Unable to review Machine SSL and Trusted root store in vSphere web client
Article ID: 401944
Updated On:
Products
Issue/Introduction
Symptoms:
- Navigating to vCenter > Menu > Administration > Certificate Management results in an error: 'Error occurred while fetching machine certificates: Service not found: com.vmware.vcenter.certificate_management.vcenter.tls'
- As a result, machine SSL and trusted root certificates cannot be viewed in using vSphere Client.
- The applmgmt.log (/var/log/vmware/applmgmt/applmgmt.log) contains the following entries:
[YYYY-MM-DDTHH:MM:SS] DEBUG: vmware. vherd. transport. authentication: Authentication Server Secret Renewed.
[YYYY-MM-DDTHH:MM:SS] INFO: vmware. vherd. transport. ssh_access_collector: [Unit Test] renewed 50 credits to post event
[YYYY-MM-DDTHH:MM:SS] INFO: vmware. vherd. transport. ssh_access_collector: [Unit Test]Start collecting from sshinfo. log
[YYYY-MM-DDTHH:MM:SS] ERROR:cis. vpxdevent_lib: Failed to get vcenter server endpoint urls. Err [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1007)
[YYYY-MM-DDTHH:MM:SS] ERROR: vmware. vherd. transport. post_sso_events: Failed to get vcenter server endpoint urls. Err [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1007)
Environment
- VMware vCenter Server
- VMware vSphere ESXi
Cause
- vmware-certificatemanagement service fails to start in a vCenter Server, it usually relates to certificate or trust store issues, expired certificates, permission/config errors, or service dependencies.
- From logs we see that Machine SSL verification failed due to certificate expiry and unable to start vpxd-svcs/ vmware-certificatemanagement.
Resolution
- Replace Machine SSL certificate referring to steps from: Using vSphere Certificate Manager to Replace SSL Certificates.
Additional Information
Use the new improved certificate management tool vCert - Scripted vCenter Expired Certificate Replacement for all certificate management/replacement workflow.
Feedback
