"ERROR certificate-manager 'lstool get' failed: 1" during Certificate Replacement on vCenter Server 6.x

Article ID: 317716

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
In the certificate-manager.log file, you see entries similar to:
 
2017-04-21T17:11:53.316Z INFO certificate-manager Serial number before replacement: <old serial number>
2017-04-21T17:11:53.317Z INFO certificate-manager Serial number after replacement: <new serial number>
2017-04-21T17:11:53.317Z INFO certificate-manager Thumbprint before replacement: <old certificate thumbprint>
2017-04-21T17:11:53.317Z INFO certificate-manager Thumbprint after replacement: <new certificate thumbprint>
2017-04-21T17:11:53.325Z INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.
2017-04-21T17:13:43.632Z ERROR certificate-manager Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2017-04-21T17:13:43.632Z ERROR certificate-manager 'lstool get' failed: 1
2017-04-21T17:13:43.632Z INFO certificate-manager Performing rollback of Root Cert...
2017-04-21T17:13:43.632Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--rootca', '--cert', '/var/lib/vmware/vmca/root.cer.0', '--privkey', '/var/lib/vmware/vmca/privatekey.pem.0', '--server', 'localhost']
2017-04-21T17:13:43.832Z INFO certificate-manager Command output :-
Status : Success
 
 
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Cause

This issue occurs when third-party extensions that have no valid certificate (for example, nimble storage or veeambackupUI) are registered to vCenter Server.

Resolution

This issue is resolved in:
  • vCenter Server 6.5 Update 2
  • vCenter Server 6.7 Update 3b


Workaround:
To work around this issue, remove the third-party extension and retry replacing the certificates.

Note: Take a backup of the vCenter database before making any changes.
 
  1. The service ID of the third-party extension causing the error appears above the error message. You can remove the extension from the vCenter MOB. For more information, see Cannot remove or disable unwanted plug-ins from vCenter Server and vCenter Server Appliance.

  2. Retry the Certificate Replacement operation. For more information, see How to use vSphere 6.x Certificate Manager.
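
The following is an added example, not VMware's tooling: a small parser for certificate-manager.log that finds each 'lstool get' failure, reports whether a rollback followed, and returns the lines logged above the error, where step 1 says the service ID appears. The function and field names are hypothetical, and because this page does not show the format of the service ID line, the preceding lines are returned as-is.

```python
import re
from datetime import datetime

# Layout from the excerpt on this page: "<ISO time>Z <LEVEL> certificate-manager <message>"
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z ([A-Z]+) certificate-manager (.*)$")

# SAMPLE input: lines copied from the log excerpt on this page (one long line omitted).
SAMPLE = """\
2017-04-21T17:11:53.325Z INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.
2017-04-21T17:13:43.632Z ERROR certificate-manager Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2017-04-21T17:13:43.632Z ERROR certificate-manager 'lstool get' failed: 1
2017-04-21T17:13:43.632Z INFO certificate-manager Performing rollback of Root Cert...
2017-04-21T17:13:43.832Z INFO certificate-manager Command output :-
Status : Success
"""

def parse(text):
    """Return [timestamp, level, message] entries; lines without a timestamp join the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S.%f")
            entries.append([ts, m.group(2), m.group(3)])
        elif line and entries:
            entries[-1][2] += "\n" + line
    return entries

def find_lstool_failures(text, context=3):
    """Find each "'lstool get' failed" error, with the lines above it and the rollback state."""
    entries = parse(text)
    findings = []
    for i, (ts, level, msg) in enumerate(entries):
        if level != "ERROR" or "'lstool get' failed" not in msg:
            continue
        replaced = [e[0] for e in entries[:i] if "certificate replaced successfully" in e[2]]
        findings.append({
            "time": ts,
            # Seconds between the last logged replacement and the failure (None if none logged).
            "seconds_after_replace": (ts - replaced[-1]).total_seconds() if replaced else None,
            "rollback_started": any("Performing rollback" in e[2] for e in entries[i + 1:]),
            # Raw lines above the error; the page says the extension's service ID appears there.
            "above_error": [e[2] for e in entries[max(0, i - context):i]],
        })
    return findings

if __name__ == "__main__":
    for finding in find_lstool_failures(SAMPLE):
        print(finding)
```

On a real system, pass the contents of /var/log/vmware/vmcad/certificate-manager.log instead of `SAMPLE`, and raise `context` if the service ID is logged further above the error.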


Additional Information