ERROR certificate-manager 'lstool reregister' failed: 1 when replacing SSL certificates in vCenter

Article ID: 319475

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • You are replacing SSL certificates in vCenter, and the operation fails and rolls back with messages similar to:
Get site nameCompleted [Reset Machine SSL Cert...]
Lookup all services
Get service sso-site:1a2b3c4d-5e6f-7g8h-9a10-b11c12d13e14
Update service sso-site:1a2b3c4d-5e6f-7g8h-9a10-b11c12d13e14; spec: /tmp/svcspec_ZCQFXg
Status : 0% Completed [Reset operation failed]
please see /var/log/vmware/vmcad/certificate-manager.log for more information.
 
  • In /var/log/vmware/vmcad/certificate-manager.log, you see messages similar to:
YYYY-MM-DDTHH:MM:SS.Z ERROR certificate-manager 'lstool reregister' failed: 1
YYYY-MM-DDTHH:MM:SS.Z ERROR certificate-manager please see /var/log/vmware/vmcad/certificate-manager.log for more information.


Environment

VMware vCenter Server Appliance 

Cause

This issue is caused by one or more of the following:
 
  1. The STS (Security Token Service) certificate has expired. The Certificate Manager tool requires a valid STS certificate in order to work and to manage the certificates that need to be renewed or replaced.
  2. There is an SSL trust mismatch on the STS service registrations in the Lookup Service (sso:sts, sso:groupcheck, sso:admin, cs.identity).

Resolution

To check whether the issue is caused by an expired STS certificate, follow Checking Expiration of STS Certificate on vCenter Servers.

To check whether the issue is caused by an SSL trust mismatch, run lsdoctor -l (report function). For instructions and more information, see Using the 'lsdoctor' Tool.
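
An illustration of the second cause, added here and not taken from VMware's tooling: it treats a trust mismatch as a registration whose stored certificate differs from the certificate the node currently presents, comparing SHA-256 fingerprints of the DER bytes so that PEM wrapping versus single-line base64 does not produce false mismatches. The record layout, field names, host name and placeholder certificate bytes are constructed assumptions; on a real system the report comes from lsdoctor -l.

```python
import base64
import hashlib

# Service types the article lists as the STS registrations to check.
STS_TYPES = {"sso:sts", "sso:groupcheck", "sso:admin", "cs.identity"}

def to_der(cert_text):
    """Decode PEM (headers, wrapped lines) or bare base64 into DER bytes."""
    lines = (ln.strip() for ln in cert_text.splitlines())
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    return base64.b64decode(body, validate=True)

def fingerprint(cert_text):
    """SHA-256 over the DER bytes, so the text encoding does not matter."""
    return hashlib.sha256(to_der(cert_text)).hexdigest()

def find_trust_mismatches(registrations, current_cert):
    """Return sorted (type, url) pairs whose stored trust differs from current_cert."""
    expected = fingerprint(current_cert)
    return sorted(
        (reg["type"], ep["url"])
        for reg in registrations if reg["type"] in STS_TYPES
        for ep in reg["endpoints"]
        if fingerprint(ep["ssl_trust"]) != expected
    )

def pem_wrap(der):
    """Build a PEM block with 64-column lines from DER bytes."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *rows, "-----END CERTIFICATE-----"])

# Constructed sample data: placeholder bytes stand in for real certificates.
OLD_B64 = base64.b64encode(b"constructed-old-certificate-" * 8).decode()
NEW_B64 = base64.b64encode(b"constructed-new-certificate-" * 8).decode()
CURRENT_CERT_PEM = pem_wrap(base64.b64decode(NEW_B64))
URL = "https://vc.example.test/"  # hypothetical host
SAMPLE_REGISTRATIONS = [
    {"type": "sso:sts", "endpoints": [{"url": URL + "sts", "ssl_trust": OLD_B64}]},
    {"type": "sso:admin", "endpoints": [{"url": URL + "admin", "ssl_trust": NEW_B64}]},
    {"type": "sso:groupcheck", "endpoints": [{"url": URL + "groupcheck", "ssl_trust": NEW_B64}]},
    {"type": "cs.identity", "endpoints": [{"url": URL + "identity", "ssl_trust": OLD_B64}]},
    {"type": "other.service", "endpoints": [{"url": URL + "other", "ssl_trust": OLD_B64}]},
]

if __name__ == "__main__":
    for svc, url in find_trust_mismatches(SAMPLE_REGISTRATIONS, CURRENT_CERT_PEM):
        print(f"trust mismatch: {svc} at {url}")
```

With the constructed data, the sso:sts and cs.identity records still carry the old certificate and are reported, while the non-STS record is ignored even though it is also stale.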