Unable to refresh/renew ESXi certificate from vCenter (for both VMCA and custom)
Article ID: 377969
Products

  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0
  • VMware vSphere ESXi 7.0
  • VMware vSphere ESXi 8.0

Issue/Introduction

Symptoms:

  • The ESXi certificate shows an expired status in the vCenter GUI; expired certificates appear in the GUI after a vCenter patch/upgrade.
  • Right-click ESXi Host in Inventory > Certificates > Renew/Refresh Certificate does not work, although the renew/refresh task shows as completed.
  • vpxd logs show events for the ESXi host such as "unable to get local issuer certificate" and "unable to verify the first certificate".
  • The host was disconnected because of the expired ESXi certificate after a vCenter patch/upgrade, and reconnecting fails.

Environment

  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 8.0.x
  • VMware vSphere ESXi 7.0.x
  • VMware vSphere ESXi 8.0.x

Cause

  • vCenter was upgraded/patched without first renewing the expired certificates on the ESXi hosts.

Resolution

Option 1:

  • If vpxd.certmgmt.mode is "thumbprint", set vpxd.certmgmt.mode to "vmca" or "custom", then restart the vpxd service.
  • Try to refresh/renew the ESXi certificate via vCenter: right-click the ESXi host in Inventory > Certificates > Renew/Refresh Certificate.

Option 2:

Note: Use this method only when the ESXi certificate cannot be renewed/refreshed via vCenter using right-click ESXi Host in Inventory > Certificates > Refresh/Renew Certificate.

  1. Disconnect the ESXi host from vCenter
  2. Regenerate certificates
    • For Custom certificates
      • Create CSR configuration file
        • cd /tmp
        • vi csr.cnf
        • Paste the following content into csr.cnf and replace the quoted placeholder values with the details of the server that you are configuring (ask the customer to fill it).
          [ req ]
          default_bits = 2048
          default_keyfile = rui.key
          distinguished_name = req_distinguished_name
          encrypt_key = no
          prompt = no
          string_mask = nombstr
          req_extensions = v3_req

          [ v3_req ]
          basicConstraints = CA:FALSE
          keyUsage = digitalSignature, keyEncipherment, dataEncipherment
          extendedKeyUsage = serverAuth, clientAuth
          subjectAltName = DNS:"ServerName.domain.com", DNS:"ServerShortName", IP:"ServerIPAddress"

          [ req_distinguished_name ]
          countryName = "Country (two-letter code alpha-2)"
          stateOrProvinceName = "State (two-letter code)"
          localityName = "City"
          0.organizationName = "Company Name"
          organizationalUnitName = "Company Unit Name"
          commonName = "server.domain.com"
        • :wq! (save and close the file).

      • Backup current key and certificate.
        • cd /etc/vmware/ssl/
        • mv rui.crt rui.crt.bak
        • mv rui.key rui.key.bak
      • Run the following command to generate the private key
        • cd /tmp
        • openssl genrsa -out rui.key 2048
      • Run the following command to generate the CSR from that key (-key reuses rui.key from the previous step; -keyout would silently generate a new key instead)
        • cd /tmp
        • openssl req -new -key rui.key -out rui.csr -config csr.cnf
      • Give the .csr and .key to the customer to generate the .crt file
      • Rename the .crt file to rui.crt and copy it to /tmp on the ESXi host.
      • Move the rui.key and rui.crt to /etc/vmware/ssl/ and restart management agents & rhttpproxy.
        • cd /tmp
        • mv rui.key /etc/vmware/ssl/
        • mv rui.crt /etc/vmware/ssl/
        • /etc/init.d/hostd restart
        • /etc/init.d/vpxa restart
        • /etc/init.d/rhttpproxy restart
    • For VMCA certificates
      • Run the following commands to generate the certificate and restart management agents & rhttpproxy.
        • /sbin/generate-certificates
        • /etc/init.d/hostd restart
        • /etc/init.d/vpxa restart
        • /etc/init.d/rhttpproxy restart
  3. Reconnect the ESXi host to vCenter
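The custom-certificate steps above, scripted as an added example that is not part of this KB: write_csr_cnf fills in the csr.cnf template, and check_pair verifies that the .crt the customer returns belongs to rui.key, is not close to expiry, and carries the host FQDN in its SAN, before anything is moved into /etc/vmware/ssl/. The function names and the sample host values are assumptions.

```sh
#!/bin/sh
# Added helper, not part of the KB: fills in the csr.cnf template from the
# procedure above and validates the returned rui.crt against rui.key before
# anything is moved into /etc/vmware/ssl/. Function names are hypothetical.
set -eu

# write_csr_cnf OUTFILE FQDN SHORTNAME IP COUNTRY STATE CITY ORG OU
write_csr_cnf() {
  cat > "$1" <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$2, DNS:$3, IP:$4

[ req_distinguished_name ]
countryName = $5
stateOrProvinceName = $6
localityName = $7
0.organizationName = $8
organizationalUnitName = $9
commonName = $2
EOF
}

# check_pair CRT KEY FQDN: returns 0 only if the certificate is safe to install
check_pair() {
  # the CA-issued cert must belong to the key generated on this host,
  # otherwise the host's TLS endpoint cannot load the pair after the restart
  [ "$(openssl x509 -noout -modulus -in "$1")" = \
    "$(openssl rsa -noout -modulus -in "$2")" ] ||
    { echo "cert/key mismatch" >&2; return 1; }
  # must stay valid for at least 30 days, or the KB symptom recurs soon
  openssl x509 -noout -checkend 2592000 -in "$1" >/dev/null ||
    { echo "certificate expires within 30 days" >&2; return 1; }
  # vCenter connects by FQDN, so it must appear in the SAN
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$3" ||
    { echo "SAN lacks DNS:$3" >&2; return 1; }
}
```

Run write_csr_cnf in /tmp in place of the manual vi step, hand rui.csr to the customer, and run check_pair on the returned rui.crt before the mv into /etc/vmware/ssl/ and the agent restarts.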
