Vcenter don't come up after certificates updates

5. RE: Vcenter don't come up after certificates updates

Recommend

new_bember

Posted Nov 19, 2024 02:15 AM

Hello @Daniel Moses, I think good idea to check all your certs/stores settings with vCert script by vsantamaria@vmware.com

Original Message

6. RE: Vcenter don't come up after certificates updates

Recommend

luizitano

Posted Nov 19, 2024 11:52 AM

Hi, @new_bember

where i can find this script?

Thanks and Regards

Original Message

7. RE: Vcenter don't come up after certificates updates

Recommend

new_bember

Posted Nov 19, 2024 12:46 PM

Hi, @luizitano, frankly speaking I didnt read forum rules, so not sure if it allowed to post links here, but you can just google "vCert script by vsantamaria@vmware.com" and you will find it in first three rows.

Original Message

8. RE: Vcenter don't come up after certificates updates

Recommend

luizitano

Posted Nov 20, 2024 12:04 PM

Hi,

Many thanks for the information, but when i try to run the script i have this warning:

The VMware Directory service is not in NORMAL mode!
Certificate operations should not be actioned until this service
is running correctly in a NORMAL state.

vCenter 7.0 Certificate Management Utility (4.7.0)
-----------------------------------------------------------------
1. Check current certificates status
2. View Certificate Info
3. Manage Certificates
4. Manage SSL Trust Anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit

The VMware Directory service is not in NORMAL mode!
Certificate operations should not be actioned until this service
is running correctly in a NORMAL state.

root@vCSA-001 [ ~ ]# service-control --status vmdird
Running:
vmdird

Original Message

9. RE: Vcenter don't come up after certificates updates

Recommend

new_bember

Posted Nov 20, 2024 12:37 PM
Edited by new_bember Nov 20, 2024 12:38 PM

@luizitano do you have any replication with other vCenter?

Check this vmdir logs and this KBs, maybe your case:

https://knowledge.broadcom.com/external/article?legacyId=70756 - this one shows how to set vmdir state to NORMAL

https://knowledge.broadcom.com/external/article/319348/ldap-error-code-49error-49-error-in-vmdi.html

Original Message

Original Message:
Sent: Nov 20, 2024 12:03 PM
From: luizitano
Subject: Vcenter don't come up after certificates updates

Hi,

Many thanks for the information, but when i try to run the script i have this warning:

The VMware Directory service is not in NORMAL mode!
Certificate operations should not be actioned until this service
is running correctly in a NORMAL state.

vCenter 7.0 Certificate Management Utility (4.7.0)
-----------------------------------------------------------------
1. Check current certificates status
2. View Certificate Info
3. Manage Certificates
4. Manage SSL Trust Anchors
5. Check configurations
6. Reset all certificates with VMCA-signed certificates
7. ESXi certificate operations
8. Restart services
9. Generate certificate report
E. Exit

The VMware Directory service is not in NORMAL mode!
Certificate operations should not be actioned until this service
is running correctly in a NORMAL state.

root@vCSA-001 [ ~ ]# service-control --status vmdird
Running:
vmdird

Original Message:
Sent: Nov 19, 2024 12:46 PM
From: new_bember
Subject: Vcenter don't come up after certificates updates

Hi, @luizitano, frankly speaking I didnt read forum rules, so not sure if it allowed to post links here, but you can just google "vCert script by vsantamaria@vmware.com" and you will find it in first three rows.

Original Message:
Sent: Nov 19, 2024 11:51 AM
From: luizitano
Subject: Vcenter don't come up after certificates updates

Hi, @new_bember

where i can find this script?

Thanks and Regards

Original Message:
Sent: Nov 19, 2024 02:14 AM
From: new_bember
Subject: Vcenter don't come up after certificates updates

Hello @Daniel Moses, I think good idea to check all your certs/stores settings with vCert script by vsantamaria@vmware.com

Original Message:
Sent: Nov 15, 2024 09:43 AM
From: Daniel Moses
Subject: Vcenter don't come up after certificates updates

I had an old issue something like this, back on 6.7 with a VASA cert and my storage array, but it was a bad alias name in the Trusted Root store(see below). I do see two trusted root certs in your list that are showing expired, might want to track down what they go to and see if they are causing the issue.

https://community.broadcom.com/vmware-cloud-foundation/discussion/vcsa-67-vpxd-doesnt-start-after-replacing-machine-ssl-certs

Original Message:
Sent: Nov 14, 2024 08:57 AM
From: luizitano
Subject: Vcenter don't come up after certificates updates

Hi,

Thanks, i have done with option 8 several times and still have the issue.

*] Store : MACHI[*] Store : MACHINE_SSL_CERT
NE_SSL_CERTAlias : __MACHINE_CERT
Not After : Nov 13 13:12:36 2026 GMT
[*] Store : TRUSTED_ROOTS
Alias : 507c6a929140b95360b29503d9dce20cf5390f01
Not After : Nov 3 00:42:35 2030 GMT
Alias : da6d595f3290bda8d6678702d0ecb0fc4b5d70d8
Not After : Nov 3 06:37:01 2032 GMT
Alias : b9592c4aa626004f5e9c5079b023ea8eb96f92cc
Not After : Nov 3 06:51:25 2032 GMT
Alias : f1208dd46e4223887e444ab4975f7d8df2dcd3f0
Not After : Nov 3 06:52:24 2032 GMT
Alias : aff6173cb705c256335b19f3d0303a0920cbdb43
Not After : Nov 3 10:22:18 2034 GMT
Alias : 5e9efaa86e2391be1c5e672a0bc08b27e501119c
Not After : Nov 3 10:29:52 2034 GMT
Alias : edc792057763299cfff2b82db65a3a4164cb38f0
Not After : Nov 3 10:43:22 2034 GMT
Alias : 60efdccba797489d14fe90dad258cb2113f5c308
Not After : Nov 3 10:46:13 2034 GMT
Alias : 835a8647456caf66f98b0d9bab7bd64d1cf380cd
Not After : Nov 3 12:09:56 2034 GMT
Alias : 9c2165431c14cfec20bfc37ebb0390d7aa2d672a
Not After : Nov 3 12:11:08 2034 GMT
Alias : ee19eece717750b01465cedbdeb5daf7c6967d9d
Not After : Nov 3 13:45:53 2034 GMT
Alias : 9c1ff4755a7ed52943caea2bc86e549824a397e8
Not After : Nov 3 14:01:30 2034 GMT
Alias : b5a000cba4868e8bf12518888c7c61f7d691e073
Not After : Nov 4 21:08:02 2034 GMT
Alias : ce732919a95742c49a81aebef27a8c1adda3549b
Not After : Nov 6 11:32:25 2034 GMT
Alias : 1b3aea7841462fa3821d92a512c92fe59f691503
Not After : Nov 6 12:14:38 2034 GMT
Alias : 3b8ba019081408cf5478a7ce4372774add373110
Not After : Nov 6 14:00:59 2034 GMT
Alias : 5421eafe4cc8fb1fd500e0854deae9a8d0074505
Not After : Nov 6 14:16:26 2034 GMT
Alias : e7bd972af9018f905999f71f3c5a4634e7dea06a
Not After : Nov 6 20:41:58 2034 GMT
Alias : 9399a66c96aa8d6969ce594ae49646359df4ed72
Not After : Nov 7 09:05:07 2034 GMT
Alias : 7e5010982a489aabe2ee754d982f5a645f94a976
Not After : Nov 7 15:49:41 2034 GMT
Alias : efaeb741e4ef3772cf0948909145d13e03c7cb73
Not After : Nov 7 16:30:58 2034 GMT
Alias : 6eba2bd6a4222e4bc2fc172b4edd47e588a12570
Not After : Nov 8 12:56:32 2034 GMT
Alias : 98b09befd6c201fea1c0d75c3b160143c9ef27c4
Not After : Nov 8 13:01:27 2034 GMT
Alias : c13b69acf10eeacccd844981b8fc8dc041ddd2a9
Not After : Nov 8 13:22:35 2034 GMT
Alias : 64f77e051e12bcf3c6f0d11795ff537766b08383
Not After : Jan 9 01:50:05 2022 GMT
Alias : b95da3757c9e37e726d5f3539b4210853f548e08
Not After : Apr 5 08:10:10 2023 GMT
Alias : ea93193f725d1380479144a1e9cbf811e8e5b885
Not After : Nov 8 14:49:41 2034 GMT
Alias : 7a97332b8671031aaae8f8ba1cd41a7fcf7658c9
Not After : Nov 8 16:37:23 2034 GMT
[*] Store : machine
Alias : machine
Not After : Nov 13 13:13:33 2026 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
Not After : Nov 13 13:13:34 2026 GMT
[*] Store : vpxd
Alias : vpxd
Not After : Nov 13 13:13:35 2026 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
Not After : Nov 13 13:13:35 2026 GMT
[*] Store : hvc
Alias : hvc
Not After : Nov 13 13:13:38 2026 GMT
[*] Store : data-encipherment
Alias : data-encipherment
Not After : Nov 3 00:42:35 2030 GMT
[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : SMS
Alias : sms_self_signed
Not After : Nov 8 00:46:17 2030 GMT
[*] Store : wcp
Alias : wcp
Not After : Nov 13 13:13:38 2026 GMT
[*] Store : BACKUP_STORE
Alias : bkp___MACHINE_CERT
Not After : Nov 13 13:12:36 2026 GMT
Alias : bkp_machine
Not After : Nov 13 13:13:33 2026 GMT
Alias : bkp_vsphere-webclient
Not After : Nov 13 13:13:34 2026 GMT
Alias : bkp_vpxd
Not After : Nov 13 13:13:35 2026 GMT
Alias : bkp_vpxd-extension
Not After : Nov 13 13:13:35 2026 GMT
Alias : bkp_hvc
Not After : Nov 13 13:13:38 2026 GMT
Alias : bkp_wcp
Not After : Nov 13 13:13:38 2026 GMT

Original Message:
Sent: Nov 14, 2024 08:30 AM
From: Navin A
Subject: Vcenter don't come up after certificates updates

Hi,

Please use option 8 and reset the certs.

The services should be up post replacing the certs.

This issue would happen if the chain is not complete.

Regards,

Navin A

Original Message:
Sent: Nov 12, 2024 11:08 AM
From: luizitano
Subject: Vcenter don't come up after certificates updates

Hi,

i have a need to update the vsphere machine certificates and after the updates the vsphere don't come up

i have used the the option 4 and after the 8 on /usr/lib/vmware-vmca/bin/certificate-manager

after i try to use the script ./fixsts.sh

now i don't have any certificate expired:

root@vCSA-001 [ ~/temp ]# python checksts.py

2 VALID CERTS
================

LEAF CERTS:

[] Certificate 84:BD:82:F9:31:48:C3:CF:0A:0C:94:48:47:D8:1C:24:25:24:A6:09 will expire in 730 days (2 years).

ROOT CERTS:

[] Certificate 1B:3A:EA:78:41:46:2F:A3:82:1D:92:A5:12:C9:2F:E5:9F:69:15:03 will expire in 3646 days (10 years).

0 EXPIRED CERTS
================

LEAF CERTS:

None

ROOT CERTS:

None

but some services don't come up

the services are in this state:

root@vCSA-001 [ ~ ]# service-control --status --all
Running:
applmgmt lookupsvc lwsmd observability-vapi vmafdd vmcad vmdird vmonapi vmware-certificateauthority vmware-certificatemanagement vmware-cis-license vmware-eam vmware-envoy vmware-infraprofile vmware-postgres-archiver vmware-rhttpproxy vmware-sca vmware-statsmonitor vmware-stsd vmware-topologysvc vmware-trustmanagement vmware-vapi-endpoint vmware-vmon vmware-vpostgres vtsdb
StartPending:
vmware-hvc
Stopped:
observability pschealth vlcm vmcam vmware-analytics vmware-content-library vmware-imagebuilder vmware-netdumper vmware-perfcharts vmware-pod vmware-rbd-watchdog vmware-sps vmware-updatemgr vmware-vcha vmware-vdtc vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vmware-vsm vsphere-ui vstats wcp

on the VPXD service i have:

2024-11-12T16:05:50.747Z info vpxd[37599] [Originator@6876 sub=vpxCrypt] Failed to read X509 cert; err: 151441516
2024-11-12T16:05:50.764Z info vpxd[37599] [Originator@6876 sub=SsoClient] Successfully acquired token: SamlToken [subject={Name: vpxd-8f5a0953-467d-4581-8146-6fd42ca202d6; Domain:vsphere.local}, groups=[{Name: Users; Domain:vsphere.local}, {Name: SolutionUsers; Domain:vsphere.local}, {Name: SystemConfiguration.Administrators; Domain:vsphere.local}, {Name: ComponentManager.Administrators; Domain:vsphere.local}, {Name: LicenseService.Administrators; Domain:vsphere.local}, {Name: ActAsUsers; Domain:vsphere.local}, {Name: Everyone; Domain:vsphere.local}], delegationChain=[], startTime=2024-11-12 16:05:50.747, expirationTime=2024-11-13 00:05:50.747, renewable=false, delegable=false, isSolution=true,confirmationType=1]
2024-11-12T16:05:50.766Z warning vpxd[37719] [Originator@6876 sub=IO.Connection] Failed to connect; <io_obj p:0x00007fe40c003ac8, h:35, <TCP '127.0.0.1 : 47388'>, <TCP '127.0.0.1 : 10080'>>, e: 111(Connection refused), duration: 0msec
2024-11-12T16:05:50.766Z warning vpxd[37719] [Originator@6876 sub=HttpConnectionPool-000027] Failed to get pooled connection; <cs p:00007fe3a475fdf0, TCP:localhost:10080>, (null), duration: 0msec, N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)
--> [context]zKq7AVECAQAAABvdLAEPdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIAV9wjAPb3IwCDCCQAuQwkAKYUJAATuSMAl1ojAD+wIwDcczcBh38AbGlicHRocmVhZC5zby4wAALvNQ9saWJjLnNvLjYA[/context]
2024-11-12T16:05:50.768Z info vpxd[37719] [Originator@6876 sub=IO.Http] Set user agent error; state: 1, (null), N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)
--> [context]zKq7AVECAQAAABvdLAEPdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIAV9wjAPb3IwCDCCQAuQwkAKYUJAATuSMAl1ojAD+wIwDcczcBh38AbGlicHRocmVhZC5zby4wAALvNQ9saWJjLnNvLjYA[/context]
2024-11-12T16:05:50.769Z error vpxd[37719] [Originator@6876 sub=IO.Http] User agent failed to send request; (null), N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)
--> [context]zKq7AVECAQAAABvdLAEPdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIAV9wjAPb3IwCDCCQAuQwkAKYUJAATuSMAl1ojAD+wIwDcczcBh38AbGlicHRocmVhZC5zby4wAALvNQ9saWJjLnNvLjYA[/context]
2024-11-12T16:05:50.769Z warning vpxd[37599] [Originator@6876 sub=Authz] [ConnectAndLogin] Failed to loginBySamlToken: N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)
--> [context]zKq7AVECAQAAABvdLAEPdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIAV9wjAPb3IwCDCCQAuQwkAKYUJAATuSMAl1ojAD+wIwDcczcBh38AbGlicHRocmVhZC5zby4wAALvNQ9saWJjLnNvLjYA[/context]
2024-11-12T16:05:50.772Z info vpxd[37599] [Originator@6876 sub=Authz] fallback to loginByCertificate
2024-11-12T16:05:50.772Z warning vpxd[37720] [Originator@6876 sub=IO.Connection] Failed to connect; <io_obj p:0x00007fe3f8003278, h:35, <TCP '127.0.0.1 : 47390'>, <TCP '127.0.0.1 : 10080'>>, e: 111(Connection refused), duration: 0msec
2024-11-12T16:05:50.772Z warning vpxd[37720] [Originator@6876 sub=HttpConnectionPool-000027] Failed to get pooled connection; <cs p:00007fe3a475fdf0, TCP:localhost:10080>, (null), duration: 0msec, N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)
--> [context]zKq7AVECAQAAABvdLAEPdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIAV9wjAPb3IwCDCCQAuQwkAKYUJAATuSMAl1ojAD+wIwDcczcBh38AbGlicHRocmVhZC5zby4wAALvNQ9saWJjLnNvLjYA[/context]
2024-11-12T16:05:50.773Z info vpxd[37720] [Originator@6876 sub=IO.Http] Set user agent error; state: 1, (null), N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)
--> [context]zKq7AVECAQAAABvdLAEPdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIAV9wjAPb3IwCDCCQAuQwkAKYUJAATuSMAl1ojAD+wIwDcczcBh38AbGlicHRocmVhZC5zby4wAALvNQ9saWJjLnNvLjYA[/context]
2024-11-12T16:05:50.775Z error vpxd[37720] [Originator@6876 sub=IO.Http] User agent failed to send request; (null), N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)
--> [context]zKq7AVECAQAAABvdLAEPdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIAV9wjAPb3IwCDCCQAuQwkAKYUJAATuSMAl1ojAD+wIwDcczcBh38AbGlicHRocmVhZC5zby4wAALvNQ9saWJjLnNvLjYA[/context]
2024-11-12T16:05:50.775Z error vpxd[37599] [Originator@6876 sub=httpUtil] Error in sending request: N7Vmacore15SystemExceptionE(Connection refused: The remote service is not running, OR is overloaded, OR a firewall is rejecting connections.)
--> [context]zKq7AVECAQAAABvdLAEPdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIAV9wjAPb3IwCDCCQAuQwkAKYUJAATuSMAl1ojAD+wIwDcczcBh38AbGlicHRocmVhZC5zby4wAALvNQ9saWJjLnNvLjYA[/context]
2024-11-12T16:05:50.777Z error vpxd[37599] [Originator@6876 sub=ServerAccess] Remote login failed: N3Vim5Fault9HttpFault9ExceptionE(Fault cause: vim.fault.HttpFault
--> )
--> [context]zKq7AVECAQAAABvdLAEVdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIBGbdvdnB4ZAABbfmBgaKgYQEB0AiCAWAi1wHAGtcBssbVAhwsAWxpYmF1dGh6Y2xpZW50LnNvAALjOAECaeABAifVAQHQtNUBz9pvAatLcAEto28DhysCbGliYy5zby42AAERmW8=[/context]
2024-11-12T16:05:50.779Z error vpxd[37599] [Originator@6876 sub=AuthzStorageProvider] [AuthzStorageProvider::CreateAuthzMgr] Failed to connect to Authz service: <N5Vmomi5Fault17HostCommunication9ExceptionE(Fault cause: vmodl.fault.HostCommunication
--> )
--> [context]zKq7AVECAQAAABvdLAEVdnB4ZAAAHug3bGlidm1hY29yZS5zbwAAAYksAIl7LQBX+DIBGbdvdnB4ZAABlXV4AVN2eAFMC4IBYCLXAcAa1wGyxtUCHCwBbGliYXV0aHpjbGllbnQuc28AAuM4AQJp4AECJ9UBAdC01QHP2m8Bq0twAS2jbwOHKwJsaWJjLnNvLjYAARGZbw==[/context]>
2024-11-12T16:05:50.781Z info vpxd[37599] [Originator@6876 sub=AuthzStorageProvider] [AuthzStorageProvider::CreateAuthzMgr] Retry for this error: attempt count 17

the disk space is ok:

Filesystem Size Used Avail Use% Mounted on
devtmpfs 14G 0 14G 0% /dev
tmpfs 14G 588K 14G 1% /dev/shm
tmpfs 14G 1.2M 14G 1% /run
tmpfs 14G 0 14G 0% /sys/fs/cgroup
/dev/mapper/vg_root_0-lv_root_0 47G 9.6G 35G 22% /
tmpfs 14G 3.0M 14G 1% /tmp
/dev/sda3 488M 30M 423M 7% /boot
/dev/mapper/netdump_vg-netdump 9.8G 37M 9.3G 1% /storage/netdump
/dev/mapper/autodeploy_vg-autodeploy 25G 45M 24G 1% /storage/autodeploy
/dev/mapper/dblog_vg-dblog 25G 1.4G 22G 6% /storage/dblog
/dev/mapper/core_vg-core 49G 4.4G 43G 10% /storage/core
/dev/mapper/imagebuilder_vg-imagebuilder 25G 45M 24G 1% /storage/imagebuilder
/dev/mapper/vtsdblog_vg-vtsdblog 25G 77M 24G 1% /storage/vtsdblog
/dev/mapper/updatemgr_vg-updatemgr 98G 3.7G 90G 4% /storage/updatemgr
/dev/mapper/lifecycle_vg-lifecycle 98G 4.4G 89G 5% /storage/lifecycle
/dev/sda2 10M 2.2M 7.9M 22% /boot/efi
/dev/mapper/archive_vg-archive 98G 16G 77G 18% /storage/archive
/dev/mapper/seat_vg-seat 541G 2.2G 511G 1% /storage/seat
/dev/mapper/vtsdb_vg-vtsdb 541G 105M 513G 1% /storage/vtsdb
/dev/mapper/log_vg-log 25G 11G 13G 47% /storage/log
/dev/mapper/db_vg-db 25G 5.0G 19G 22% /storage/db

i can not find the problem. can someone help me please.

10. RE: Vcenter don't come up after certificates updates

Recommend

luizitano

Posted Nov 21, 2024 04:05 AM

Hi,

before all, many thanks for your inputs,

no i don't have any replication. i am doing backup of all and after that i will try to change the state to normal. I have afraid what this changes can do to vsan storage.

Original Message

Original Message:
Sent: Nov 20, 2024 12:37 PM
From: new_bember
Subject: Vcenter don't come up after certificates updates