VPXD fails to start when replacing Custom Signed Machine SSL Certificate
Article ID: 324569
Updated On:
Products
Issue/Introduction
The process to replace default signed certificates with custom signed fails when services are being restarted
The process fails on trying to start vpxd/sps services
Manually trying to start vpxd service fails straight away and we can see the following error in vmon logfile:
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:719)
err vmon <vpxd> Service pre-start command failed with exit code 1.
Cause
This issue occurs when there is an entry in the TRUSTED_ROOTS STORE with the same Subject Key Identifier as the Root/Intermediate of the Custom Signed MACHINE_SSL Certificate.
Resolution
Identify and remove expired Intermediate/Root certificates from the TRUSTED_ROOTS store that match the Subject Key Identifier (SKI) of the current custom Machine SSL certificate. Then, republish the valid chain.
Important:
Take a snapshot of the VCSA before performing any changes.
Steps to Follow:
-
Identify Subject Key Identifiers (SKI):
-
Note the SKI of the Intermediate and Root certificates that signed the custom Machine SSL certificate.
-
-
Review TRUSTED_ROOTS Store:
-
Navigate to the
TRUSTED_ROOTSstore and search for the SKIs identified above. -
Confirm that each SKI appears only once in the store.
-
-
Check Expiry:
-
Verify the expiration date of the matching certificates in
TRUSTED_ROOTS. -
If any certificate is expired, proceed with the cleanup process below.
-
Cleanup Process (for expired certs):
-
List Certificates in VMDIR:
-
Identify the Expired Certificate:
-
Locate the certificate matching the expired SKI.
-
-
Export the Expired Certificate:
-
Unpublish the Expired Certificate:
-
Publish the Valid Intermediate/Root Certificate:
Feedback
