After attempting to update expired certificates on a vCenter Server Appliance (vCSA) using the Certificate Manager, vCenter services may fail to start, which prevents the vCSA from functioning correctly. Log entries indicate that service-control fails to start services such as hvc, vpxd, and vpxd-svcs, reporting that these services crashed during startup.
certificate-manager.log:
YYYY-MM-DDTHH:MM:SS.SSSZ INFO certificate-manager please see service-control.log for service status
Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start hvc, vpxd, vpxd-svcs services. Error: Service crashed while starting
YYYY-MM-DDTHH:MM:SS.SSSZ ERROR certificate-manager None
YYYY-MM-DDTHH:MM:SS.SSSZ ERROR certificate-manager Error while starting services, please see service-control log for more details
YYYY-MM-DDTHH:MM:SS.SSSZ ERROR certificate-manager {
"detail": [
{
"id": "install.ciscommon.command.errinvoke",
"translatable": "An error occurred while invoking external command : '%(0)s'",
"args": [
"None"
],
"localized": "An error occurred while invoking external command : 'None'"
},
"Error while starting services, please see service-control log for more details"
],
"componentKey": null,
"problemId": null,
"resolution": null
}
YYYY-MM-DDTHH:MM:SS.SSSZ ERROR certificate-manager please see /var/log/vmware/vmcad/certificate-manager.log for more information.
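A triage helper for the symptom above, added here as an example and not part of the original article or of VMware's tooling: it scans certificate-manager.log text for the service-control failure line and extracts the profile, return code and failed services. The function names and the sample text are constructed for this example, and the regular expression assumes the line format quoted above.

```python
import re

# Failure line format as quoted above from
# /var/log/vmware/vmcad/certificate-manager.log (assumed stable).
FAILURE_RE = re.compile(
    r"Service-control failed\. Error: Failed to start services in profile "
    r"(?P<profile>\S+)\. RC=(?P<rc>-?\d+), "
    r"stderr=Failed to start (?P<services>.+?) services\. "
    r"Error: (?P<reason>.+)$"
)

# Services this article names as crashing during startup.
ARTICLE_SERVICES = {"hvc", "vpxd", "vpxd-svcs"}


def find_start_failures(log_text):
    """Return one dict per service-control start failure in the log text."""
    failures = []
    for line in log_text.splitlines():
        m = FAILURE_RE.search(line.strip())
        if m is None:
            continue
        failures.append({
            "profile": m.group("profile"),
            "rc": int(m.group("rc")),
            "services": [s.strip() for s in m.group("services").split(",")],
            "reason": m.group("reason").strip(),
        })
    return failures


def matches_symptom(failures):
    """True if any failure involves a service named in this article."""
    return any(ARTICLE_SERVICES & set(f["services"]) for f in failures)


# Constructed sample: lines copied from the excerpt above, placeholder timestamps.
SAMPLE_LOG = """\
YYYY-MM-DDTHH:MM:SS.SSSZ INFO certificate-manager please see service-control.log for service status
Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start hvc, vpxd, vpxd-svcs services. Error: Service crashed while starting
YYYY-MM-DDTHH:MM:SS.SSSZ ERROR certificate-manager Error while starting services, please see service-control log for more details
"""

if __name__ == "__main__":
    for failure in find_start_failures(SAMPLE_LOG):
        print(failure, "matches article symptom:", matches_symptom([failure]))
```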
This applies to VMware vCenter Server 7.x and 8.x with expired machine SSL certificates or solution user certificates.
The cause is vmon failing to start these services.
To resolve this issue, you must replace the expired certificates using the vCert script. Follow the detailed procedure below:
1. Create a snapshot of the vCSA.
2. Obtain the vCert tool from KB#385107 and upload it to the vCenter Server.
3. SSH into the vCenter Server, type shell and open Bash.
4. Unzip the vCert tool and navigate to the generated directory.
unzip vCert-6.1.0-20250910.zip
cd vCert-6.1.0-20250910
5. Execute the following command for bulk certificate renewal.
# python vCert.py --run config/manage_cert/vmca/op_replace-vmca-cert-and-reset-all.yaml
6. Enter the credentials for the SSO administrator ([email protected]).
7. For subsequent prompts like "Enter the country code [US]:", simply press Enter for all default values.
Certificate Signing Request Information
-----------------------------------------------------------------
Enter the country code [US]:
Enter the Organization name [VMware]:
Enter the Organizational Unit name [VMware Engineering]:
Enter the state [California]:
Enter the locality (city) name [Palo Alto]:
Enter the IP address (optional):
Enter an email address (optional):
Enter any additional hostnames for SAN entries (comma separated value):
Enter a value for the CommonName of the certificate [CA]:
8. You will be asked to confirm the renewal of the STS certificate. Because versions 6.7 and later have a 10-year validity period, renewal is rarely required, so press N.
Replace STS Signing Certificate? [N]: N
9. After the certificates are updated, when prompted "Restart VMware services [N]:", answer Y (yes).
Restart VMware services [N]: Y