"The SSL certificate of STS service cannot be verified" "KeyUsage does not allow key encipherment" error during vCenter Server Appliance 6.7 Upgrade



Article ID: 345459


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Upgrading vCenter Server Appliance 6.7 fails
  • In the firstbootStatus.json file, you see the error:
 
"failedSteps": "vmidentity-firstboot"
 
  • In the vmidentity-firstboot.py_####_stdout.log file, you see the error:
 
The SSL certificate of STS service cannot be verified

Note: vCenter Server Appliance - Firstboot logs are located in the /var/log/firstboot directory.
  • In the vmware-sts-idmd.log file, you see the error:

KeyUsage does not allow key encipherment

Note: vCenter Server Appliance - Each service has its own folder in the /var/log/vmware/ directory. The vmware-sts-idmd logs are located in the /var/log/vmware/sso folder.
 
To collect a log bundle or review log files:


Environment

VMware vCenter Server Appliance 6.7.x

Cause

This issue occurs because vCenter Server 6.7 enforces the Key Encipherment parameter under Key Usages on SSL certificates imported into vCenter Server.

Notes:
  • You may experience the same symptoms and the same log entries when upgrading Windows vCenter Server 6.7. In this case all certificates may already have the Key Encipherment parameter under Key Usages.
  • The issue here was due to an expired SSL certificate in the STS_INTERNAL_SSL_CERT store. Replacing this certificate with the current MACHINE_SSL certificate and key resolved the problem.

Resolution

To resolve this issue, ensure that all certificates imported into vCenter Server contain the Key Encipherment parameter under Key Usages.
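To verify a certificate before importing it, the following added example (not VMware tooling, and not code from this article) decodes the X.509 KeyUsage extension with only the Python standard library and reports whether the keyEncipherment bit that vCenter 6.7 enforces is set. The sample inputs are constructed KeyUsage extension bytes, not real vCenter certificates; the same functions accept a full PEM or DER certificate because they locate the extension by its OID.

```python
import base64
import re

# RFC 5280 KeyUsage bit names in bit order (bit 0 is the MSB of the first byte).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]
KEY_USAGE_OID = b"\x06\x03\x55\x1d\x0f"  # DER of OID 2.5.29.15 (id-ce-keyUsage)


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def pem_to_der(data):
    """Accept PEM or DER bytes and return DER bytes."""
    if b"-----BEGIN" in data:
        body = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S).group(1)
        return base64.b64decode(b"".join(body.split()))
    return data


def key_usage(cert):
    """Return the set of KeyUsage names asserted by the certificate,
    or None when no KeyUsage extension is present."""
    der = pem_to_der(cert)
    pos = der.find(KEY_USAGE_OID)  # the OID is unique enough to scan for
    if pos < 0:
        return None
    pos += len(KEY_USAGE_OID)
    if der[pos] == 0x01:           # optional 'critical' BOOLEAN (01 01 ff)
        pos += 3
    assert der[pos] == 0x04        # extnValue OCTET STRING
    _, pos = _der_len(der, pos + 1)
    assert der[pos] == 0x03        # BIT STRING inside it
    blen, pos = _der_len(der, pos + 1)
    unused, bits = der[pos], bytearray(der[pos + 1:pos + blen])
    bits[-1] &= (0xFF << unused) & 0xFF   # clear trailing unused bits
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i // 8 < len(bits) and bits[i // 8] & (0x80 >> (i % 8))}


def allows_key_encipherment(cert):
    """True when the certificate satisfies vCenter 6.7's Key Encipherment check."""
    ku = key_usage(cert)
    return ku is not None and "keyEncipherment" in ku


# Constructed samples: critical KeyUsage with digitalSignature+keyEncipherment,
# and a non-critical one with digitalSignature only (the failing case).
GOOD_EXT = bytes.fromhex("300e0603551d0f0101ff0404030205a0")
BAD_EXT = bytes.fromhex("300b0603551d0f040403020780")
GOOD_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(GOOD_EXT) + b"\n-----END CERTIFICATE-----\n"
```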

For more details on:

Additional Information

"Failed to check VMware STS. The SSL certificate of STS service cannot be verified" while upgrading VCSA from 6.5 to 6.7