vCenter fails to replace certificates as lookup service does not update thumbprints.


Article ID: 409175


Products

VMware vCenter Server

Issue/Introduction

  • After a full certificate reset using option #6 of the vCert Tool (KB 385107), the services fail to start with the following errors.

Screenshot_1:

  • The same can be found from the VDT (KB 344917) report as well.



Screenshot_2:

Environment

7.0 U3

Cause

This happens because the lookup service is not syncing the updated certificate thumbprints into the database. As a result, the vpxd extension and other vCenter services cannot update their entries and fail to recognize the new certificates.
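The mismatch described above can be checked offline by comparing the thumbprint of the current machine SSL certificate with the certificate recorded for each service registration. The following is an added example, not code from this KB or from the vCert or VDT tools; the registration export format (service ID mapped to a base64 DER certificate), the service names and the use of SHA-1 thumbprints are assumptions, and the sample bytes are constructed placeholders rather than real certificates.

```python
import base64
import hashlib
import ssl


def thumbprint(der: bytes) -> str:
    """Colon-separated SHA-1 thumbprint of a DER-encoded certificate."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def stale_registrations(machine_ssl_pem: str, registrations: dict) -> dict:
    """Return {service_id: recorded_thumbprint} for entries that do not
    match the current machine SSL certificate.

    registrations maps a service ID to the base64-encoded DER certificate
    recorded for it (assumed export format, see lead-in).
    """
    current = thumbprint(ssl.PEM_cert_to_DER_cert(machine_ssl_pem))
    stale = {}
    for service_id, trust_b64 in registrations.items():
        recorded = thumbprint(base64.b64decode(trust_b64))
        if recorded != current:
            stale[service_id] = recorded
    return stale


# Constructed sample data: placeholder bytes stand in for DER certificates.
OLD_DER = b"constructed-old-machine-ssl-certificate"
NEW_DER = b"constructed-new-machine-ssl-certificate"
NEW_PEM = ssl.DER_cert_to_PEM_cert(NEW_DER)
SAMPLE_REGISTRATIONS = {
    # Hypothetical entry that still carries the pre-reset certificate.
    "sample-vpxd-extension": base64.b64encode(OLD_DER).decode(),
    # Hypothetical entry that already carries the new certificate.
    "sample-other-service": base64.b64encode(NEW_DER).decode(),
}

if __name__ == "__main__":
    found = stale_registrations(NEW_PEM, SAMPLE_REGISTRATIONS)
    for service_id, recorded in found.items():
        print(f"STALE {service_id}: recorded thumbprint {recorded}")
```

Any service ID the function returns still points at the old certificate and is a candidate for the resolution below.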

Resolution

To resolve the issue, promote the database manually by following KB article 313578, and then perform a certificate reset with option 8, as explained in KB 318767. After this, all certificates are replaced, the lookup service syncs the thumbprints, and vCenter services come up without errors.

If you are using a custom certificate, follow these steps:

  • Generate the CSR file and get it signed as per your requirement.

  • Once it is signed, follow the steps in KB article 316601 to replace the machine_ssl_certificate with the custom certificate: