vCenter Server login fails or hangs due to expired certificates

Article ID: 344201

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Unable to log in to vCenter Server — the vSphere Client UI hangs or spins indefinitely after entering credentials
  • 503 Service Unavailable error when accessing vCenter Server
  • no healthy upstream error when accessing vCenter Server
  • [500] An error occurred while fetching identity providers error on the login page

Additional Symptoms Reported

  • 503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x...] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe)
  • [400] An error occurred while sending an authentication request to the vCenter Single Sign-On server
  • Signing certificate is not valid
  • Warnings in the vCenter interface show that certificates are expiring soon
  • Services fail to start after vCenter reboot

Environment

  • vCenter 6.x
  • vCenter 7.x
  • vCenter 8.x
  • vCenter 9.x

Cause

One or more required vCenter Server certificates have expired, preventing services from starting or authenticating properly.

Resolution

Prerequisites

  • Caution: Before proceeding, take a backup or create a powered-off virtual machine snapshot of the vCenter Server.
  • For standalone vCenter: Take a snapshot of the vCenter VM (recommended from the host).
  • For Enhanced Linked Mode (ELM): Power off all linked vCenter Servers simultaneously and take a snapshot of each node (recommended from the hosts). See VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice.
  • For vCenter HA (VCHA): Remove (destroy) the VCHA configuration before taking snapshots.

Step 1: Verify certificate expiration

  1. Connect to the vCenter Server Appliance via SSH as root.
  2. Run the following command to check certificate expiration dates:
     for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
         echo "[*] Store :" $store
         /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"
     done

     Review the output. If any "Not After" date is in the past, that certificate has expired.
  3. Additionally, check the STS certificate expiration. See Checking Expiration of STS Certificate on vCenter Server.
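The loop above prints every "Alias" and "Not After" line and leaves the reader to compare each date against today's. The following script is an added example, not VMware's code and not part of this article: it parses the same vecs-cli --text output, classifies each entry as EXPIRED, EXPIRING (within a configurable number of days) or OK, and lists expired entries first. It runs offline against a constructed sample of that output (the aliases and dates in SAMPLE_OUTPUT are made up); run_live() calls the real vecs-cli at the path the article uses and skips TRUSTED_ROOT_CRLS as the one-liner does.

```python
#!/usr/bin/env python3
"""Classify VECS certificate entries by expiry (added example, not VMware's code).

Parses the output of
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store <store> --text
(the same "Alias" / "Not After" lines the article's loop greps for) and sorts
each entry into EXPIRED, EXPIRING (within warn_days) or OK.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"   # path used in the article
ALIAS_RE = re.compile(r"^\s*Alias\s*:\s*(\S.*?)\s*$")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")


def parse_not_after(text):
    """vecs-cli prints openssl-style dates such as 'Dec  4 14:06:08 2029 GMT'."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_store(store, text):
    """Yield (store, alias, not_after) for every certificate in one store's --text output."""
    alias = None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)          # an "Alias :" line starts a new entry
            continue
        m = NOT_AFTER_RE.match(line)
        if m and alias is not None:     # "Not Before:" lines do not match this regex
            yield store, alias, parse_not_after(m.group(1))


def classify(entries, now, warn_days=30):
    """Group (store, alias, not_after) tuples into EXPIRED / EXPIRING / OK lists."""
    result = {"EXPIRED": [], "EXPIRING": [], "OK": []}
    for store, alias, not_after in entries:
        if not_after <= now:
            status = "EXPIRED"
        elif not_after - now < timedelta(days=warn_days):
            status = "EXPIRING"
        else:
            status = "OK"
        result[status].append((store, alias, not_after))
    return result


def run_live(warn_days=30, vecs_cli=VECS_CLI):
    """On an appliance: enumerate VECS stores and classify every entry (CRL store skipped)."""
    stores = subprocess.run([vecs_cli, "store", "list"], check=True, text=True,
                            capture_output=True).stdout.split()
    entries = []
    for store in stores:
        if store == "TRUSTED_ROOT_CRLS":   # holds CRLs, not certificates
            continue
        out = subprocess.run([vecs_cli, "entry", "list", "--store", store, "--text"],
                             check=True, text=True, capture_output=True).stdout
        entries.extend(parse_store(store, out))
    return classify(entries, datetime.now(timezone.utc), warn_days)


# Constructed sample of vecs-cli --text output; aliases and dates are made up.
SAMPLE_OUTPUT = {
    "MACHINE_SSL_CERT": (
        "Number of entries in store :\t1\n"
        "Alias :\t__MACHINE_CERT\n"
        "Entry type :\tPrivate Key\n"
        "        Validity\n"
        "            Not Before: Dec 10 14:06:08 2019 GMT\n"
        "            Not After : Dec  4 14:06:08 2021 GMT\n"
    ),
    "TRUSTED_ROOTS": (
        "Number of entries in store :\t2\n"
        "Alias :\t0123456789abcdef0123456789abcdef01234567\n"
        "Entry type :\tTrusted Cert\n"
        "            Not After : Jun 20 10:00:00 2024 GMT\n"
        "Alias :\tfedcba9876543210fedcba9876543210fedcba98\n"
        "Entry type :\tTrusted Cert\n"
        "            Not After : Dec  4 14:06:08 2029 GMT\n"
    ),
}
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the sample


def classify_sample(warn_days=30):
    """Run the parser and classifier over the constructed sample with a fixed clock."""
    entries = [e for store, text in SAMPLE_OUTPUT.items() for e in parse_store(store, text)]
    return classify(entries, SAMPLE_NOW, warn_days)


def report(classified):
    """One line per entry, expired first, so the entries that block login are read first."""
    lines = []
    for status in ("EXPIRED", "EXPIRING", "OK"):
        for store, alias, not_after in classified[status]:
            lines.append(f"{status:<8} {store:<18} {alias:<42} {not_after:%Y-%m-%d}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(classify_sample())))
```

On an appliance, replace the call to classify_sample() with run_live(); an EXPIRED line for MACHINE_SSL_CERT or any solution-user store is the condition Step 2 resolves, and the STS signing certificate is not in VECS, so it still needs the separate check referenced in step 3.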

Step 2: Replace expired certificates

For vCenter 7.x, 8.x, and 9.x:

Use the vCert tool to identify which certificates are expired and replace them:

  1. Download and install vCert per the instructions in vCert - Scripted vCenter Expired Certificate Replacement.

  2. Run vCert and select Option 1: Check current certificate status to identify expired certificates. Based on the results:

    1. If multiple certificate types have expired, select Option 6: Reset all certificates with VMCA-signed certificates.
    2. If only specific certificates have expired, use Option 3: Manage Certificates to replace only the affected certificates.

    Note: Due to known issues with the built-in certificate-manager tool in vCenter 8.0, the vCert tool is the recommended method for expired certificate replacement.

For vCenter 6.x (Windows or Appliance):

Use the certificate-manager utility:

  1. vCenter Server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager
  2. Windows vCenter Server: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
  3. Select Option 8 (Reset all Certificates) to regenerate all certificates with VMCA-signed certificates.
  4. For detailed steps, see Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA.

Step 3: Verify resolution

  1. Restart all vCenter services:
     service-control --stop --all && service-control --start --all
  2. Confirm all services start successfully:
     service-control --status --all
  3. Access the vSphere Client and verify you can log in.

Additional Information

Impact/Risks:

  • If issues occur during certificate replacement, the vCenter Server may become inaccessible. Ensure you have a valid snapshot before proceeding.
  • The VMDIR LDAP directory may also fail to update properly and may need to be repaired. See Using the 'lsdoctor' Tool.