Cannot update an expired vCenter Server certificate

Article ID: 336114

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • When using the Certificate Automation Tool, you see this error:

    Warning: Different certificates are being used for SSL and Solution users.
    Manual intervention is required. For details, see KB 2048202.
    After performing the steps described in the KB article, continue with this operation.
     
    Do you want to continue?
     
  • When running the ssolscli.cmd listServices command to identify service details for the configuration, you see entries similar to:

    Anonymous Execution

    Operation Failed: 100

    For more information, see step 4 in Validating and correcting errors for an upgraded VMware vCenter Server using the SSL Certificate Automation Tool (2048202).
     
  • In the lookupserver.log file, you see entries similar to:

    inherited from com.vmware.vim.binding.lookup.SearchCriteria@780d5011) because of Invalid certificate
    java.lang.IllegalArgumentException: Invalid certificate

Environment

VMware vCenter Server 5.1.x

Cause

This issue occurs when a service endpoint has an expired trust while attempting to register with the Lookup Service.

Resolution

This is a known issue affecting VMware vCenter Server 5.1.x.

To work around this issue:
  1. Stop all VMware Services. For more information, see Stopping, starting, or restarting VMware vCenter Server services (1003895).
  2. Back up the vCenter Server Single Sign-On database.
  3. Run this SQL query in the vCenter Server Single Sign-On database to list all registered services:

    SELECT URI, PROTOCOL, SERVICE_ID FROM LS_SERVICE_ENDPOINT;
     
  4. Identify which service has the expired certificate.

    Note: You can identify the VMware VirtualCenter service by locating the URI field ending in :443/sdk

     
  5. Run this SQL command to reset the SSL trust of the expired service:

    UPDATE LS_SERVICE_ENDPOINT SET SSL_TRUST_ANCHOR = null WHERE SERVICE_ID = ExpiredServiceID;


  6. Start all VMware Services. For more information, see Stopping, starting, or restarting VMware vCenter Server services (1003895).
  7. Continue performing the procedure in Validating and correcting errors for an upgraded VMware vCenter Server using the SSL Certificate Automation Tool (2048202).

    Note: Before proceeding to step 21, take a backup of the folder located at c:\programdata\vmware\virtual center\ssl and replace the contents with the new certificate. You cannot register vCenter Server with Single Sign-On if the current certificates are expired.
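
The reset in step 5 edits the Lookup Service trust data directly, so it helps to run it inside a transaction, confirm that only the intended service's endpoints changed, and commit only after review. The script below is an added example, not part of the original article or VMware's tooling; it assumes the Single Sign-On database runs on Microsoft SQL Server (T-SQL) and uses only the table and columns named in steps 3 and 5. `@sid` and `@cleared` are hypothetical variable names, and `ExpiredServiceID` is the article's placeholder.

```sql
-- Added example (T-SQL, Microsoft SQL Server assumed). Run it with all VMware
-- services stopped and the database backup from step 2 in place.
SET XACT_ABORT ON;   -- any runtime error rolls the whole transaction back

DECLARE @sid NVARCHAR(255);
DECLARE @cleared INT;
-- Placeholder from step 5: replace with the SERVICE_ID identified in step 4.
SET @sid = N'ExpiredServiceID';

BEGIN TRANSACTION;

-- Before: trust state of every registered endpoint.
SELECT SERVICE_ID, URI, PROTOCOL,
       CASE WHEN SSL_TRUST_ANCHOR IS NULL THEN 'cleared' ELSE 'present' END AS TRUST_STATE
FROM LS_SERVICE_ENDPOINT
ORDER BY SERVICE_ID, URI;

-- Step 5, limited to rows of the one service that still carry a trust anchor.
UPDATE LS_SERVICE_ENDPOINT
SET SSL_TRUST_ANCHOR = NULL
WHERE SERVICE_ID = @sid
  AND SSL_TRUST_ANCHOR IS NOT NULL;
SET @cleared = @@ROWCOUNT;

IF @cleared = 0
BEGIN
    -- Mistyped SERVICE_ID, or the trust was already cleared: change nothing.
    ROLLBACK TRANSACTION;
    RAISERROR('No trust anchor cleared; check the SERVICE_ID value.', 16, 1);
END
ELSE
BEGIN
    -- After: only the endpoints of @sid should have moved to 'cleared'.
    SELECT @cleared AS ROWS_CLEARED;
    SELECT SERVICE_ID, URI, PROTOCOL,
           CASE WHEN SSL_TRUST_ANCHOR IS NULL THEN 'cleared' ELSE 'present' END AS TRUST_STATE
    FROM LS_SERVICE_ENDPOINT
    ORDER BY SERVICE_ID, URI;
    -- The transaction is left open on purpose. Review both result sets,
    -- then run exactly one of the following in the same session:
    --   COMMIT TRANSACTION;
    --   ROLLBACK TRANSACTION;
END
```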

Additional Information