"ERROR certificate-manager 'lstool get' failed: 1" during Certificate Replacement on vCenter Server 6.x


Article ID: 317716


Products

VMware vCenter Server

Issue/Introduction

In the certificate-manager.log file, you see entries similar to:
 
YYYY-MM-DDTHH:MM:SS INFO certificate-manager Serial number before replacement: <old serial number>
YYYY-MM-DDTHH:MM:SS INFO certificate-manager Serial number after replacement: <new serial number>
YYYY-MM-DDTHH:MM:SS INFO certificate-manager Thumbprint before replacement: <old certificate thumbprint>
YYYY-MM-DDTHH:MM:SS INFO certificate-manager Thumbprint after replacement: <new certificate thumbprint>
YYYY-MM-DDTHH:MM:SS INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.
YYYY-MM-DDTHH:MM:SS ERROR certificate-manager Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
YYYY-MM-DDTHH:MM:SS ERROR certificate-manager 'lstool get' failed: 1
YYYY-MM-DDTHH:MM:SS INFO certificate-manager Performing rollback of Root Cert...
YYYY-MM-DDTHH:MM:SS INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--rootca', '--cert', '/var/lib/vmware/vmca/root.cer.0', '--privkey', '/var/lib/vmware/vmca/privatekey.pem.0', '--server', 'localhost']
YYYY-MM-DDTHH:MM:SS INFO certificate-manager Command output :-
Status : Success
 
 
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Cause

This issue occurs when third-party extensions (for example, Nimble Storage or veeambackupUI) that have no valid certificates are registered to vCenter Server.

Resolution

This issue is resolved in:
  • vCenter Server 6.5 Update 2
  • vCenter Server 6.7 Update 3b


Workaround:
To work around this issue, remove the third-party extension and retry replacing the certificates.

Note: Take a backup of the vCenter database before making any changes.
 
  1. The service ID of the third-party extension causing the error appears above the error message (as shown in the screenshot below). You can remove it from the vCenter MOB. For more information, see Cannot remove or disable unwanted plug-ins from vCenter Server and vCenter Server Appliance.
     
  2. Retry the Certificate Replacement operation. For more information, see How to use vSphere 6.x Certificate Manager.
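
To help with step 1, the following added example (not VMware code) checks whether a log shows the sequence described in this article and prints the lines logged just before each 'lstool get' failure. The function names are hypothetical, the sample log is constructed from the excerpt above, and the log path is the one named in the error message.

```shell
#!/bin/sh
# Added example (not VMware code); function names are hypothetical.

# Exit 0 only if the log shows this article's sequence: certificate
# replaced, then 'lstool get' failed, then the root certificate rollback.
matches_signature() {
    awk '
        /MACHINE_SSL_CERT certificate replaced successfully/ { replaced = 1 }
        /ERROR certificate-manager .lstool get. failed/ && replaced { failed = 1 }
        /Performing rollback of Root Cert/ && failed { rolled = 1 }
        END { exit !(replaced && failed && rolled) }
    ' "$1"
}

# Print the N lines (default 5) logged before each 'lstool get' failure,
# which is where step 1 says the offending service ID appears.
lstool_context() {
    awk -v n="${2:-5}" '
        /ERROR certificate-manager .lstool get. failed/ {
            for (i = NR - n; i < NR; i++) if (i > 0) print buf[i % n]
            print; print "--"
        }
        { buf[NR % n] = $0 }
    ' "$1"
}

# Constructed sample built from the excerpt above (timestamps invented).
write_sample_log() {
    cat > "$1" <<'EOF'
2020-01-01T10:00:01 INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.
2020-01-01T10:00:02 ERROR certificate-manager Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2020-01-01T10:00:02 ERROR certificate-manager 'lstool get' failed: 1
2020-01-01T10:00:03 INFO certificate-manager Performing rollback of Root Cert...
EOF
}

# Run against a real log when a path is given, e.g.
#   sh triage.sh /var/log/vmware/vmcad/certificate-manager.log 10
if [ "$#" -ge 1 ]; then
    matches_signature "$1" && echo "Log matches the sequence in this article"
    lstool_context "$@"
fi
```
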


Additional Information