In the vCenter 8.0 U3 API Explorer, executing GET or PUT commands to manage TLS profiles brings up a pop-up box requesting credentials. Even when local SSO admin credentials are entered, the request fails with the error "UNAUTHENTICATED": no proper output is returned and the changes do not complete.
In the logs you may see the following:
/var/log/vmware/envoy/envoy-access-#.log
2025-04-15T17:45:28.119Z GET /apigw/rest/api/appliance/tls/profiles/global 401 via_upstream - 0 131 zstd 833 832 0 10.11.115.146:62997 HTTP/2 TLSv1.2 10.254.119.20:443 127.0.0.1:34814 HTTP/1.1 - 127.0.0.1:5090
/var/log/vmware/applmgmt/applmgmt.log
2025-04-15T17:42:08 PM CET [9446]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token
Traceback (most recent call last):
File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 507, in validate
self.validate_certificate()
File "/usr/lib/applmgmt/lib/extensions/py/vmware/appliance/extensions/authentication/authentication_sso.py", line 709, in validate_certificate
raise AuthenticationError(
vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certificates cannot be verified.
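The two log signatures above can be checked together. The following Python sketch is an added example, not VMware or Broadcom tooling; it assumes the envoy access line starts with timestamp, method, path and status as in the excerpt, and the function names and constructed sample lines are hypothetical.

```python
import re

# Leading envoy access-log fields, in the order of the sample line on this page:
# timestamp, method, path, status. Later fields are not interpreted.
ENVOY_RE = re.compile(r"^(\S+) (GET|PUT) (/apigw/rest/api/appliance/tls/profiles\S*) (\d{3})\s")
HOK_RE = re.compile(r"^(\S+).*ERROR:vmware\.appliance\.vapi\.auth:Could not parse HOK Token")
NEW_ENTRY = re.compile(r"^\d{4}-\d\d-\d\dT")  # next timestamped entry ends a traceback
CERT_KEY = "Oneormorecertificatescannotbeverified"  # message with whitespace removed

def rejected_tls_calls(envoy_lines):
    """(timestamp, method, path) of TLS-profile API calls answered with 401."""
    matches = (ENVOY_RE.match(line) for line in envoy_lines)
    return [m.group(1, 2, 3) for m in matches if m and m.group(4) == "401"]

def hok_cert_failures(applmgmt_lines):
    """Timestamps of HOK-token errors whose traceback carries the certificate message."""
    hits = []
    for i, line in enumerate(applmgmt_lines):
        m = HOK_RE.match(line)
        if not m:
            continue
        block = []
        for follow in applmgmt_lines[i + 1:]:
            if NEW_ENTRY.match(follow):
                break
            block.append(follow)
        # Drop all whitespace so a message wrapped across lines still matches.
        if CERT_KEY in re.sub(r"\s+", "", "".join(block)):
            hits.append(m.group(1))
    return hits

def matches_symptom(envoy_lines, applmgmt_lines):
    """True only when both log signatures from this article are present."""
    return bool(rejected_tls_calls(envoy_lines)) and bool(hok_cert_failures(applmgmt_lines))

# Sample input: abridged from the excerpts in this article, plus constructed lines.
SAMPLE_ENVOY = [
    "2025-04-15T17:45:28.119Z GET /apigw/rest/api/appliance/tls/profiles/global 401 via_upstream - 0 131",
    "2025-04-15T17:46:02.004Z GET /apigw/rest/api/appliance/tls/profiles/global 200 via_upstream - 0 131",  # constructed
]
SAMPLE_APPLMGMT = [
    "2025-04-15T17:42:08 PM CET [9446]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token",
    "Traceback (most recent call last):",
    "vmware.appliance.extensions.authentication.authentication_sso.AuthenticationError: One or more certif",
    "icates cannot be verified.",
    "2025-04-15T17:43:00 PM CET [9446]ERROR:vmware.appliance.vapi.auth:Could not parse HOK Token",  # constructed
    "ValueError: constructed, unrelated failure",
]

if __name__ == "__main__":
    print(rejected_tls_calls(SAMPLE_ENVOY), hok_cert_failures(SAMPLE_APPLMGMT))
```

Pass it the lines of the envoy-access and applmgmt logs from the paths above. A match confirms the logged symptom only; it does not inspect the STS certificate itself.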
vCenter Server 8.0 U3
The STS certificate may have been carried over from legacy builds and be formatted in a way that keeps certain functions/features from working properly in vCenter 8.0 U3. We have seen this happen when vCenter servers have been upgraded over time from 6.x to 7.x, and then to 8.x. Some issues also become present within 7.x.
Note: There is currently no way for us to detect/compare the STS cert for these types of issues.
Note: The steps below will require downtime for the VCSA(s); vCenter services will be restarted. Please make sure to schedule a maintenance window, if necessary, to perform these steps.
Renew ("Refresh") the STS certificate using either the vSphere Client UI or the vCert tool.