vCenter Server not visible in Enhanced Linked Mode inventory due to expired Machine SSL certificate

Article ID: 411400

Products

VMware vCenter Server

Issue/Introduction

  • One or more vCenter Servers fail to appear in the Enhanced Linked Mode (ELM) configuration, where other vCenter Servers may be visible.
  • Checking the affected vCenter Server reveals that multiple vCenter services are stopped and failing to start, such as:
    vmware-certificatemanagement, vmware-vpxd-svcs, vmware-topologysvc, vmware-vsan-health, vmware-hvc, vmware-sps, and vstats.

  • The affected vCenter Server does not show up in the vCenter Server inventory even though it is in Enhanced Linked Mode.
  • The vCenter UI shows the following error:
    Could not connect to one or more vCenter Server systems: https://<vCenter_fqdn>:443/sdk

  • The following error is logged in /var/log/vmware/vmon/vmon.log:
    File "/usr/lib/python3.7/ssl.py", line ##, in do_handshake
      self._sslobj.do_handshake()
    ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:###)

Environment

  • VMware vCenter Server 7.x
  • VMware vCenter Server 8.x

Cause

  • This occurs when the vCenter Server's Machine SSL certificate has expired, which prevents the vCenter Server from participating in Enhanced Linked Mode and causes vCenter services to fail during startup.
  • This prevents centralized management of the vSphere environment through Enhanced Linked Mode.

Resolution

Note: Create a powered-off snapshot of all vCenter nodes in the ELM domain before proceeding.
See: Snapshot Best practices for vCenter Server Virtual Machines

  1. Run the vCert tool following the instructions at: vCert - Scripted vCenter Expired Certificate Replacement

  2. Select option 2 - "Replace expired vCenter certificate(s)"

  3. Select option 1 - "Replace only the Machine SSL certificate with VMCA signed certificate"

  4. Enter the SSO administrator password when prompted.

  5. Allow the tool to complete the certificate replacement and restart the services.

  6. Verify the vCenter Server is now visible in Enhanced Linked Mode.
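
To confirm the expiry before running vCert and to check the replacement certificate afterwards, the Machine SSL certificate's end date can be read on each node. The script below is an added example, not part of this article or of the vCert tool; it assumes the standard appliance path for vecs-cli, the MACHINE_SSL_CERT store with the __MACHINE_CERT alias, and GNU date. The function names and the 30-day warning window are illustrative choices.

```shell
#!/bin/bash
# Added example: report Machine SSL certificate expiry on vCenter nodes.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # assumed standard appliance path

# classify_notafter "<notAfter=... line>" <now_epoch> <warn_days>
# Prints "EXPIRED <days since expiry>", "EXPIRING <days left>" or "OK <days left>".
classify_notafter() {
    local line now warn_days end_epoch
    line=$1; now=$2; warn_days=$3
    # openssl prints e.g. "notAfter=Jun  1 12:00:00 2024 GMT"; GNU date parses it.
    end_epoch=$(date -u -d "${line#notAfter=}" +%s) || return 2
    if [ "$end_epoch" -le "$now" ]; then
        echo "EXPIRED $(( (now - end_epoch) / 86400 ))"
    elif [ $(( end_epoch - now )) -le $(( warn_days * 86400 )) ]; then
        echo "EXPIRING $(( (end_epoch - now) / 86400 ))"
    else
        echo "OK $(( (end_epoch - now) / 86400 ))"
    fi
}

# Local check: read the certificate straight from the VECS store on this node.
machine_ssl_status() {
    local line
    line=$("$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT \
        | openssl x509 -noout -enddate) || return 2
    classify_notafter "$line" "$(date -u +%s)" "${1:-30}"
}

# Remote check: read the certificate another ELM node presents on port 443.
remote_ssl_status() {
    local line
    line=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate) || return 2
    classify_notafter "$line" "$(date -u +%s)" "${2:-30}"
}

# On a vCenter appliance, print the local status (30-day warning window).
if [ -x "$VECS_CLI" ]; then
    machine_ssl_status 30
fi
```

Running remote_ssl_status against each vCenter FQDN in the ELM domain shows which nodes are affected; an EXPIRING result identifies nodes whose certificate should be renewed before they drop out of the inventory.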