To resolve this issue, replace the STS_INTERNAL_SSL_CERT with the machine cert from the MACHINE_SSL_CERT store.
Process to replace STS_INTERNAL_SSL_CERT with the machine cert from the MACHINE_SSL_CERT store:
Step 1: Check whether the lookup service certificate is expired.
- Run this command:
openssl s_client -connect <PSC/VCSA-FQDN/IP>:7444 | less
- From the above output, copy the block that starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
- Save it as 7444-lookup.txt, then rename the file to 7444-lookup.crt.
- Open 7444-lookup.crt and check whether the certificate is still valid or has expired.
- If it has expired, continue with Step 2.
Step 2: Replace the expired 7444 certificate stored in STS_INTERNAL_SSL_CERT with the machine cert from the MACHINE_SSL_CERT store. Run the commands below one by one, in the order shown (the third and fourth commands back up the existing entry before it is deleted):
Appliance:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /var/tmp/MachineSSL.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT > /var/tmp/MachineSSL.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > /var/tmp/sts_internal_backup.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT > /var/tmp/sts_internal_backup.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert /var/tmp/MachineSSL.crt --key /var/tmp/MachineSSL.key
Windows:
Open a Command Prompt as administrator and change to the vmafdd directory: cd "C:\Program Files\VMware\vCenter Server\vmafdd"
vecs-cli.exe entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\MachineSSL.crt
vecs-cli.exe entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\MachineSSL.key
vecs-cli.exe entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\sts_internal_backup.crt
vecs-cli.exe entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output C:\Windows\Temp\sts_internal_backup.key
vecs-cli.exe entry delete --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT -y
vecs-cli.exe entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert C:\Windows\Temp\MachineSSL.crt --key C:\Windows\Temp\MachineSSL.key
- Restart the vCenter services:
- service-control --stop --all
- service-control --start --all
- Re-run the openssl command from Step 1 to verify that the lookup service certificate is now valid.
- Then retry the vCenter upgrade.
- If the lookup service certificate is valid and you still see the same issue, check the certificates in VECS and the SSO endpoints for possible expiration and replace any that have expired.
- Afterwards, confirm the lookup service certificate is still valid by running the command again:
- openssl s_client -connect <PSC/VCSA-FQDN/IP>:7444 | less
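The certificate check from Step 1 and the re-check after the replacement, as an added shell example that is not part of the original article; it assumes openssl is on the PATH and that the hostname and port (7444 by default) are passed as arguments. Feeding s_client from /dev/null stops it from waiting for interactive input, and -checkend flags a certificate that is expired or about to expire, which reading the BEGIN/END block by eye does not.

```shell
# Added example (not from the KB article). Assumes openssl is on PATH.

# fetch_leaf_cert HOST PORT -> prints the server's leaf certificate in PEM
fetch_leaf_cert() {
    # </dev/null closes stdin so s_client exits after the handshake;
    # openssl x509 keeps only the first certificate block from the output
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509
}

# cert_status PEMFILE [WARN_DAYS] -> prints notAfter and returns
#   0 = valid beyond the warning window
#   1 = expired, or expiring within WARN_DAYS (replace it, Step 2)
#   2 = file missing or not a parseable certificate
cert_status() {
    pem=$1
    warn_days=${2:-30}
    not_after=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null) || return 2
    echo "$pem: $not_after"
    # -checkend N succeeds only if the certificate is still valid N seconds from now
    if openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" >/dev/null; then
        echo "$pem: valid for at least $warn_days more days"
        return 0
    fi
    echo "$pem: EXPIRED or expiring within $warn_days days - replace it (Step 2)"
    return 1
}

# check_lookup_service HOST [PORT] [WARN_DAYS] -> same return codes as cert_status
check_lookup_service() {
    host=$1
    port=${2:-7444}
    warn=${3:-30}
    tmp=$(mktemp) || return 2
    if ! fetch_leaf_cert "$host" "$port" > "$tmp"; then
        echo "$host:$port: could not retrieve a certificate"
        rm -f "$tmp"
        return 2
    fi
    if cert_status "$tmp" "$warn"; then rc=0; else rc=$?; fi
    rm -f "$tmp"
    return $rc
}

# Usage (placeholder host): check_lookup_service psc.example.invalid 7444 30
```

Run it once before Step 2 and again after the services restart; a non-zero return code is the same signal the manual check gives, but it can be scripted across several PSC/VCSA nodes.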