SDDC Manager UI Inaccessible Due to Expired vCenter Certificate – Identity Internal Server Error (500)
search cancel

SDDC Manager UI Inaccessible Due to Expired vCenter Certificate – Identity Internal Server Error (500)

book

Article ID: 412926

calendar_today

Updated On:

Products

VMware SDDC Manager

Issue/Introduction

  • Access to the SDDC Manager interface fails and returns the following error, preventing login :

{"message":"Identity Internal Server Error","code":"IDENTITY_INTERNAL_SERVER_ERROR","status":500}

  • In /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log, you see entries similar to:

  • [YYYY-MM-DDTHH:MM:SS] ERROR [common,68d486459ecb74a2828a8f393f04e8da,da6d] [c.v.e.s.c.c.v.vsphere.VsphereClient,cs-exec-5] Failed to connect to https://<vCenter FQDN>:443/sdk
    com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    [YYYY-MM-DDTHH:MM:SS] ERROR [common,68d486459ecb74a2828a8f393f04e8da,da6d] [c.v.e.s.c.c.v.vsphere.VcManagerBase,cs-exec-5] Immediately throwing on SSL exception
    [YYYY-MM-DDTHH:MM:SS]ERROR [common,68d486459ecb74a2828a8f393f04e8da,da6d] [c.v.v.i.sync.utils.VcSyncManagerUtil,cs-exec-5] Error connecting to vCenter <vCenter FQDN>, with exception {}
    com.vmware.vim.vmomi.client.exception.SslException: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed

Cause

  • The issue is caused by an expired Machine SSL certificate on the Management vCenter. The SDDC Manager fails to establish a secure connection to vCenter due to SSL handshake failure.

    • Log in to the vCenter CLI and validate certificate status to confirm expiration by running the below command

    • for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

Resolution

To resolve the issue, the expired Management vCenter certificate must be renewed or replaced.

Note:

  • Take a snapshot of the SDDC Manager appliance.
  • Take an offline snapshot of the Management vCenter.

  1. Replace the Expired Machine SSL Certificate Using One of the Following Methods:

  2. Restart vCenter Services:
    After replacing the certificates, restart services with the following command:

    • service-control --stop --all && service-control --start --all

  3. Login to SDDC Manager and verify if the Management vCenter certificate is replaced and synced.
Powered by Wolken Software