Renewal of Solution User Certificates failed with error "Operation failed Unable to update machine-<vCenter Server UUID> solution user certificate in VMDir"

Article ID: 408481

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • The vCenter Server Solution User certificate renewal process fails when using the vCert script.

  • Running the script with the Manage Certificates option to replace Solution User certificates fails with the error below:

Replace Solution User Certificates
-----------------------------------------------------------------
Verifying Service Principal entries exist           ERROR

Operation failed: Unable to update machine-<VCenter UUID> solution user certificate in VMDir.

Environment

VMware vCenter Server 7.0.x

VMware vCenter Server 8.0.x

Cause

This issue is caused by a mismatch in the Machine ID of the vCenter Server. The UUID from the machine ID and the UUID in the vpxd service account name should match.

The VDT check confirms the Machine ID mismatch:

VC Machine ID Check

            [FAIL]    Machine ID Check
                        Machine ID doesn't match vpxd.cfg

                          Current MID: #38#######-####-####-####-##########7#6
                          Correct MID: #92#######-####-####-####-##########d#4

Resolution

Note: Take a snapshot of the vCenter Server without memory before proceeding with the steps below. If the vCenter Server is part of ELM, an offline snapshot of all nodes in the vSphere Domain is required.

  1. Check the correct machine ID.

    /opt/likewise/bin/lwregshell ls "[HKEY_THIS_MACHINE\Services\vmdir]" | grep MachineGuid | awk '{print $2,$NF}'

    "MachineGuid" "38#######-####-####-####-##########7#6"

  2. Validate the vpxd solution user with the command below:

    /usr/lib/vmware-vmafd/bin/dir-cli service list

    If the vpxd solution user does not match the machine ID, recreate the solution users using lsdoctor -u. Refer to Using the 'lsdoctor' Tool.

  3. Get the current machine ID of the vpxd service account:

    cat /etc/vmware-vpx/vpxd.cfg | grep -i "<name>vpxd"

    92#######-####-####-####-##########d#4


  4. The UUID of the machine ID [From Step 1] should match the UUID in the vpxd service account name [From Step 2]. In case of a mismatch, update the machine ID in vpxd.cfg to match the vpxd service account by running the following command:

    vi /etc/vmware-vpx/vpxd.cfg

            <name>vpxd-38#######-####-####-####-##########7#[email protected]</name>
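
The comparison made in steps 1 to 4, as an added read-only example that is not part of the original article or of the vCert/VDT tools. The function names are hypothetical, the sample UUIDs and the `vsphere.local` domain are constructed, and the numbered layout of the service list is an assumption.

```shell
#!/bin/sh
# Added example: read-only Machine ID consistency check.
# Function names and all sample values below are constructed for illustration.
UUID_RE='[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'

# Step 1: extract the GUID from lwregshell output on stdin, e.g.
#   /opt/likewise/bin/lwregshell ls "[HKEY_THIS_MACHINE\Services\vmdir]" | machine_guid
machine_guid() {
  grep -i 'MachineGuid' | grep -Eo "$UUID_RE" | head -n 1 | tr 'A-F' 'a-f'
}

# Steps 2 and 3: extract the UUID from the first "vpxd-<uuid>" name on stdin, e.g.
#   vpxd_uuid < /etc/vmware-vpx/vpxd.cfg
# "vpxd-extension-<uuid>" is skipped because "extension" is not 8 hex digits.
vpxd_uuid() {
  grep -Eo "vpxd-$UUID_RE" | head -n 1 | cut -d- -f2- | tr 'A-F' 'a-f'
}

# Step 4: compare two extracted values.
# Prints MATCH (returns 0), MISMATCH (returns 1) or UNKNOWN (returns 2, value missing).
compare_mid() {
  if [ -z "$1" ] || [ -z "$2" ]; then echo "UNKNOWN"; return 2; fi
  if [ "$1" = "$2" ]; then echo "MATCH"; return 0; fi
  echo "MISMATCH"; return 1
}

# Constructed sample inputs (not taken from a real system).
REG_SAMPLE='"MachineGuid" "11111111-2222-3333-4444-555555555555"'
CFG_SAMPLE='<name>vpxd-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee@vsphere.local</name>'
# Assumed layout of the service list: one numbered account name per line.
SVC_SAMPLE='1. machine-11111111-2222-3333-4444-555555555555
2. vpxd-11111111-2222-3333-4444-555555555555
3. vpxd-extension-11111111-2222-3333-4444-555555555555'

guid=$(printf '%s\n' "$REG_SAMPLE" | machine_guid)
svc=$(printf '%s\n' "$SVC_SAMPLE" | vpxd_uuid)
cfg=$(printf '%s\n' "$CFG_SAMPLE" | vpxd_uuid)
echo "MachineGuid vs vpxd service account: $(compare_mid "$guid" "$svc")"
echo "MachineGuid vs vpxd.cfg:             $(compare_mid "$guid" "$cfg")"
```

With the constructed samples, the service account matches the MachineGuid while vpxd.cfg does not, which is the state the article's step 4 corrects.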