"Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT", Certificate Replacement with Custom Certificate fails on 6.x/7.x
Article ID: 330420

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • MACHINE SSL Certificate replacement with Custom Certificate fails

  • The Certificate Manager log shows errors similar to the following entries:

2019-06-18T15:28:44.830Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2019-06-18T15:28:44.830Z ERROR certificate-manager {
  "resolution": null,
  "problemId": null,
  "componentKey": null,
  "detail": [
    {
      "id": "install.ciscommon.command.errinvoke",
      "translatable": "An error occurred while invoking external command : '%(0)s'",
      "localized": "An error occurred while invoking external command : ''",
      "args": 
    "Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT."
  ]

Log location:

vCenter Server Appliance - /var/log/vmware/vmcad/certificate-manager.log

Windows vCenter Server - "%ProgramData%\VMware\vCenterServer\logs\vmca\certificate-manager.log"


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 7.0.x
VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.0.x

Cause

This issue primarily occurs when the certificate and the private key supplied during certificate replacement do not form a pair, that is, the public key embedded in the certificate was not derived from the private key file that was provided.

Resolution

To resolve this issue, confirm that the private key actually belongs to the certificate. For an RSA key, extract the modulus from both files and compare the two values; hashing the modulus with MD5 is only a convenience that turns a long number into a short string for comparison, the digest plays no security role here. Both strings must be identical if the private key belongs to the certificate.

Use the commands below to compare the moduli:

  • openssl x509 -in <path to the Certificate file> -noout -modulus | openssl md5

  • openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5

On 7.0 the bundled openssl rejects MD5 unless -non-fips-allow is added (alternatively, pipe both outputs through openssl sha256 instead of openssl md5; any digest works for the comparison as long as the same one is used on both sides):

  • openssl rsa -in <path to the Private Key file> -noout -modulus | openssl md5 -non-fips-allow

Note: openssl x509 reads only the first certificate in the input file. When the input is a chain file, the Machine SSL (leaf) certificate must be the first entry; otherwise the modulus of an intermediate or root CA certificate is compared and the check fails even when the private key is correct.

Example:
[ ~/certs ]# openssl x509 -in ./FullChain.cer -noout -modulus | openssl md5
(stdin)= 55d84795791549fe72fc498c69f0dd2d
[ ~/certs ]# openssl rsa -in ./vmca_issued_key.key -noout -modulus | openssl md5
(stdin)= 6b84b1c62e91dbfc6b9f9efa5d34fb86

In this example the two strings differ, so the key and the certificate are not a pair. Either supply the correct private key file during certificate replacement, or generate a new private key and Certificate Signing Request and have the certificate re-issued, as described in Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate.
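The following script is an added example and is not part of the VMware article or of certificate-manager itself. It performs the same key-to-certificate check as the openssl commands above, but compares the PEM-encoded public key (SubjectPublicKeyInfo) extracted from each file rather than an MD5 of the RSA modulus. That makes it work for RSA and EC keys alike, and because it hashes with SHA-256 it does not need -non-fips-allow on 7.0. File names and the function names are the example's own choices.

```shell
#!/bin/sh
# Added example (not VMware code): verify that a private key belongs to a certificate
# before running certificate-manager, so that the replacement does not fail with
# "Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT".

# SHA-256 fingerprint of the public key embedded in the certificate.
# openssl x509 reads only the first PEM block, so in a chain file the
# leaf (Machine SSL) certificate must be the first entry.
cert_pubkey_fp() {
    pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# SHA-256 fingerprint of the public key derived from the private key (RSA or EC).
# openssl pkey -pubout emits the same PEM SubjectPublicKeyInfo as x509 -pubkey,
# so the two fingerprints are byte-for-byte comparable.
key_pubkey_fp() {
    pem=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Exit status 0 when the key matches the certificate, 1 when it does not
# or when either file cannot be parsed (an unreadable file never "matches").
keypair_matches() {
    cert_fp=$(cert_pubkey_fp "$1") || return 1
    key_fp=$(key_pubkey_fp "$2") || return 1
    [ -n "$cert_fp" ] && [ -n "$key_fp" ] && [ "$cert_fp" = "$key_fp" ]
}

# Usage: sh check_keypair.sh <certificate.cer> <private.key>
if [ "$#" -eq 2 ]; then
    if keypair_matches "$1" "$2"; then
        echo "OK: $2 is the private key for $1"
    else
        echo "MISMATCH: $2 is not the private key for $1 (wrong key file, or leaf certificate is not first in the chain)" >&2
        exit 1
    fi
fi
```

Run it against the certificate and key you intend to hand to certificate-manager; a non-zero exit means the replacement would fail for the reason described in Cause. The empty-output guards matter: without them, an unreadable certificate and an unreadable key would both hash to the digest of an empty string and report a false match.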

Note: If the hash values match and the error still occurs, contact VMware Technical Support to review the logs and determine the cause of the failure.


Additional Information

Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate

How to file a Support Request in Customer Connect