Replacing vCenter Server certificates fails when VMware Update Manager service is enabled
Article ID: 315247


Products

VMware vCenter Server

Issue/Introduction

  • Replacing VMCA certificates on VMware vCenter Server Appliance 6.5 fails.
     
  • In the vCenter Server /var/log/vmware/vmcad/certificate-manager.log file, entries similar to the following are seen:

    YYYY-MM-DDTHH:MM:SSZ INFO certificate-manager please see service-control.log for service status
    Service-control failed. Error Failed to start vmon services.vmon-cli RC=1, stderr=Failed to start updatemgr services. Error: Operation timed out

  • In the vCenter Server /tmp/vmware-temp/vmware-vum-server.log file, entries similar to the following are seen:
     
    YYYY-MM-DDTHH:MM:SSZ error vmware-vum-server[7F3EAB8FE700] [Originator@6876 sub=Default] [rpcConnectionWrapper,214] SSL cert. verification failed for host http://FQDN.OF.VCENTER.SERVER:80/. Vmacore::Ssl::SSLException: SSL Exception: Verification parameters:
    --> PeerThumbprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    --> ExpectedThumbprint: YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY
    --> ExpectedPeerName: FQDN.OF.VCENTER.SERVER
    --> The remote host certificate has these problems:
    -->
    --> * unable to get local issuer certificate

Environment

VMware vCenter Server 6.5

Resolution

This issue is resolved in vCenter Server 6.5 Update 2. 

Workaround

  • Option 1: Change the file permission of /etc/vmware/.buildInfo to 444.
  1. Log in to the vCenter Server Appliance as root.
     
  2. Change the file permission of /etc/vmware/.buildInfo from 640 back to 444:

    chmod 444 /etc/vmware/.buildInfo
     
  3. Replace the Machine SSL certificate.

  • Option 2: Disable the VMware Update Manager service and replace the certificates:
  1. Take a backup of SSO domain (PSC(s), vCenter Server(s), etc.).
     
  2. Disable the VMware Update Manager Service.
     
    1. Log in to the vCenter Server using the vSphere Web Client.
       
    2. On the vSphere Web Client Home page, click System Configuration.
       
    3. Under System Configuration, click Services.
       
    4. From the Services list, right-click the VMware vSphere Update Manager service.
       
    5. Navigate to Start up Policy > Disabled.

  3. Retry replacing the SSL certificates.

    For more information, see Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority.
     
  4. Re-enable the VMware Update Manager Service.
     
    1. Log in to the vCenter Server using the vSphere Web Client.
       
    2. On the vSphere Web Client Home page, click System Configuration.
       
    3. Under System Configuration, click Services.
       
    4. From the Services list, right-click the VMware vSphere Update Manager service.
       
    5. Navigate to Start up Policy > Automatic.

  5. Connect to the vCenter Server using SSH and run the following commands:
     
    /usr/lib/vmware-updatemgr/bin/updatemgr-util refresh-certs
    /usr/lib/vmware-updatemgr/bin/updatemgr-util register-vc
    service-control --start vmware-updatemgr

  6. Verify that VMware Update Manager is accessible in the vSphere Web Client.
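The first workaround comes down to a single file-permission check, so the following pre-flight script (an added example, not part of this KB article or of VMware's own tooling) reports the current mode of /etc/vmware/.buildInfo, restores 444 only when it differs, and then prints the Update Manager service status so you can confirm the service state before re-running the certificate replacement. The function names and the BUILDINFO override variable are assumptions made for this illustration; `service-control --status` and the file path come from the appliance itself.

```shell
#!/bin/sh
# Added example (not from the KB): pre-flight check for the .buildInfo workaround.
# Intended to run as root on the vCenter Server Appliance. BUILDINFO may be
# overridden (assumed variable, for testing on another host).
BUILDINFO="${BUILDINFO:-/etc/vmware/.buildInfo}"

# Print the octal permission bits of a file, e.g. 640 or 444 (GNU/BusyBox stat).
file_mode() {
    stat -c '%a' "$1"
}

# Ensure the given file is mode 444. Prints "ok" when nothing had to change and
# "fixed: <old> -> 444" when chmod was applied. Returns 1 if the file is missing
# or chmod fails, so a caller can stop before attempting the certificate replace.
ensure_mode_444() {
    path="$1"
    cur=$(file_mode "$path" 2>/dev/null) || { echo "missing: $path"; return 1; }
    if [ "$cur" = "444" ]; then
        echo "ok: $path is already 444"
        return 0
    fi
    chmod 444 "$path" || return 1
    echo "fixed: $path $cur -> 444"
}

# Report the Update Manager service state via the appliance's service-control
# when it is available; on any other host print "unknown" instead of failing.
vum_status() {
    if command -v service-control >/dev/null 2>&1; then
        service-control --status vmware-updatemgr
    else
        echo "unknown: service-control not found on this host"
    fi
}

# Only touch the real file when running as root on a host that actually has it.
if [ "$(id -u)" = "0" ] && [ -f "$BUILDINFO" ]; then
    ensure_mode_444 "$BUILDINFO"
    vum_status
fi
```

Run it once before starting the replacement and again afterwards; a "fixed" line means the 640 mode the KB describes was present and has been corrected, while a non-zero exit means the file was not found and the workaround does not apply to that host.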