vCenter Server login failure or services fail to start due to expired certificates
search cancel

vCenter Server login failure or services fail to start due to expired certificates

book

Article ID: 344201

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

  • Unable to log in to vCenter Server — the vSphere Client UI hangs or spins indefinitely after entering credentials
  • 503 Service Unavailable error when accessing vCenter Server
  • no healthy upstream error when accessing vCenter Server
  • [500] An error occurred while fetching identity providers error on the login page

Additional Symptoms Reported

  • 503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x...] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe)
  • [400] An error occurred while sending an authentication request to the vCenter Single Sign-On server
  • Signing certificate is not valid
  • Warnings in the vCenter interface show that certificates are expiring soon
  • Services such as vpxd, vpxd-svcs, etc, fail to start after vCenter reboot
  • vCert Option 1 shows expired certificates such as Machine certificate, Solution User certificates, CA certificate(s), SMS certificates, data-encipherment certificate, and/or STS certificates.
  • VDT output shows expired certificates.

 

Environment

  • vCenter 6.x
  • vCenter 7.x
  • vCenter 8.x
  • vCenter 9.x

Cause

One or more required vCenter Server certificates have expired, preventing services from starting or authenticating properly.

Resolution

Prerequisites

  • Caution: Before proceeding, take a backup or create a powered-off virtual machine snapshot of the vCenter Server.
  • For standalone vCenter: Take a snapshot of the vCenter VM (recommended from the host).
  • For Enhanced Linked Mode (ELM): Power off all linked vCenter Servers simultaneously and take a snapshot of each node (recommended from the hosts). See VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice.
  • For vCenter HA (VCHA): Remove (destroy) the VCHA configuration before taking snapshots.

Step 1: Verify certificate expiration

  1. Connect to the vCenter Server Appliance via SSH as root.
  2. Check for expired certificates:

    Run the following command to check certificate expiration dates:

     for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

    OR

    Run vCert:

    Option 1: Check current certificate status to identify expired certificates.

    Review the output. If any "Not After" dates are in the past, or vCert output says Expired, certificates have expired.
  3. Additionally, check the STS certificate expiration. See Checking Expiration of STS Certificate on vCenter Server.

Step 2: Replace expired certificates

For vCenter 7.x, 8.x, and 9.x -

Use the vCert tool to identify which certificates are expired and replace them:

  1. Download and install vCert per the instructions in vCert - Scripted vCenter Expired Certificate Replacement.

  2. Run vCert and select Option 1: Check current certificate status to identify expired certificates. Based on the results:

    1. If multiple certificate types have expired, select Option 6: Reset all certificates with VMCA-signed certificates.
    2. If only specific certificates have expired, use Option 3: Manage Certificates to replace only the affected certificates, with the following options:

      1. Machine SSL certificate                                
2. Solution User certificates                             
3. CA certificates in VMware Directory
4. CA certificates in VECS Directory
5. SMS certificates                                             
6. Data Encipherment certificate                      
7. vCenter Extension thumbprints
8. STS signing certificates                                 
9. VMCA certificate
10. Smart Card CA certificates
11. LDAPS Identity Source certificates
       

    Note: Due to known issues with the built-in certificate-manager tool in vCenter 8.0, the vCert tool is the recommended method for expired certificate replacement.

For vCenter 6.x (Windows or Appliance) -

Use the certificate-manager utility:

  1. vCenter Server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager
  2. Windows vCenter Server: C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
  3. Select Option 8 (Reset all Certificates) to regenerate all certificates with VMCA-signed certificates.
  4. For detailed steps, see Regenerate vSphere 6.x, 7.x, and 8.0 certificates using self-signed VMCA.

Step 3: Verify resolution

  1. Restart all vCenter services:   service-control --stop --all && service-control --start --all
  2. Confirm all services start successfully:   service-control --status --all
  3. Access the vSphere Client and verify you can log in.

Additional Information

Impact/Risks:

  • If issues occur during certificate replacement, the vCenter Server may become inaccessible. Ensure you have a valid snapshot before proceeding.
  • The VMDIR LDAP directory may also fail to update properly, so it may need to be repaired. See Using the 'lsdoctor' Tool

Related Articles:

VMware Docs: 

Contact Broadcom support

Powered by Wolken Software