Replacing vCenter Server certificates fails when VMware Update Manager service is enabled

Article ID: 315247

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Replacing VMCA certificates on VMware vCenter Server Appliance 6.5 fails.

  • In the /var/log/vmware/vmcad/certificate-manager.log file, you see entries similar to:

    YYYY-MM-DDTHH:MM:SSZ INFO certificate-manager please see service-control.log for service status
    Service-control failed. Error Failed to start vmon services.vmon-cli RC=1, stderr=Failed to start updatemgr services. Error: Operation timed out

  • In the /tmp/vmware-temp/vmware-vum-server.log file, you see entries similar to:

    YYYY-MM-DDTHH:MM:SSZ error vmware-vum-server[7F3EAB8FE700] [Originator@6876 sub=Default] [rpcConnectionWrapper,214] SSL cert. verification failed for host http://FQDN.OF.VCENTER.SERVER:80/. Vmacore::Ssl::SSLException: SSL Exception: Verification parameters:
    --> PeerThumbprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    --> ExpectedThumbprint: YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY:YY
    --> ExpectedPeerName: FQDN.OF.VCENTER.SERVER
    --> The remote host certificate has these problems:
    -->
    --> * unable to get local issuer certificate

Note: The preceding log excerpts are only examples. Dates, times, and environment-specific values (such as the FQDN and certificate thumbprints) vary depending on your environment.

Environment

VMware vCenter Server 6.5

Resolution

This is a known issue affecting VMware vCenter Server Appliance 6.5.

Workaround:
  • Change the file permission of /etc/vmware/.buildInfo to 444:

  1. Log in to vCenter Server Appliance as root.

  2. Change the file permission of /etc/vmware/.buildInfo from 640 back to 444 by running this command:

    chmod 444 /etc/vmware/.buildInfo

  3. Replace the Machine SSL certificate.
 
  • Disable the VMware Update Manager service and replace the certificates:

  1. Take a backup of your SSO domain (PSC(s), vCenter Server(s), etc.).

  2. Disable the VMware Update Manager Service.

    1. Log in to the vCenter Server using the vSphere Web Client.
    2. On the vSphere Web Client Home page, click System Configuration.
    3. Under System Configuration, click Services.
    4. From the Services list, right-click the VMware vSphere Update Manager service.
    5. Navigate to Start up Policy > Disabled.

  3. Retry replacing the SSL certificates.

    For more information, see Configuring the vSphere 6.0 U1b or later VMware Certificate Authority as a Subordinate Certificate Authority (2147542).
     
  4. Re-enable the VMware Update Manager Service.

    1. Log in to the vCenter Server using the vSphere Web Client.
    2. On the vSphere Web Client Home page, click System Configuration.
    3. Under System Configuration, click Services.
    4. From the Services list, right-click the VMware vSphere Update Manager service.
    5. Navigate to Start up Policy > Automatic.

  5. Connect to the vCenter Server using SSH and run the following commands:

    /usr/lib/vmware-updatemgr/bin/updatemgr-util refresh-certs
    /usr/lib/vmware-updatemgr/bin/updatemgr-util register-vc
    service-control --start vmware-updatemgr

  6. Verify that VMware Update Manager is accessible in the vSphere Web Client.
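As an added example (not a VMware tool and not part of this article), the following POSIX shell pre-flight check tests the two conditions the workarounds above address before a certificate replacement is attempted: the permission mode of /etc/vmware/.buildInfo and whether certificate-manager.log already records the Update Manager start timeout shown under Symptoms. It assumes GNU stat (as on the appliance) and, when run as written, exercises itself against a constructed sample in a temporary directory rather than the live files.

```shell
#!/bin/sh
# Added example, not a VMware tool: pre-flight check for the two conditions
# the workaround above deals with. Assumes GNU stat, as on the appliance.
BUILDINFO="${BUILDINFO:-/etc/vmware/.buildInfo}"
CERTMGR_LOG="${CERTMGR_LOG:-/var/log/vmware/vmcad/certificate-manager.log}"
# Octal permission mode of a file (empty if the file does not exist).
file_mode() { stat -c '%a' "$1" 2>/dev/null; }

# True when .buildInfo has the 444 mode the workaround restores (640 breaks it).
buildinfo_mode_ok() { [ "$(file_mode "$BUILDINFO")" = "444" ]; }

# Count of certificate-manager.log lines recording the Update Manager start
# timeout from the Symptoms section (0 when the log is missing or clean).
updatemgr_failures() {
    if [ -r "$CERTMGR_LOG" ]; then
        grep -c 'Failed to start updatemgr services' "$CERTMGR_LOG" || true
    else
        echo 0
    fi
}

# Run both checks; returns 0 only when a replacement attempt looks safe.
preflight() {
    rc=0
    if buildinfo_mode_ok; then
        echo "OK   $BUILDINFO mode is 444"
    else
        echo "FAIL $BUILDINFO mode is '$(file_mode "$BUILDINFO")'; run: chmod 444 $BUILDINFO"
        rc=1
    fi
    n=$(updatemgr_failures)
    if [ "$n" -gt 0 ]; then
        echo "FAIL $n updatemgr start timeout(s) in $CERTMGR_LOG; disable the Update Manager service before retrying"
        rc=1
    else
        echo "OK   no updatemgr start timeouts in $CERTMGR_LOG"
    fi
    return "$rc"
}

# Constructed sample (not real appliance data): a 640 .buildInfo plus a log
# containing the error line from the Symptoms section, in a temp directory.
demo() {
    d=$(mktemp -d)
    BUILDINFO="$d/.buildInfo"; CERTMGR_LOG="$d/certificate-manager.log"
    printf 'constructed sample\n' > "$BUILDINFO" && chmod 640 "$BUILDINFO"
    printf '%s\n' 'YYYY-MM-DDTHH:MM:SSZ INFO certificate-manager please see service-control.log for service status' \
        'Service-control failed. Error Failed to start vmon services.vmon-cli RC=1, stderr=Failed to start updatemgr services. Error: Operation timed out' > "$CERTMGR_LOG"
    preflight || echo "preflight reported problems (exit status $?)"
    rm -rf "$d"
}
demo
```

To use it against the appliance, remove the final demo call (or set BUILDINFO and CERTMGR_LOG to the real paths) and run it as root before starting the certificate-manager.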