Renewing Certificates Using Certificate Manager Fails with VMCAAddRootCertificatePrivate() failedError: 5, Failed to Add Root Certificate
Article ID: 319423


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Unable to renew certificates with certificate manager.
  • Renewing certificates using certificate manager fails with:
ERROR certificate-manager Using config file : /var/tmp/vmware/root.cfg
Error: 5, VMCAAddRootCertificatePrivate() failedError: 5, Failed to add root certificate
Status : Failed
Error Code : 5
Error Message : Operation failed with error = ERROR_ACCESS_DENIED (5)

 ERROR certificate-manager {
    "detail": [
        {
            "args": [
                "Using config file : /var/tmp/vmware/root.cfg\nError: 5, VMCAAddRootCertificatePrivate() failedError: 5, Failed to add root certificate\nStatus : Failed\nError Code : 5\nError Message : Operation failed with error = ERROR_ACCESS_DENIED (5)\n"
            ],
            "id": "install.ciscommon.command.errinvoke",
            "translatable": "An error occurred while invoking external command : '%(0)s'",
            "localized": "An error occurred while invoking external command : 'Using config file : /var/tmp/vmware/root.cfg\nError: 5, VMCAAddRootCertificatePrivate() failedError: 5, Failed to add root certificate\nStatus : Failed\nError Code : 5\nError Message : Operation failed with error = ERROR_ACCESS_DENIED (5)\n'"
        },
        "Error while generating root cert using selfca command."
    ],
    "problemId": null,
    "componentKey": null,
    "resolution": null
 }
  • From vmcad-syslog.log:

info vmcad  t@139876657776384: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: 

info vmcad  t@139876657776384: Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
2022-06-29T14:13:08.124992-05:00 info vmcad  t@139876657776384: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: 
warning vmcad t@139686066431744: error code: 0x00000005
warning vmcad t@139686066431744: error code: 0x00000005
warning vmcad t@139686066431744: error code: 0x0000000

Environment

VMware vCenter Server 7.x 

VMware vCenter Server 8.x

Cause

The CAAdmins group under Builtin (cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local) is missing the member cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local. vmcad checks the caller's groups against the CA admin group (the "Checking user's group ... against CA admin group" lines in vmcad-syslog.log above); because DCAdmins is not a member of CAAdmins, the request to add the root certificate is rejected with error code 0x00000005 (ERROR_ACCESS_DENIED).

Resolution

1. Take a powered-off snapshot of the vCenter Server Appliance VM.
2. Log into the vCenter Server Appliance using JXplorer. Refer to KB: https://broadcomcms-software-agent.wolkenservicedesk.com/wolken/esd/knowledge-base-view/view-kb-article?articleNumber=345125
3. Manually add the following members under Builtin -> CAAdmins:

  • cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local
  • cn=DCClients,cn=Builtin,dc=vsphere,dc=local
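As an added check that is not part of this KB, the Python below verifies an LDIF export of the CAAdmins group against the two members step 3 requires and emits the LDIF modify record that adds whichever are missing, so the fix can be reviewed before anything is changed. The sample export is constructed, and the `member` attribute name is an assumption about the vmdir group schema.

```python
# Group DN and required members as named in the KB resolution.
CAADMINS_DN = "cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local"
REQUIRED_MEMBERS = (
    "cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local",
    "cn=DCClients,cn=Builtin,dc=vsphere,dc=local",
)

# Constructed sample export: DCAdmins is absent, the state in which vmcad
# denies the CA operation with error code 0x00000005.
SAMPLE_LDIF = """\
dn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
objectClass: group
member: cn=Administrator,cn=Users,dc=vsphere,dc=local
member: cn=DCClients,cn=Builtin,dc=vsphere,dc=local
"""

def parse_ldif_members(ldif: str) -> dict[str, list[str]]:
    """Map lower-cased entry DN -> values of the (assumed) 'member' attribute,
    unfolding LDIF continuation lines, which begin with a single space."""
    unfolded: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: dict[str, list[str]] = {}
    dn = None
    for line in unfolded:
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not line.strip():
            dn = None  # blank line ends the entry
        elif attr == "dn":
            dn = value.lower()  # DNs compare case-insensitively
            entries.setdefault(dn, [])
        elif attr == "member" and dn is not None:
            entries[dn].append(value)
    return entries

def missing_members(ldif: str, group_dn: str = CAADMINS_DN) -> list[str]:
    """Required members not on the group; an empty list means it is healthy."""
    have = {m.lower() for m in parse_ldif_members(ldif).get(group_dn.lower(), [])}
    return [m for m in REQUIRED_MEMBERS if m.lower() not in have]

def ldif_add_members(missing: list[str], group_dn: str = CAADMINS_DN) -> str:
    """LDIF change record (for ldapmodify) that adds the missing members."""
    if not missing:
        return ""
    lines = [f"dn: {group_dn}", "changetype: modify", "add: member"]
    return "\n".join(lines + [f"member: {m}" for m in missing]) + "\n-\n"
```

Feed it an LDAP export of the group instead of the sample; the record it emits is the same change step 3 makes by hand in JXplorer.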