Error "503 Service Unavailable" when attempting to access the vSphere Client due to Machine SSL IP address mismatch.
Article ID: 399590

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • vSphere Client is not accessible

  • Several vCenter services are not able to start

  • vCenter is using an IP address as primary network identifier (PNID)
  • Logs indicate an issue during service pre-start certificate verification:

    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx <vpxd-svcs> Service pre-start command's stderr: Traceback (most recent call last):
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware-vstats/scripts/vstats_pre_start.py", line 208, in <module>
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx patch_authz()
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware-vstats/scripts/vstats_pre_start.py", line 168, in patch_authz
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx authz_patch = AuthzPatch()
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware-vstats/scripts/vstats_pre_start.py", line 61, in __init__ ls_obj = LookupServiceClient(ls_url, retry_count=1)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 314, in __init__ self._init_service_content()
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 294, in do_retry return req_method(self, *args, **kargs)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware/site-packages/cis/cisreglib.py", line 304, in _init_service_content self.service_content = si.RetrieveServiceContent()
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware/site-packages/pymomi/VmomiSupport.py", line 598, in <lambda> self.f(*(self.args + (obj,) + args), **kwargs)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware/site-packages/pymomi/VmomiSupport.py", line 388, in _InvokeMethod return self._stub.InvokeMethod(self, info, args)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware/site-packages/pyvmomi/SoapAdapter.py", line 1528, in InvokeMethod conn.request('POST', self.path, req, headers)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/python3.7/http/client.py", line 1281, in request self._send_request(method, url, body, headers, encode_chunked)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/python3.7/http/client.py", line 1327, in _send_request self.endheaders(body, encode_chunked=encode_chunked)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/python3.7/http/client.py", line 1276, in endheaders self._send_output(message_body, encode_chunked=encode_chunked) File "/usr/lib/python3.7/http/client.py", line 1036, in _send_output self.send(msg)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/python3.7/http/client.py", line 976, in send
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx self.connect()
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/vmware/site-packages/pyvmomi/SoapAdapter.py", line 1144, in connect
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx six.moves.http_client.HTTPSConnection.connect(self)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/python3.7/http/client.py", line 1451, in connect server_hostname=server_hostname)
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/python3.7/ssl.py", line 423, in wrap_socket
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx session=session
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/python3.7/ssl.py", line 870, in _create self.do_handshake()
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx File "/usr/lib/python3.7/ssl.py", line 1139, in do_handshake
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx self._sslobj.do_handshake()
    yyyy-mm-ddThh:mm:ss.xxxx Wa(03) host-xxxx ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: IP address mismatch, certificate is not valid for '<IP_ADDRESS>'. (_ssl.c:1076)

Environment

vCenter Server 7.X
vCenter Server 8.X

Cause

The Machine SSL certificate does not contain valid IP address information.
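The following added example (not part of the original article and not VMware code) shows the rule behind the "IP address mismatch" error: when a TLS client connects to an IP address, only `IP Address` entries in the certificate's Subject Alternative Name are compared, so an IP placed in a `DNS` entry or in the Common Name does not satisfy the check. It assumes a certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`; the function name `diagnose_ip_pnid` and all sample values are constructed for illustration.

```python
import ipaddress


def _as_ip(text):
    """Parse text as an IPv4/IPv6 address, or return None if it is not one."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def diagnose_ip_pnid(cert, pnid):
    """Classify how (or whether) an IP-based PNID appears in a certificate.

    cert: dict shaped like ssl.SSLSocket.getpeercert() output.
    pnid: the IP address clients connect to; raises ValueError if not an IP.
    """
    target = ipaddress.ip_address(pnid)
    san = cert.get("subjectAltName", ())

    # Only these entries count when the client verifies an IP address.
    if target in [_as_ip(v) for k, v in san if k == "IP Address"]:
        return "ok"
    # Common mis-issuance: the IP was entered as a DNS name in the SAN.
    if target in [_as_ip(v) for k, v in san if k == "DNS"]:
        return "ip-in-dns-san"
    # The Common Name is not consulted for IP verification.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if target in [_as_ip(v) for v in cns]:
        return "ip-in-cn-only"
    return "ip-missing"


# Constructed sample certificates (documentation address range, test domain).
GOOD = {"subject": ((("commonName", "vcsa.example.test"),),),
        "subjectAltName": (("DNS", "vcsa.example.test"), ("IP Address", "192.0.2.10"))}
DNS_ONLY = {"subject": ((("commonName", "192.0.2.10"),),),
            "subjectAltName": (("DNS", "192.0.2.10"),)}
CN_ONLY = {"subject": ((("commonName", "192.0.2.10"),),),
           "subjectAltName": (("DNS", "vcsa.example.test"),)}
OLD_IP = {"subject": ((("commonName", "vcsa.example.test"),),),
          "subjectAltName": (("IP Address", "192.0.2.99"),)}

if __name__ == "__main__":
    for name, cert in [("GOOD", GOOD), ("DNS_ONLY", DNS_ONLY),
                       ("CN_ONLY", CN_ONLY), ("OLD_IP", OLD_IP)]:
        print(name, diagnose_ip_pnid(cert, "192.0.2.10"))
```

Any result other than `ok` corresponds to a certificate that a verifying client will reject when it connects by IP address. Note that `getpeercert()` returns an empty dict when the peer certificate was not validated.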

Resolution

Important note:
Before taking any action, ensure fresh backups/snapshots have been taken.
If the vCenter is part of an Enhanced Linked Mode environment, see: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice

To resolve this issue, replace the invalid vCenter Machine SSL certificate from the command line using vSphere Certificate Manager: 318946 - Using vSphere Certificate Manager to Replace SSL Certificates

Alternatively, you can perform the certificate replacement by using the vCert script: 385107 - vCert - vCenter certificate replacement script

Additional Information