VMware vSphere


vSphere 5.5 expired certificate

  • 1.  vSphere 5.5 expired certificate

    Posted Mar 22, 2024 07:16 PM

    Hi to all,

    I have a problem with VMware 5.5 and the vSphere VM appliance: today the certificates expired and I can't log in anymore.

    This is the error: "The login request has expired due to a clock synchronization issue between vsphere web client and vcenter single sign-on"

    How can I renew the expired certificate and expired CA?

    Thank you.




  • 2.  RE: vSphere 5.5 expired certificate

    Posted Mar 23, 2024 06:49 PM


    This could occur due to the expiration of a previously replaced STS certificate; to resolve it, reset the STS certificate to the default one.

    You may follow this article to resolve the same - https://kb.vmware.com/s/article/2108379




  • 3.  RE: vSphere 5.5 expired certificate

    Posted Mar 25, 2024 09:41 AM

    Hi Shen,

    thank you for the answer.

    I've followed the KB for the vCenter Server Appliance (VCSA) with the suggested command.

    After the message "Successfully installed VMware STS" and a reboot of the system, the certificates are still expired.

    When I try to log in to vSphere, it gives me this error: "Failed to connect to VMware Lookup Service https://blade-vcenter.XXX:7444/lookupservice/sdk - SSL certificate verification failed".

    Any suggestion?

    Thank you.



  • 4.  RE: vSphere 5.5 expired certificate

    Posted Mar 25, 2024 10:14 AM


    In this case, I would suggest manually regenerating the certificates in the vCenter Virtual Appliance. You may follow this KB to generate the certificates, but do not forget to take a snapshot of the virtual machine before proceeding.

    Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5 (2070603)


    Also, just curious: do we have an underscore '_' in the hostname?




  • 5.  RE: vSphere 5.5 expired certificate

    Posted Mar 25, 2024 11:33 AM


    This is the output of the "source vpxd_commonutils; generate_all_certificates replace" command:

    generate_all_certificates replace
    Hostname or IP address have changed. Regenerating the self-signed certificates...
    Regenerating the SLAPD certificate...
    done.
    Regenerating the vpxd certificate...
    Waiting for the embedded database to start up: [OK]
    VC_CFG_RESULT=659
    done.
    Regenerating the Inventory Service certificate...
    Intializing registration provider...
    Getting SSL certificates for https://blade-vcenter.XXX:7444/lookupservice/sdk
    Return code is: Success
    done.
    WARNING: cannot execute certificate replace script '/etc/va/certs/replace/*'
    Stopping vmware-stsd .. done
    Stopping VMware STS IDM Server ... done
    Stopping VMware Directory Service done

    Certificate regeneration finished.

    After the reboot the problem has not changed.

    I'm going crazy.

    >> Also, just curious: do we have an underscore '_' in the hostname?

    No underscore, just "-".

    Thank you.



  • 6.  RE: vSphere 5.5 expired certificate

    Posted Mar 26, 2024 07:18 AM


    I don't see any failure in the output you've posted; it seems the cert regeneration went well, but there is no change after the reboot. Lastly, to avoid services keeping the old hostname after certificate regeneration, we could regenerate the self-signed SSL certificate by using the VAMI portal. Please follow the steps below:

    1. Log-into VCSA VAMI page: https://<FQDN/IP>:5480
    2. Admin > Certificate regeneration enabled > Yes
    3. Network > Address > Change Hostname/IP to a temporary value (if it is DHCP then make it static)
    4. Reboot
    5. Login again into VCSA VAMI page: https://<FQDN/IP>:5480
    6. Admin > Certificate regeneration enabled > Yes
    7. Network > Address > Change Hostname/IP to original value
    8. Reboot.


    If this did not help, I guess redeploying the appliance is the last resort that I could suggest.




  • 7.  RE: vSphere 5.5 expired certificate

    Posted Mar 26, 2024 03:36 PM

    @Shen88 

    I followed the suggested steps with no luck; no change to the installed certificates.

    If I redeploy the appliance, can I import the previous settings in some way?

    Thank you.




  • 8.  RE: vSphere 5.5 expired certificate

    Posted Mar 27, 2024 01:47 AM


    Hey, I haven't done this myself, so I cannot comment on how well this will work. But you may give it a try.

    https://kb.vmware.com/s/article/2034505




  • 9.  RE: vSphere 5.5 expired certificate

    Posted Jan 30, 2025 07:03 AM

    Did you ever resolve this? Our 5.5 appliance cert and CA have just expired, and the KB article https://kb.vmware.com/s/article/2070603 is no longer accessible. We've temporarily managed to gain access via the vSphere client by setting the date on the vCenter server and PC back to last year, but we really just need to regenerate a new 10-year CA and cert.

    Thx,

    M




  • 10.  RE: vSphere 5.5 expired certificate

    Broadcom Employee
    Posted Jan 31, 2025 08:36 AM

    @markdiss Try this,

    Note: Take a snapshot of the virtual machine before proceeding.
    
    Ensure the customer's FQDN, DNS, IP, and all network configuration are correct. Run this VAMI script:
    /opt/vmware/share/vami/vami_config_net
    
    Note: This brings up a command line utility to check network configuration.
    
    Create a file called allow_regeneration by running this command:
    touch /etc/vmware-vpx/ssl/allow_regeneration
    
    Stop the VPXD service by running this command:
    service vmware-vpxd stop
    
    Stop the vCenter Single Sign-On service by running the commands:
    For vCenter Server 5.5: service vmware-sts-idmd stop
    For vCenter Server 5.1: service vmware-sso stop
    
    Regenerate the SSL certificate by running the command:
    source vpxd_commonutils; generate_all_certificates replace
    
    Remove the regeneration flag by removing the allow_regeneration file:
    rm /etc/vmware-vpx/ssl/allow_regeneration
    
    Reboot vCenter Appliance.

    --------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Although I am a VMware employee I contribute to VMware Communities voluntarily (i.e. not in any official capacity)

    Please mark my comment as the Correct Answer or assign Kudos if my answer was helpful to you, Thank you.

    ----------------------------------------------------------------------------------------------------------------------------------------------------------




  • 11.  RE: vSphere 5.5 expired certificate

    Posted Jan 31, 2025 09:26 AM

    No dice I'm afraid, I think the problem is that the VC Server CA is expired so it can't regenerate any certs. We need some way to renew the local VC CA first for a new 10 year lifespan.

    M




  • 12.  RE: vSphere 5.5 expired certificate

    Broadcom Employee
    Posted Jan 31, 2025 09:33 AM

    Try the script from KB https://knowledge.broadcom.com/external/article?articleId=322249 

    But I am not sure if it is going to work on 5.x




  • 13.  RE: vSphere 5.5 expired certificate

    Posted Jan 31, 2025 10:05 AM

    No, some missing dependencies:


    vcentersrv55:~ # python fixcerts_3_2.py replace --certType all
    Traceback (most recent call last):
      File "fixcerts_3_2.py", line 40, in <module>
        from prettytable import PrettyTable
    ImportError: No module named prettytable




  • 14.  RE: vSphere 5.5 expired certificate

    Posted Feb 05, 2025 07:08 AM

    I am also facing the same issue: the SSOserver.crt, CA_certificate.crt and rui.crt certificates have expired. I am using a Windows-based vCenter (Windows Server 2012).
    Did anyone find a solution for this?




  • 15.  RE: vSphere 5.5 expired certificate

    Posted Feb 05, 2025 07:33 AM

    Hi Suresh,

    In the end we just bit the bullet and deployed a new vCenter 5.5 virtual appliance. You may be able to fix this in the Windows version, but I'm pretty sure that if the CA runs out on an appliance it's dead and unrecoverable.

    M




  • 16.  RE: vSphere 5.5 expired certificate

    Posted Feb 06, 2025 08:39 AM

    I tried to renew by generating with OpenSSL, but no luck. Please share the documentation or steps to renew the certificate chain.

    Error:
    2025-02-05T11:53:06.512+04:00 [06576 error 'HttpConnectionPool-000001'] [ConnectComplete] Connect failed to <cs p:0094a77c0, TCP:-----.----.com:7444>; cnx: (null), error: class Vmacore::Ssl::SSLVerifyException(SSL Exception: Verification parameters:
    --> PeerThumbprint: *****
    --> ExpectedThumbprint: 
    --> ExpectedPeerName: ****srv.*****al.com
    --> The remote host certificate has these problems:
    --> 
    --> * A certificate in the host's chain is not time-valid.
    --> 
    --> * A certificate in the host's chain is based on an untrusted root.
    --> 
    --> * The certificate is not time-valid.
    --> 
    --> * certificate has expired)
    2025-02-05T11:53:06.513+04:00 [11372 error '[SSO][SsoFactory_CreateFacade]'] Unable to create SSO facade: SSL Exception: Verification parameters:
    --> PeerThumbprint: *********
    --> ExpectedThumbprint: 
    --> ExpectedPeerName: ****srv.*****al.com
    --> The remote host certificate has these problems:
    --> 
    --> * A certificate in the host's chain is not time-valid.
    --> 
    --> * A certificate in the host's chain is based on an untrusted root.
    --> 
    --> * The certificate is not time-valid.
    --> 
    --> * certificate has expired. 
    2025-02-05T11:53:06.513+04:00 [11372 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Vpx::Common::Sso::SsoFactory_CreateFacade(sslContext, ssoFacadeConstPtr)
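The vpxd.log errors above, together with the earlier observation in this thread that an expired vCenter CA cannot be cured by regenerating the service certificates, can be made concrete with the following added Python example. It is not code from the thread or from VMware: it parses vpxd.log records of the kind quoted above (the sample lines, host name and thumbprint are constructed), classifies the problems vpxd reports, and models a leaf/CA chain with constructed validity dates to show that leaf-only regeneration of the kind `generate_all_certificates replace` performs leaves the chain time-invalid while the issuing CA is outside its own validity window. The tag names (`ca_or_intermediate_expired` and so on) are this example's own, not vpxd's.

```python
"""Added example (not from the thread or VMware): parse vpxd SSLVerifyException
records and show why a fresh leaf under an expired CA still fails validation."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the vpxd.log excerpt in the thread; the host
# name and thumbprint are placeholders, not values from any real system.
SAMPLE_LOG = """\
2025-02-05T11:53:06.512+04:00 [06576 error 'HttpConnectionPool-000001'] [ConnectComplete] Connect failed to <cs p:0094a77c0, TCP:vcenter.example.test:7444>; cnx: (null), error: class Vmacore::Ssl::SSLVerifyException(SSL Exception: Verification parameters:
--> PeerThumbprint: AA:BB:CC:DD
--> ExpectedThumbprint:
--> ExpectedPeerName: vcenter.example.test
--> The remote host certificate has these problems:
-->
--> * A certificate in the host's chain is not time-valid.
-->
--> * A certificate in the host's chain is based on an untrusted root.
-->
--> * The certificate is not time-valid.
-->
--> * certificate has expired)
2025-02-05T11:53:06.513+04:00 [11372 error 'vpxdvpxdMain'] [Vpxd::ServerApp::Init] Init failed: Vpx::Common::Sso::SsoFactory_CreateFacade(sslContext, ssoFacadeConstPtr)
"""

# A vpxd record header: timestamp, thread id, level, component, message.
LOG_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+[+-]\d{2}:\d{2}) "
                      r"\[(?P<thread>\d+) (?P<level>\w+) '(?P<component>[^']*)'\] (?P<msg>.*)$")
PEER = re.compile(r"TCP:(?P<host>[^:>,]+):(?P<port>\d+)")       # target of the failed connect
PROBLEM = re.compile(r"^--> \* (?P<problem>.+?)\)?\.?\s*$")      # "* ..." bullet, trailing ')' or '.' dropped
FIELD = re.compile(r"^--> (?P<key>\w+): ?(?P<val>.*)$")         # "PeerThumbprint: ..." style line


def parse_ssl_verify_failures(text):
    """Group each SSL verification failure with its '-->' continuation lines."""
    records, current = [], None
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:  # a new record header ends any continuation block
            current = None
            if "Verification parameters" in m.group("msg"):
                peer = PEER.search(m.group("msg"))
                current = {"timestamp": m.group("ts"), "component": m.group("component"),
                           "peer": f"{peer.group('host')}:{peer.group('port')}" if peer else None,
                           "fields": {}, "problems": []}
                records.append(current)
            continue
        if current is None or not line.startswith("-->"):
            continue
        pm = PROBLEM.match(line)
        if pm:
            current["problems"].append(pm.group("problem"))
            continue
        fm = FIELD.match(line)
        if fm:
            current["fields"][fm.group("key")] = fm.group("val").strip()
    return records


def classify(problems):
    """Map vpxd's free-text problem bullets to coarse causes (tag names are ours)."""
    causes = set()
    for p in problems:
        text = p.lower()
        if "chain is not time-valid" in text:
            causes.add("ca_or_intermediate_expired")   # an issuer, not just the leaf
        elif "not time-valid" in text or "has expired" in text:
            causes.add("leaf_expired")
        elif "untrusted root" in text:
            causes.add("root_not_trusted")
    return causes


def expired_members(chain, now):
    """Names of chain members (leaf first) whose validity window excludes `now`."""
    return [name for name, not_before, not_after in chain if not (not_before <= now <= not_after)]


def regenerate_leaf(chain, now, lifetime_days=3650):
    """Model leaf-only regeneration: a fresh leaf under the *same*, untouched CA."""
    leaf_name = chain[0][0]
    return [(leaf_name, now, now + timedelta(days=lifetime_days))] + chain[1:]


# Constructed chain: on the self-signed appliance the leaf (rui.crt) and the
# local CA were created together with a ten-year lifetime, so they expire together.
NOW = datetime(2025, 2, 5, tzinfo=timezone.utc)
SAMPLE_CHAIN = [
    ("rui.crt", datetime(2014, 3, 1, tzinfo=timezone.utc), datetime(2024, 3, 1, tzinfo=timezone.utc)),
    ("CA_certificate.crt", datetime(2014, 3, 1, tzinfo=timezone.utc), datetime(2024, 3, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for rec in parse_ssl_verify_failures(SAMPLE_LOG):
        print(rec["timestamp"], rec["component"], rec["peer"], sorted(classify(rec["problems"])))
    print("expired before leaf regeneration:", expired_members(SAMPLE_CHAIN, NOW))
    print("expired after leaf regeneration: ", expired_members(regenerate_leaf(SAMPLE_CHAIN, NOW), NOW))
```

Run stand-alone, the script reports all three causes for the sample record, and the chain model lists both `rui.crt` and `CA_certificate.crt` as expired before regeneration but still lists `CA_certificate.crt` afterwards: the "chain is not time-valid" bullet only goes away once the CA itself is reissued, which is why checking the CA's `notAfter` date first saves a round of pointless leaf regeneration.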




  • 17.  RE: vSphere 5.5 expired certificate

    Posted Feb 07, 2025 12:27 PM

    Any reason you are specifically running vSphere 5.5?