WCP service fails to start after replacing certificates from SDDC manager

Article ID: 369834


Products

VMware vCenter Server
VMware SDDC Manager

Issue/Introduction

After configuring a Microsoft Certificate Authority (MSCA) and replacing certificates from SDDC Manager, the WCP service on vCenter fails to start.

WCP log:

XXXX-XX-XX:51.178Z error wcp [vcmonitor/view_monitor.go:145] [opID=ViewMon-HostSystem] WaitForUpdates for object HostSystem and view ContainerView:session[522b54e4-a909-0fd6-ea43-b944350d1838]523caeee-0a72-21a1-523c-9f69b8bedcd6 return error. Err Post https://vcenter.example.com:443/sdk: dial tcp 127.0.0.1:443: connect: connection refused
XXXX-XX-XX:51.378Z error wcp [vcmonitor/view_monitor.go:145] [opID=ViewMon-ClusterComputeResource] WaitForUpdates for object ClusterComputeResource and view ContainerView:session[522b54e4-a909-0fd6-ea43-b944350d1838]52326fc7-6697-1de3-14d3-35c0fdc6ca4e return error. Err Post https://vcenter.example.com:443/sdk: dial tcp 127.0.0.1:443: connect: connection refused
XXXX-XX-XX:.459Z info wcp [cmd/main.go:236] Initializing Wcp Service. pid=64294 build=18545854 change=9186859
XXXX-XX-XX:.858Z error wcp [ssolib/ssoadmin.go:110] Failed to create ssoadmin client; VIM url: https://vcenter.example.com:443/lookupservice/sdk, err: Post https://vcenter.example.com:443/sso-adminserver/sdk: x509: unhandled critical extension
XXXX-XX-XX:.858Z fatal wcp [ssolib/ssoadmin.go:56] Failed to retrieve system domain

Environment

VMware vCenter Server 7.0.x
VMware vCenter Server 8.0.x

Cause

The VCSA certificate was signed by a Certificate Authority that uses a critical extension unsupported by Golang.

Resolution

  • Regenerate the certificate template so that it does not use the critical extension 2.5.29.30 (Name Constraints).
  • Replace the certificates again.
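
A pre-check for the Resolution above, as an added example (not VMware's code): it parses a PEM bundle with Go's crypto/x509 and lists the certificates whose Name Constraints extension (2.5.29.30) is flagged critical, so a chain can be inspected before it is pushed from SDDC Manager. The function names and the self-signed test CAs built by sampleCA are constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CriticalNameConstraints lists the subject CN of each cert whose 2.5.29.30 extension is critical.
func CriticalNameConstraints(bundle []byte) ([]string, error) {
	var hits []string
	for b, rest := pem.Decode(bundle); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" { // skip keys or other PEM blocks in the bundle
			continue
		}
		cert, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		for _, ext := range cert.Extensions {
			if ext.Critical && ext.Id.String() == "2.5.29.30" {
				hits = append(hits, cert.Subject.CommonName)
			}
		}
	}
	return hits, nil
}

// sampleCA builds a constructed self-signed test CA; critical sets the Name Constraints flag.
func sampleCA(cn string, critical bool) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		BasicConstraintsValid: true, PermittedDNSDomains: []string{"example.com"}, PermittedDNSDomainsCritical: critical}
	der, err := x509.CreateCertificate(rand.Reader, t, t, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(CriticalNameConstraints(append(sampleCA("constructed-critical", true), sampleCA("constructed-noncritical", false)...)))
}
```

Against a real chain, read the PEM file exported from the issuing CA and pass its bytes to CriticalNameConstraints; an empty result means no certificate in the bundle marks 2.5.29.30 as critical.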