Certificate replacement on vCenter Server fails at 85% while starting services with error: path length constraint exceeded
Article ID: 369855

Products

VMware vCenter Server

Issue/Introduction

  • Replacing a custom certificate on vCenter Server fails while starting services if there are multiple CA certificates in the chain
  • /var/log/vmware/vmcad/certificate-manager.log:

Service-control failed. Error: Failed to start services in profile ALL. RC=1, stderr=Failed to start sps, updatemgr, vsphere-ui, vstats, hvc, topologysvc, certificatemanagement, vpxd-svcs services. Error: Operation timed out

2024-06-11T09:09:39.125Z ERROR certificate-manager  None
2024-06-11T09:09:39.125Z ERROR certificate-manager  Error while starting services, please see service-control log for more details
2024-06-11T09:09:39.125Z ERROR certificate-manager  Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2024-06-11T09:09:39.125Z ERROR certificate-manager  {
    "detail": [
        {
            "id": "install.ciscommon.command.errinvoke",
            "translatable": "An error occurred while invoking external command : '%(0)s'",
            "args": [
                "None"
            ],
            "localized": "An error occurred while invoking external command : 'None'"
        },
        "Error while starting services, please see service-control log for more details"
    ],
    "componentKey": null,
    "problemId": null,
    "resolution": null
}
2024-06-11T09:09:39.126Z INFO certificate-manager  Performing rollback of Root Cert...

  • /var/log/vmware/vmon/vmon.log:

2024-06-11T08:44:07.475Z Wa(03) host-2258494 <vpxd-svcs> Service pre-start command's stderr: Traceback (most recent call last):
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494   File "/usr/lib/vmware-vpxd-svcs/scripts/linux/pre-start/main.py", line 202, in <module>
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494     endpoint_registration_runner()
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494   File "/usr/lib/vmware-vpxd-svcs/scripts/linux/pre-start/main.py", line 90, in endpoint_registration_runner
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494
2024-06-11T08:44:07.475Z Wa(03) host-2258494 <vpxd-svcs> Service pre-start command's stderr:     UpdateTaggingServiceGrpcEndpoint(logger).run()
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494   File "/usr/lib/vmware-vpxd-svcs/scripts/linux/pre-start/tagging_grpc_registration.py", line 51, in run
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494     self.update_endpoints()
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494   File "/usr/lib/vmware-vpxd-svcs/scripts/linux/pre-start/tagging_grpc_registration.py", line 80, in update_endpoints
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494
2024-06-11T08:44:07.475Z Wa(03) host-2258494 <vpxd-svcs> Service pre-start command's stderr:     ls_obj = LookupServiceClient(ls_url, retry_count=5)
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494   File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 314, in __init__
2024-06-11T08:44:07.475Z Wa(03)+ host-2258494

2024-06-11T08:44:07.477Z Wa(03) host-2258494 <vpxd-svcs> Service pre-start command's stderr:     return self.sslsocket_class._create(
2024-06-11T08:44:07.477Z Wa(03)+ host-2258494   File "/usr/lib/python3.10/ssl.py", line 1070, in _create
2024-06-11T08:44:07.477Z Wa(03)+ host-2258494
2024-06-11T08:44:07.477Z Wa(03) host-2258494 <vpxd-svcs> Service pre-start command's stderr:     self.do_handshake()
2024-06-11T08:44:07.477Z Wa(03)+ host-2258494   File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
2024-06-11T08:44:07.477Z Wa(03)+ host-2258494
2024-06-11T08:44:07.477Z Wa(03) host-2258494 <vpxd-svcs> Service pre-start command's stderr:     self._sslobj.do_handshake()
2024-06-11T08:44:07.477Z Wa(03)+ host-2258494 ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: path length constraint exceeded (_ssl.c:997)
Cause

The problem arises because the Basic Constraints extension of the Root CA certificate includes a pathLenConstraint of 0. A pathLenConstraint of zero indicates that no intermediate CA certificates may follow in a valid certification path, so a chain with one or more intermediate CAs beneath this root cannot be verified.

The pathlen value in the root or chain certificate can be checked as follows:

    • Using Openssl CLI:
      • openssl x509 -in root.cer -noout -text | grep pathlen
    • Windows:
      • Save the certificate on local machine and open using Crypto Shell Extensions

Resolution

To resolve this issue:

  • Regenerate the Custom CA Root certificate without the Path Length Constraint parameter.
  • (Optional) If there are other Intermediate Certificates in the chain, ensure that the same parameter is not present on them either.
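As an added example (not code from the KB article or from VMware's tooling), the following stdlib-only Python reproduces the check described in the Cause section and shows why the Resolution works: it decodes the DER-encoded Basic Constraints extension value (OID 2.5.29.19) of each certificate in a chain and reports every CA certificate whose pathlen is exceeded by the number of intermediate CAs beneath it. The subject names and the DER byte strings are constructed for the example; in practice the extension value is taken from the certificate itself (for instance via `openssl x509 -text` as shown above, or a library such as cryptography).

```python
"""Report RFC 5280 pathLenConstraint violations in a CA chain.

Added example, not part of the original KB article. Certificates are modelled as
(subject, basic_constraints_der) tuples; all values below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV starting at buf[pos]; return (tag, value, next_pos).

    Short and long definite-length forms are handled; that is all a
    BasicConstraints value ever needs.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BasicConstraints:
    ca: bool
    path_len: Optional[int]                 # None means the constraint is absent (unlimited)


def parse_basic_constraints(der: bytes) -> BasicConstraints:
    """Decode BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER OPTIONAL } from its DER extnValue."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("BasicConstraints must be a SEQUENCE")
    ca, path_len, pos = False, None, 0
    while pos < len(seq):
        tag, val, pos = _read_tlv(seq, pos)
        if tag == 0x01:                     # BOOLEAN cA
            ca = val != b"\x00"
        elif tag == 0x02:                   # INTEGER pathLenConstraint
            path_len = int.from_bytes(val, "big", signed=True)
    return BasicConstraints(ca, path_len)


def find_pathlen_violations(chain: List[Tuple[str, bytes]]) -> List[str]:
    """chain is ordered root -> intermediates -> leaf.

    For every CA certificate, the number of intermediate CA certificates below
    it (the leaf is not counted) must not exceed its pathlen. Returns one
    message per violated constraint; an empty list means the chain passes.
    """
    problems = []
    n_ca = len(chain) - 1                   # every cert except the leaf must be a CA
    for i, (subject, bc_der) in enumerate(chain[:-1]):
        bc = parse_basic_constraints(bc_der)
        if not bc.ca:
            problems.append(f"{subject}: CA:FALSE but used to issue certificates")
            continue
        intermediates_below = n_ca - i - 1
        if bc.path_len is not None and intermediates_below > bc.path_len:
            problems.append(f"{subject}: pathlen:{bc.path_len} but "
                            f"{intermediates_below} intermediate CA certificate(s) follow it")
    return problems


# Constructed DER extnValues (SEQUENCE { BOOLEAN cA, INTEGER pathLenConstraint }).
CA_NO_PATHLEN = bytes.fromhex("30030101ff")          # CA:TRUE, no pathlen
CA_PATHLEN_0 = bytes.fromhex("30060101ff020100")     # CA:TRUE, pathlen:0
CA_PATHLEN_1 = bytes.fromhex("30060101ff020101")     # CA:TRUE, pathlen:1
END_ENTITY = bytes.fromhex("3000")                   # empty SEQUENCE -> cA defaults to FALSE


def failing_chain() -> List[Tuple[str, bytes]]:
    """The situation from the KB: root with pathlen:0 above an intermediate CA (constructed names)."""
    return [("CN=Custom Root CA", CA_PATHLEN_0),
            ("CN=Custom Issuing CA", CA_NO_PATHLEN),
            ("CN=vcenter.example.com", END_ENTITY)]


def fixed_chain() -> List[Tuple[str, bytes]]:
    """Same chain after the root was regenerated without the path length constraint."""
    return [("CN=Custom Root CA", CA_NO_PATHLEN),
            ("CN=Custom Issuing CA", CA_NO_PATHLEN),
            ("CN=vcenter.example.com", END_ENTITY)]


if __name__ == "__main__":
    for label, chain in (("before", failing_chain()), ("after", fixed_chain())):
        print(f"{label}: {find_pathlen_violations(chain) or 'chain OK'}")
```

Run as a script, the "before" chain reports the root's pathlen:0 being exceeded by the one intermediate CA below it, which is exactly the condition that makes the Python `ssl` handshake in vmon.log fail with "path length constraint exceeded"; the "after" chain passes. The same evaluator also catches a root with pathlen:1 above two intermediates, which the CLI grep alone would not flag as a problem.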