VAMI does not display the new certificate after replacing the MACHINE_SSL_CERT on vCenter Server Appliance
Article ID: 320801

Updated On: 01-21-2025

Products

VMware vCenter Server

Issue/Introduction

After the MACHINE_SSL certificate is replaced on the vCenter Server Appliance, the VMware Appliance Management Interface (VAMI), accessed on port 5480 (https://vcenter_fqdn:5480), does not display the new certificate.

Environment

VMware vCenter Server Appliance 6.x
VMware vCenter Server Appliance 7.x
VMware vCenter Server Appliance 8.x

Resolution

This issue is resolved in vCenter Server 7.x and 8.x, where the lighttpd service is restarted as part of the applmgmt service restart during the certificate replacement process.

If the new certificate is still not reflected, restart the service manually with the command below for your vCenter Server version.

vCenter 8.0 U3 Onwards

Log in to vCenter through the CLI and restart the cap-lighttpd service:

systemctl restart cap-lighttpd.service

vCenter 7.0 and until 8.0 U2

Log in to vCenter through the CLI and restart the vami-lighttp service:

service vami-lighttp restart

vCenter 6.5 & 6.7

  • Log in to the vCenter Server Appliance through SSH.
  • Type shell and press Enter.
  • Restart the VAMI service so that it picks up the Machine SSL certificate automatically:

    /sbin/service vami-lighttp restart

  • If VAMI still does not present the certificate chain, update the configuration files manually with the following steps:

    • Copy the CA certificate chain into the appliance folder as ca.crt. If the Machine SSL certificate was issued by a custom Certificate Authority, cachain.cer must contain all intermediate CA certificates and the Root CA certificate:

      # cp cachain.cer /etc/applmgmt/appliance/ca.crt

    • If the certificate was issued by VMCA, copy the VMCA root certificate instead:

      # cp /var/lib/vmware/vmca/root.cer /etc/applmgmt/appliance/ca.crt

    • Open the /opt/vmware/etc/lighttpd/lighttpd.conf file in a text editor and add the following entry at the end of the file, or directly after the line ssl.engine = "enable":

      ssl.ca-file="/etc/applmgmt/appliance/ca.crt"


      Note: If you use the VAMI backup/restore functionality, a restore will fail because of the ssl.ca-file entry added in the step above. By default the VAMI backup does not include the file /etc/applmgmt/appliance/ca.crt, so the restore fails when it tries to load the ssl.ca-file configuration parameter. To avoid this failure, take the following additional step:

      vi /etc/vmware/backup/manifests/applmgmt.json

      Add the entry "/etc/applmgmt/appliance/ca.crt" to the locations list.

      The added line is the last entry in the locations list below; make sure the line above it ends with a comma so the file remains valid JSON.

      {
        "component": "Appliance Management",
        "parts": [
           {
              "locations": [
                "/etc/applmgmt/appliance/appliance.conf",
                "/etc/applmgmt/appliance/authorization.conf",
                "/etc/applmgmt/firstboot/applmgmt.properties",
                "/etc/vmware/appliance/dcui.cfg",
                "/etc/applmgmt/appliance/update.conf",
                "/etc/applmgmt/appliance/ca.crt"
              ]
           }
        ],
        "deploymentType": ["all"]
      }

    • Restart the VAMI service:

      /sbin/service vami-lighttp restart
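As an added example (not part of this KB article or VMware tooling), the following Python script performs the two configuration edits above idempotently: it inserts the ssl.ca-file line only once, adds ca.crt to the backup manifest through a JSON parser so the file cannot end up malformed, and refuses to run until ca.crt is already in place, which avoids the restore failure described in the note. The file paths are the ones named in this article; the script and its structure are assumptions.

```python
import json
import os
import re
import sys

# Paths named in the KB article (vCenter Server Appliance 6.5 / 6.7).
CA_FILE = "/etc/applmgmt/appliance/ca.crt"
LIGHTTPD_CONF = "/opt/vmware/etc/lighttpd/lighttpd.conf"
MANIFEST = "/etc/vmware/backup/manifests/applmgmt.json"
SSL_CA_LINE = 'ssl.ca-file="%s"' % CA_FILE


def add_ssl_ca_file(conf_text):
    """Return lighttpd.conf text with ssl.ca-file present exactly once: it is
    inserted right after the ssl.engine = "enable" line, or appended at the
    end of the file when that line is not found."""
    if re.search(r'^\s*ssl\.ca-file\s*=', conf_text, re.M):
        return conf_text                        # already configured, keep as is
    lines = conf_text.splitlines()
    at = len(lines)                             # default: end of file
    for i, line in enumerate(lines):
        if re.match(r'^\s*ssl\.engine\s*=\s*"enable"', line):
            at = i + 1
            break
    lines.insert(at, SSL_CA_LINE)
    return "\n".join(lines) + "\n"


def add_manifest_location(manifest_text):
    """Return applmgmt.json with ca.crt in every 'locations' list that lacks
    it, so a VAMI backup captures the file and a later restore can load
    ssl.ca-file. json.loads raises on malformed input, so nothing broken is written."""
    manifest = json.loads(manifest_text)
    for part in manifest["parts"]:
        locations = part.setdefault("locations", [])
        if CA_FILE not in locations:
            locations.append(CA_FILE)
    return json.dumps(manifest, indent=2) + "\n"


def rewrite(path, transform):
    with open(path) as f:
        updated = transform(f.read())
    with open(path, "w") as f:
        f.write(updated)


if __name__ == "__main__":
    # Per the KB note, restore fails if ca.crt is absent when ssl.ca-file is
    # loaded, so require the chain to be copied into place before editing.
    if not os.path.isfile(CA_FILE):
        sys.exit("%s is missing; copy the CA chain there first" % CA_FILE)
    rewrite(LIGHTTPD_CONF, add_ssl_ca_file)
    rewrite(MANIFEST, add_manifest_location)
    print("updated; now run: /sbin/service vami-lighttp restart")
```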