not updated the certificate with respect to that CSR?

    In this case, just replace the certificate.

    Regards,

    Sachchidanand



  • 3.  RE: vCenter Certificate Status alarm for CSR

    Posted Aug 11, 2023 01:00 PM

    I haven't generated a new cert from the CSR that I created a couple of days ago because the current cert doesn't expire for a while.

     

    But - that's not the issue. The only reason I created a new CSR a couple of days ago was to test if the alarm would go away if I did that (it did). It was alarming from the original CSR that I did generate the cert from that was still there, then when I created a new CSR, the alarm cleared for a day (how long the CSR was good for), and then came back.

    So generating a new cert from that CSR isn't going to change the fact that the CSR is expired, and that the alarm is still going to trigger off of that CSR instead of off of the cert.



  • 4.  RE: vCenter Certificate Status alarm for CSR

    Posted Aug 11, 2023 02:19 PM

    If you generate a CSR, vCenter expects that you update the cert with respect to that CSR. It doesn't matter how many times you generate it. Don't generate another CSR to check if the alarm will go for the previous CSR; instead, generate the self certificate to get rid of the alarms you are getting for CSR/cert.

    Regards,

    Sachchidanand