Certificate regeneration fails with the error code: 382312514 after migrating the vCenter Server 6.0 from an Embedded PSC to External PSC
search cancel

Certificate regeneration fails with the error code: 382312514 after migrating the vCenter Server 6.0 from an Embedded PSC to External PSC

book

Article ID: 324827

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
After migrating vCenter Server 6.0 from an Embedded Platform Services Controller (PSC) to External Platform Services Controller, you experience these symptoms:
  • You are unable to regenerate SSL certificates for the Machine SSL or the Solution Users on the vCenter Server.
  • In the certificate-manager utility, you observe:
Error: 382312514, VMCAGetSignedCertificatePrivate() failedStatus : Failed
Error Code : 382312514
Error Message : Failed to connect to the remote host, reason = rpc_s_connect_rejected (0x16c9a042).
Status : 0% Completed [Operation failed, performing automatic rollback]
  • In the certificate-manager.log (located at: /var/log/vmware/vmcad/ or C:\ProgramData\VMware\vCenterServer\logs\vmca\) file, you see entries similar to:

    YYYY-DD-MMT<time>Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--server=localhost', '--gencert', '--privkey=/storage/certmanager/MACHINE_SSL_CERT.priv', '--cert=/storage/certmanager/MACHINE_SSL_CERT.crt', '--config=/var/tmp/vmware/certool.cfg']</time>

    YYYY-DD-MMT<time>Z INFO certificate-manager Command output :-</time>
    Using config file : /var/tmp/vmware/certool.cfg
    Error: 382312514, VMCAGetSignedCertificatePrivate() failedStatus : Failed
    Error Code : 382312514
    Error Message : Failed to connect to the remote host, reason = rpc_s_connect_rejected (0x16c9a042).

    YYYY-DD-MMT<time>Z ERROR certificate-manager Using config file : /var/tmp/vmware/certool.cfg</time>
    Error: 382312514, VMCAGetSignedCertificatePrivate() failedStatus : Failed
    Error Code : 382312514
    Error Message : Failed to connect to the remote host, reason = rpc_s_connect_rejected (0x16c9a042)

    Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x

Cause

This issue occurs because vCenter Server still contains the decommissioned VMCA's Root certificate, causing the certificate-manager utility to believe it is still an embedded node.

Resolution

This issue is resolved in VMware vCenter Server 6.0 Update 3, available at VMware Downloads.

To work around this issue if you do not want to upgrade, rename the old root.cer from the decommissioned VMCA on the vCenter Server that was promoted to an external Platform Services Controller:
 
For the vCenter Server Appliance:
  1. Connect to the vCenter Server Appliance with an SSH session.
  2. Provide the root user user name and password when prompted.
  3. Run this command to enable the Bash shell:

    shell.set --enable True

  4. Run this command to access the Bash shell:

    shell

  5. Run this command to rename the current root.cer to root.bkp:

    mv /var/lib/vmware/vmca/root.cer /var/lib/vmware/vmca/root.bkp

  6. Attempt the certificate regeneration process.
 
For the vCenter Server for Windows:
  1. Remote desktop into the Windows server.
  2. Open a elevated command prompt.
  3. Run this command to rename the current root.cer to root.bkp:

    ren C:\ProgramData\VMware\vCenterServer\data\vmca\root.cer root.bak

  4. Attempt the certificate regeneration process.



Additional Information

Powered by Wolken Software