• Trying to login to vCenter VAMI or SSH using local SSO account "administrator@vsphere.local" get below error.
  • 
• In /var/log/vmware/applmgmt/applmgmt.log you might see below log snippets.

2024-09-18T16:16:02 PM AEST [44966]DEBUG:vmware.appliance.vapi.auth:Requesting bearer token for 'administrator@vsphere.local'
2024-09-18T16:18:42 PM AEST [44966]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token
Traceback (most recent call last):
  File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 507, in validate
    self.validate_certificate()
  File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 700, in validate_certificate
    'One or more certificates cannot be verified.')
vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.

VMware vCenter Server 7.x

VMware vCenter Server 8.x

This could occur due to expired STS certificate or multiple STS certs in STS certificate store due to which STS couldn't phrase the token for the user.

• Take snapshot of VC, if VC is in ELM make sure to take offline snapshot of all VCs.
• SSH to vCenter using root credentials.
• Check STS certificate using Checking Expiration of STS Certificate on vCenter Servers 
• If you see STS certificate as expired or more than 1 STS cert, refer below screenshot as a reference. 
  • 

• Renew the STS cert using steps in "Signing certificate is not valid" error in vCenter Server Appliance