"An error occurred while starting 'vmonapi' Failed to start VMware Service lifecycle Manager API Service." error upgrading to vCenter Server 6.5

Article ID: 328096

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Upgrading to vCenter Server 6.5 fails with the error:

    An error occurred while starting 'vmonapi'
    Failed to start VMware Service lifecycle Manager API Service.


  • The vMon.log (Windows vCenter Server) or vmon-syslog.log (vCenter Server Appliance) contains messages reporting that the hostname and/or IP address does not match the SSO certificate:

    warning vmon Service vmonapi pre-start command's stderr: Failed to start vmonapi service. Exception : hostname u'HOSTNAME' doesn't match 'VCENTER_IP'

    Note:
    • The vMon.log file is found in the VMware-VCS-logs-<year><month><day><hour><minute><second>.zip file created on the vCenter Server after a failed upgrade.
    • The vmon-syslog.log file is located in /var/log/vmware/vmon on the failed appliance.



Cause

This happens when the Primary Network ID (PNID) is not present in the Subject Alternative Name (SAN) field of the SSL certificates that vmonapi downloads from Single Sign-On. The PNID is the FQDN or IP address used during the install in vCenter 6.x.

Resolution

This issue is resolved in vCenter Server 6.5 Patch 1, available at VMware Downloads.

To resolve this when migrating from vCenter Server 6.0 to vCenter Server 6.5:

vCenter Server 6.0

To resolve this when upgrading from vCenter 6.0, ensure the FQDN and IP are present in the SAN field of the SSO Lookup Service certificate.

To replace the Lookup Service certificate in vCenter Server 6.5, see Replacing the Lookup Service SSL certificate on a Platform Services Controller 6.0 (2118939).

To resolve this when upgrading from vCenter Server 5.5, ensure the FQDN and IP are present in the SAN field of the Single Sign-On Certificate in vCenter Server 5.5.

vCenter Server 5.5 for Windows

Self-signed certificates in vCenter Server 5.5 for Windows can be regenerated by re-installing and ensuring that the FQDN, rather than the IP address, is used in the installation wizard.

Another option is to update the certificates manually before upgrade. See Deploying and using the SSL Certificate Automation Tool 5.5 (2057340) for instructions on using the SSL automation tool to accomplish this.

To re-generate a new default SSO Certificate, use the following steps. If using CA Signed Certificates, follow the process as per Implementing CA signed SSL certificates with vSphere 5.x (2034833):
  1. Back up the ssoserver* files from C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf.
  2. Open an elevated command prompt and run this command to create a temporary directory to store files during generation:

    mkdir C:\ssl

  3. Using a text editor, create the file C:\ssl\certool.cfg from the template below, fill in the details for your environment, and save the file. Make sure that commonName and subjectAltName both contain the PNID (FQDN):
    notepad C:\ssl\certool.cfg

  4. Using the following template as an example.

    Note: The values that will usually differ are
    subjectAltName and the entries under
  5. Run this command to generate a new certificate request and private key for the Lookup Service:
    "C:\Program Files\VMware\CIS\openSSL\openssl.exe" req -new -nodes -out C:\ssl\ssoserver.csr -newkey rsa:2048 -keyout C:\ssl\ssoserver.key -config C:\ssl\certool.cfg

  6. Run this command to generate a new certificate for the Lookup Service using the previously generated private key and certool.cfg file:
    "C:\Program Files\VMware\CIS\openSSL\openssl.exe" x509 -req -days 3650 -sha256 -in C:\ssl\ssoserver.csr -out C:\ssl\ssoserver.crt -CA "C:\ProgramData\VMware\CIS\data\vmca\root.cer" -CAkey "C:\ProgramData\VMware\CIS\data\vmca\privatekey.pem" -extensions v3_req -CAcreateserial -extfile C:\ssl\certool.cfg

  7. Run this command to generate a .p12 file containing both the ssoserver.crt and ssoserver.key files:
    "C:\Program Files\VMware\CIS\openSSL\openssl.exe" pkcs12 -export -in C:\ssl\ssoserver.crt -inkey C:\ssl\ssoserver.key -name "ssoserver" -passout pass:changeme -out C:\ssl\ssoserver.p12

    Note: Do not modify the -passout value. This must remain as changeme.
  8. Run this command to back up the existing ssoserver.p12 file:
    copy "C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12" "C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12.backup"

  9. Run this command to replace the old ssoserver.p12 with the newly generated ssoserver.p12 file:
    copy "C:\ssl\ssoserver.p12" "C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12"

  10. Stop the SSO Services in this order:
    VMware Secure Token Service
    VMware Identity Management Service
    VMware Kdc Service
    VMware Directory Service
    VMware Certificate Service

  11. Start the SSO Services in this order:
    VMware Certificate Service
    VMware Directory Service
    VMware Kdc Service
    VMware Identity Management Service
    VMware Secure Token Service

  12. Restart the vCenter Server services in this order:

    Restart the VMware vCenter Inventory Service
    Restart the VMware VirtualCenter Server
    Restart the VMware VirtualCenter Management Webservices
    Restart the VMware vSphere Profile-Driven Storage Service
    Restart the VMware vSphere Web Client
    Restart the VMware Log Browser

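
The cause above and steps 3 to 6 both depend on the PNID appearing in the certificate's SAN. The following shell script is an added example, not part of the original article or VMware tooling: it builds a throwaway certificate from a certool.cfg-style file and checks whether a given PNID is listed in its SAN. The host name vc01.example.test, the address 192.0.2.10, the function names, the config layout and the self-signing (in place of the VMCA root used in step 6) are assumptions made so the example runs offline.

```bash
# Added example: is a PNID (FQDN or IP) listed in a certificate's SAN?
# Host names, addresses and file names are constructed sample values.

# Build a throwaway certificate from a certool.cfg-style file (assumed layout).
# Self-signed here so it runs offline; the article signs with the VMCA root.
make_sample_cert() {
  local dir=$1
  cat > "$dir/certool.cfg" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ v3_req ]
subjectAltName = DNS:vc01.example.test, IP:192.0.2.10

[ req_distinguished_name ]
commonName = vc01.example.test
EOF
  openssl req -x509 -new -nodes -newkey rsa:2048 -days 1 -sha256 \
    -keyout "$dir/ssoserver.key" -out "$dir/ssoserver.crt" \
    -config "$dir/certool.cfg" -extensions v3_req 2>/dev/null
}

# Print the SAN entries of a PEM certificate, one per line, lower-cased,
# for example "dns:vc01.example.test" and "ip address:192.0.2.10".
san_entries() {
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Subject Alternative Name' | tail -n 1 |
    tr ',' '\n' | sed 's/^ *//; s/ *$//' | tr 'A-Z' 'a-z'
}

# Return 0 only if the PNID is a DNS or IP entry in the SAN. The CN is
# ignored on purpose: the requirement is that the PNID is in the SAN.
san_has_pnid() {
  local pnid
  pnid=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  san_entries "$1" | grep -qxF -e "dns:$pnid" -e "ip address:$pnid"
}

demo() {
  local tmp pnid; tmp=$(mktemp -d)
  make_sample_cert "$tmp"
  for pnid in vc01.example.test 192.0.2.10 vc01 198.51.100.7; do
    if san_has_pnid "$tmp/ssoserver.crt" "$pnid"; then echo "OK      $pnid"
    else echo "MISSING $pnid"; fi
  done
  rm -rf "$tmp"
}
demo
```

On a host with openssl, running san_has_pnid against a copy of the generated ssoserver.crt, once with the FQDN and once with the IP address, confirms the SAN before the .p12 is built and swapped in.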
vCenter Server Appliance 5.5

To regenerate self-signed certificates on the vCenter Server Appliance 5.5, see Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5 (2070603).

vCenter Server 6.0

To resolve this when upgrading from vCenter 6.0, ensure the FQDN and IP are present in the SAN field of the SSO Lookup Service certificate.

To replace the Lookup Service certificate in vCenter Server 6.0, see Replacing the Lookup Service SSL certificate on a Platform Services Controller 6.0 (2118939).


Additional Information