Sps and vpxd-svcs service fails to start due to expired Machine SSL Certificate on vCenter Server
search cancel

Sps and vpxd-svcs service fails to start due to expired Machine SSL Certificate on vCenter Server

book

Article ID: 396907

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • Following a vCenter restart or an attempt to start services, the sps or vpxd-svcs services fail to start and display the following errors.

Error executing start on service sps. Details {
    "detail": [
        {
            "id": "install.ciscommon.service.failstart",
            "translatable": "An error occurred while starting service '%(0)s'",
            "args": [
                "sps"
            ],
            "localized": "An error occurred while starting service 'sps'"
        }
    ],
    "componentKey": null,
    "problemId": null,
    "resolution": null
}
Service-control failed. Error: {
    "detail": [
        {
            "id": "install.ciscommon.service.failstart",
            "translatable": "An error occurred while starting service '%(0)s'",
            "args": [
                "sps"
            ],
            "localized": "An error occurred while starting service 'sps'"
        }
    ],
    "componentKey": null,
    "problemId": null,
    "resolution": null
}

  • In /var/log/vmware/vmon/vmon.log the below entries are seen:

[YYYY-MM-DDTHH:MM:SS] Wa(03) host-#### <vpxd-svcs> Service pre-start command's stderr: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1007)

Environment

vCenter 8.x

Cause

  • This issue can occur if the vCenter Server's Machine SSL certificate has expired.
  • You can verify the status of all certificates on the vCenter by running the following command:
    for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

Resolution

Replace the Machine SSL certificate using one of the following methods:


Option 1:

  • Replace the machine certificate using the vCert script.

    • Download and upload the vCert zip file to vCenter
      •  unzip -q vCert-6.0.0-20250218.zip
      • cd vCert-6.0.0-20250218
      • ./vCert.py
    • Use the following menu options to replace the machine certificate:

      3. Manage certificates
      1. Machine SSL certificate

Option 2:

 

Powered by Wolken Software