Lifecycle Manager service is shutting down after replacing vCenter Machine SSL certificate with Custom Certificate Authority Signed Certificate
Article ID: 390313

Products

VMware vCenter Server
VMware Cloud Foundation

Issue/Introduction

  • Lifecycle Manager is not available in the vSphere Client.
  • When checking on the CLI, the vmware-updatemgr service appears stopped.
  • Attempting to start the service manually succeeds, but the service shuts down again after a couple of seconds.
  • The vCenter logs show errors similar to the following:

    /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log
    yyyy-mm-ddThh:mm:ss.Z warning vmware-vum-server[xxxxx] [Originator@6876 sub=IO.Connection] Failed to SSL handshake; SSL(<io_obj p:0x0000000000000000, h:49, <TCP '127.0.0.1 : 40834'>, <TCP '127.0.0.1 : 443'>>), 
    e: xxxxxxxxx(certificate verify failed), duration: 20msec
    yyyy-mm-ddThh:mm:ss.Z warning vmware-vum-server[xxxxx] [Originator@6876 sub=HttpConnectionPool-000000] Failed to get pooled connection; <cs p:0000000000000000, SsoCustomConnectionSpec:<VC_FQDN>:443>, 
    SSL(<io_obj p:0x0000000000000000, h:49, <TCP '127.0.0.1 : 40834'>, <TCP '127.0.0.1 : 443'>>), duration: 54msec, N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
    --> PeerThumbprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX     # <=== This Thumbprint should match the Custom Machine SSL certificate
    --> ExpectedThumbprint:
    --> ExpectedPeerName: <VC_FQDN>
    --> The remote host certificate has these problems:
    -->
    --> * unable to get issuer certificate

Environment

VMware vCenter Server
VMware Cloud Foundation

Cause

The vLCM service shuts down when it attempts to sync with the HTTPS depot URL, because the connection to the vCenter Machine SSL certificate cannot be validated.

The "unable to get issuer certificate" error suggests an incomplete certificate chain in the vCenter Trusted Root Store.

Resolution

Ensure that the full certificate chain (all intermediate CA and Root CA certificates) is present in the vCenter Trusted Root Store.

Once the missing CA certificate has been identified, it can be imported into vCenter through the vSphere Client:

Add a Trusted Root Certificate to the Certificate Store Using the vSphere Client

Additional Information