Deploying NSX VIBs fails on the ESXi host after changing the vCenter Server certificates
search cancel

Deploying NSX VIBs fails on the ESXi host after changing the vCenter Server certificates

book

Article ID: 344898

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:
After changing the vCenter Server certificates in a VMware NSX for vSphere 6.2.x environment, , you experience these symptoms:

  • Deploying the NSX VIBs on the ESXi host fails
  • The WCP service fails to start on vCenter Server 7.0
  • Running the show log command on the NSX Manager console reports entries similar to:

    GMT ERROR taskScheduler-15 InstallTask:190 - error while creating eam agency for deployment com.vmware.vim.binding.eam.fault.NoConnectionToVCenter: inherited from com.vmware.vim.binding.eam.fault.EamRuntimeFault: inherited from com.vmware.vim.binding.eam.fault.NoConnectionToVCenter

    For more information, see Collecting diagnostic information for VMware NSX for vSphere 6.x (2074678).

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.



Environment

VMware NSX for vSphere 6.2.x

Cause

This issue occurs because the EAM agent fails to log in to the vCenter Server due to new certificates.

Resolution

To resolve this issue, follow the below procedure.

 
On vCenter Server for Windows:
  1. Connect to vCenter Server through a Console or Remote desktop session.
  2. Open an elevated command prompt.
  3. Create a temporary directory named c:\certificate.
  4. Run this command to retrieve the vpxd-extension solution user certificate and key:

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output c:\certificate\vpxd-extension.crt

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output c:\certificate\vpxd-extension.key

     
  5. Navigate to C:\Program Files\VMware\vCenter Server\vpxd\scripts:

    cd C:\Program Files\VMware\vCenter Server\vpxd\scripts

    Note: The path listed is for a default install of vCenter Server. If you have customized the install location of vCenter Server, change the directory accordingly.
     
  6. Run this command to update the extension's certificate with vCenter Server:

    "%VMWARE_PYTHON_BIN%" updateExtensionCertInVC.py -e com.vmware.vim.eam -c C:\Certificate\vpxd-extension.crt -k C:\Certificate\vpxd-extension.key -s localhost -u Administrator@domain.local
Note: If this produces the error "Hostname mismatch, certificate is not valid for 'localhost'", change 'localhost' to the FQDN or IP of the vCenter. The process is checking this value against the SAN entries of the certificate.
Note: The default user and domain is [email protected]. If this was changed during configuration, change the domain to match your environment.
 
  1. When prompted, enter the [email protected] password.
  2. Navigate to the C:\Program Files\VMware\vCenter Server\bin folder:

    cd C:\Program Files\VMware\vCenter Server\bin
     
  3. Restart the VMware ESX Manager service with these commands:


    For more information on managing service in the vCenter Server Appliance, see Stopping, starting, or restarting VMware vCenter Server Appliance 6.0 services (2109887).
    • service-control --stop EsxAgentManager
    • service-control --start EsxAgentManager
 
On the vCenter Server Appliance:
  1. Log in to the vCenter Server Appliance using SSH.
  2. Run this command to enable access the Bash shell:

    shell.set --enabled true
     
  3. Type shell and press Enter.
  4. Run this command to retrieve the vpxd-extension solution user certificate and key:

    mkdir /certificate

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key

     
  5. Run this command to update the extension's certificate with vCenter Server.

    python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s localhost -u Administrator@domain.local
Note: If this produces the error "Hostname mismatch, certificate is not valid for 'localhost'", change 'localhost' to the FQDN or IP of the vCenter. The process is checking this value against the SAN entries of the certificate.
Note: The default user and domain is [email protected]. If this was changed during configuration, change the domain to match your environment. When prompted, type in the Administrator@domain.local password.
 
  1. Restart the VMware ESX Manager service with these commands:

    For more information on managing service in the vCenter Server, see Stopping, starting, or restarting VMware vCenter Server 6.0 services (2109881).
    • service-control --stop vmware-eam
    • service-control --start vmware-eam
       



Additional Information