Updating certificates with certificate-manager fails at 0%

Article ID: 319878

Products

VMware vCenter Server

Issue/Introduction

The following entries are seen in the logs:

YYYY-MM-DDThh:mm:ss.Z INFO certificate-manager Regenerating Root Cert using VMCA...
YYYY-MM-DDThh:mm:ss.Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--selfca', '--config', '/var/tmp/vmware/root.cfg', '--server', 'localhost']
YYYY-MM-DDThh:mm:ss.Z INFO certificate-manager Command output :- 
 Using config file : /var/tmp/vmware/root.cfg

YYYY-MM-DDThh:mm:ss.Z ERROR certificate-manager Using config file : /var/tmp/vmware/root.cfg

YYYY-MM-DDThh:mm:ss.Z ERROR certificate-manager {
    "detail": [
        {
            "id": "install.ciscommon.command.errinvoke",
            "translatable": "An error occurred while invoking external command : '%(0)s'",
            "args": [
                "Using config file : /var/tmp/vmware/root.cfg\n"
            ],
            "localized": "An error occurred while invoking external command : 'Using config file : /var/tmp/vmware/root.cfg\n'"
        },
        "Error while generating root cert using selfca command."
    ],
    "componentKey": null,
    "problemId": null,
    "resolution": null
}
YYYY-MM-DDThh:mm:ss.Z ERROR certificate-manager please see /var/log/vmware/vmcad/certificate-manager.log for more information.

Environment

  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 8.0.x

Cause

When certool.cfg is reconfigured through certificate-manager, the tool prompts for an extra certificate-information line that is not part of the default template:

Enter proper value for VMCA [Previous value : FQDN_OR_VC-IP] 

Resolution

Check /usr/lib/vmware-vmca/share/config/certool.cfg to see whether its content differs from the default parameters shown below:

#
# Template file for a CSR request
#
# Country is needed and has to be 2 characters
Country = US
Name    = CA
Organization = VMware
OrgUnit = VMware Engineering
State = California
Locality = Palo Alto
IPAddress = 127.0.0.1
Email = email@acme.com
Hostname = server.acme.com

If there is an extra or missing line in the certool.cfg file, update it to match the template above. In the example below, the certool.cfg file has one extra line (VMCA = 10.10.200.100) that needs to be removed.

Then run certificate-manager to perform the certificate update, and type N at the prompt [certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : ].

If the PNID, FQDN, or IP address of the vCenter Server has been changed, type Y at the prompt [certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? :] instead and fill in the values.

Example below:

certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : N
Continue operation : Option[Y/N] ? : y

You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y

Before the certificate update operation is executed, modify the root.cfg file in the /var/tmp/vmware/ directory by adding the required lines or removing the invalid lines to match the default parameters of the CSR template (shared above).

Also, check the content of the other .cfg files in this directory to see if they match the default parameters of the CSR template (shared above).

In the example below, root.cfg has an extra line (VMCA = 10.10.200.100); delete it.

After all the cfg files in the /var/tmp/vmware/ directory have been repaired, continue the certificate update operation. At this point, the certificate manager will no longer report errors.
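The check described above (compare each .cfg file against the keys of the default CSR template and report anything extra or missing) can be scripted so that root.cfg and the other files in /var/tmp/vmware/ are validated before the update is allowed to continue. The following POSIX shell functions are an added example, not VMware's code: they assume the default template contains exactly the nine keys listed in EXPECTED_KEYS and that each setting is on its own "Key = Value" line; the check_certool_cfg and check_cfg_dir names are the example's own.

```shell
#!/bin/sh
# Added example (not from the VMware KB): validate certool-style .cfg files
# against the key set of the default CSR template, so an extra line such as
# "VMCA = ..." is caught before certool --selfca fails with the error above.
# Assumption: the default template has exactly these keys.
EXPECTED_KEYS="Country Name Organization OrgUnit State Locality IPAddress Email Hostname"

# cfg_keys FILE: print the key (left of "=") of every non-comment, non-blank line,
# with surrounding whitespace trimmed, so "Name    = CA" yields "Name".
cfg_keys() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" \
        | awk -F= '{ gsub(/^[ \t]+|[ \t]+$/, "", $1); print $1 }'
}

# check_certool_cfg FILE: print "EXTRA <key>" for keys not in the template and
# "MISSING <key>" for template keys absent from the file; return 1 if any found.
check_certool_cfg() {
    file=$1
    rc=0
    keys=$(cfg_keys "$file")
    for k in $keys; do
        case " $EXPECTED_KEYS " in
            *" $k "*) ;;
            *) echo "EXTRA $k"; rc=1 ;;
        esac
    done
    for e in $EXPECTED_KEYS; do
        found=0
        for k in $keys; do
            [ "$k" = "$e" ] && found=1
        done
        [ "$found" -eq 1 ] || { echo "MISSING $e"; rc=1; }
    done
    return $rc
}

# check_cfg_dir DIR: run check_certool_cfg over every *.cfg in DIR (e.g.
# /var/tmp/vmware); print the offending file and its findings; return 1 on any.
check_cfg_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*.cfg; do
        [ -f "$f" ] || continue
        out=$(check_certool_cfg "$f") || { rc=1; echo "$f:"; echo "$out"; }
    done
    return $rc
}

# Usage on the appliance, after certificate-manager has written its files:
#   check_certool_cfg /usr/lib/vmware-vmca/share/config/certool.cfg
#   check_cfg_dir /var/tmp/vmware
```

A non-zero exit means at least one file needs to be edited back to the template before answering the "Continue operation" prompt; a clean run prints nothing. The key comparison is case-sensitive, matching the template spelling exactly, and values are not checked, since those legitimately differ per vCenter (Hostname, IPAddress, Email).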


Additional Information

Impact/Risks:

Cannot use certificate-manager to renew certificates