Renewing Certificates Using Certificate Manager Fails with VMCAAddRootCertificatePrivate() failedError: 5, Failed to Add Root Certificate

Article ID: 319423

Products

VMware vCenter Server

Issue/Introduction


  • Certificate Manager is unable to renew certificates.
  • Certificate Manager reports the following error, which references the generated config file /var/tmp/vmware/root.cfg:
    Error: 5, VMCAAddRootCertificatePrivate() failedError: 5, Failed to add root certificate
    Status : Failed
    Error Code : 5
    Error Message : Operation failed with error = ERROR_ACCESS_DENIED (5)
    
     ERROR certificate-manager {
        "detail": [
            {
                "args": [
                    "Using config file : /var/tmp/vmware/root.cfg\nError: 5, VMCAAddRootCertificatePrivate() failedError: 5, Failed to add root certificate\nStatus : Failed\nError Code : 5\nError Message : Operation failed with error = ERROR_ACCESS_DENIED (5)\n"
                ],
                "id": "install.ciscommon.command.errinvoke",
                "translatable": "An error occurred while invoking external command : '%(0)s'",
                "localized": "An error occurred while invoking external command : 'Using config file : /var/tmp/vmware/root.cfg\nError: 5, VMCAAddRootCertificatePrivate() failedError: 5, Failed to add root certificate\nStatus : Failed\nError Code : 5\nError Message : Operation failed with error = ERROR_ACCESS_DENIED (5)\n'"
            },
            "Error while generating root cert using selfca command."
        ],
        "problemId": null,
        "componentKey": null,
        "resolution": null

     

  • From /var/log/vmware/vmcad/vmcad-syslog.log:
    info vmcad  t@139876657776384: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: 
    
    info vmcad  t@139876657776384: Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
    2022-06-29T14:13:08.124992-05:00 info vmcad  t@139876657776384: Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: 
    warning vmcad t@139686066431744: error code: 0x00000005
    warning vmcad t@139686066431744: error code: 0x00000005
    warning vmcad t@139686066431744: error code: 0x0000000



Environment

VMware vCenter Server 7.x 

VMware vCenter Server 8.x

Cause

The CAAdmins group (cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local) in the vSphere Single Sign-On directory no longer contains the member cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local. As the vmcad log shows, VMCA checks the caller's groups against the CA admin group before it will add a root certificate; with DCAdmins missing from CAAdmins that check fails with error code 0x00000005 (ERROR_ACCESS_DENIED), and the root certificate cannot be added.

Resolution

  1. Take a powered-off snapshot of the vCenter Server Appliance VM.
  2. Log into the vCenter Server Appliance using JXplorer. Refer to KB: Using JXplorer to connect to the vSphere Single Sign-on.
  3. Manually add the following members under Builtin -> CAAdmins:
    • cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local
    • cn=DCClients,cn=Builtin,dc=vsphere,dc=local
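Before (or instead of) editing the group by hand in JXplorer, it is useful to confirm from the directory itself which of the two members is actually absent from CAAdmins, and to have the change in a reviewable form. The script below is an added example written for this article; it is not VMware code. It parses the LDIF text that an ldapsearch of the CAAdmins entry returns, reports which of the required members are missing, and builds the ldapmodify record that would add them. The assumptions are that vmdir exposes group membership through the `member` attribute and that ldapsearch/ldapmodify are run against the appliance's LDAP port with an SSO administrator bind; the sample LDIF is constructed, not captured from a real system.

```python
"""Check vmdir's CAAdmins group for the members the KB requires and
emit the LDIF that would add any that are missing.

Added example for this KB article; it is not VMware code. It parses
LDIF text such as the following (assumed) invocation returns:

  ldapsearch -h localhost -p 389 -x \
    -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W \
    -b "cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local" -s base member

The use of the 'member' attribute for vmdir group membership is an
assumption.
"""

CAADMINS_DN = "cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local"

# Members the KB resolution adds under Builtin -> CAAdmins.
REQUIRED_MEMBERS = (
    "cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local",
    "cn=DCClients,cn=Builtin,dc=vsphere,dc=local",
)


def parse_ldif_entry(ldif_text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles LDIF line folding (continuation lines start with one space)
    and skips comments, blank lines and the version line. Attribute
    names are lowercased so 'member' and 'Member' compare equal.
    """
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # join folded continuation
        else:
            unfolded.append(raw)

    entry = {}
    for line in unfolded:
        if not line.strip() or line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        # '::' marks a base64 value; DNs from vmdir are plain text, so
        # refuse rather than silently mis-compare an encoded value.
        if value.startswith(":"):
            raise ValueError(f"base64 value for {name} not supported here")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def missing_members(ldif_text, required=REQUIRED_MEMBERS):
    """Return the required DNs absent from the group's member list (case-insensitive)."""
    entry = parse_ldif_entry(ldif_text)
    present = {m.lower() for m in entry.get("member", [])}
    return [dn for dn in required if dn.lower() not in present]


def add_members_ldif(missing, group_dn=CAADMINS_DN):
    """Build an LDIF modify record adding the missing members.

    Feed the result to ldapmodify with the same bind as the search
    (assumed invocation: ldapmodify -h localhost -p 389 -x -D <admin DN> -W -f add.ldif).
    Returns "" when nothing is missing so nothing is applied by accident.
    """
    if not missing:
        return ""
    lines = [f"dn: {group_dn}", "changetype: modify", "add: member"]
    lines += [f"member: {dn}" for dn in missing]
    return "\n".join(lines) + "\n"


# Constructed sample: a CAAdmins entry from which DCAdmins has gone
# missing, with one value folded across two lines as LDIF allows.
SAMPLE_LDIF = """\
version: 1
dn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
objectClass: group
cn: CAAdmins
member: cn=Administrator,cn=Users,dc=vsphere,dc=local
member: cn=DCClients,cn=Builtin,
 dc=vsphere,dc=local
"""

if __name__ == "__main__":
    gone = missing_members(SAMPLE_LDIF)
    print("missing from CAAdmins:", gone)
    print(add_members_ldif(gone), end="")
```

Run against the constructed sample, the script reports only DCAdmins as missing and prints a single-attribute modify record; running it against real ldapsearch output gives the same kind of result, which can be reviewed before it is applied, after the snapshot in step 1 has been taken.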




Additional Information