dir-cli trustedcert publish fails with 'Error 1168: Operation failed with error ERROR_NOT_FOUND'

Article ID: 414482

Products

VMware vCenter Server

Issue/Introduction

  • An attempt to update a vCenter certificate via script, utilizing the dir-cli trustedcert publish command, resulted in a failure.
  • The command returned the error dir-cli failed. Error 1168: Operation failed with error ERROR_NOT_FOUND (1168).
  • This occurred despite verifying that the specified certificate file (/tmp/replace-cert/certificate.ca) existed at the given path and contained the correct Certificate Authority (CA) chain (Intermediate CA to Root CA, without the private key or end-entity certificate).

    root@xxx [ /tmp/replace-cert ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /tmp/replace-cert/certificate.ca --chain --login [email protected]
    Enter password for [email protected]:
    dir-cli failed. Error 1326: Operation failed with error ERROR LOGON FAILURE (1326)
    root@xxx [ /tmp/replace-cert ]#

     Log: /var/log/vmware/vmafdd/vmafdd.log

 2025-10-15T17:55:00.261 [vmafdd][ERROR] [Error - 183, lotus/vmafd/server/vmafd/vecsserviceapi.c:193]
 2025-10-15T17:55:00.261 [vmafdd][INFO] VecsSrvCreateCertStore: Failed to create Cert Store
 2025-10-15T17:55:00.261 [vmafdd][ERROR] [Error - 183, lotus/vmafd/server/vmafd/authservice.c:36]
 2025-10-15T17:55:00.261 [vmafdd][ERROR] [Error - 183, lotus/vmafd/server/vmafd/vecsserviceapi.c:193]
 2025-10-15T17:55:00.261 [vmafdd][INFO] VecsSrvCreateCertStore: Failed to create Cert Store
 2025-10-15T17:55:00.261 [vmafdd][ERROR] [Error - 183, lotus/vmafd/server/vmafd/authservice.c:36]
 2025-10-15T17:55:00.261 [vmafdd][ERROR] [Error - 183, lotus/vmafd/server/vmafd/vecsserviceapi.c:193]
 2025-10-15T17:55:00.261 [vmafdd][INFO] VecsSrvCreateCertStore: Failed to create Cert Store
 2025-10-15T17:55:00.261 [vmafdd][ERROR] [Error - 183, lotus/vmafd/server/vmafd/authservice.c:36]

Environment

  • vCenter 8.x

Cause

  • The failure of the dir-cli trustedcert publish command was caused by insufficient privileges of the user account executing the script. 
  • The account lacked the necessary administrative permissions within vCenter's Single Sign-On (SSO) domain to perform certificate publishing operations against the vCenter's internal directory services. 

Resolution

The issue was resolved by executing the dir-cli trustedcert publish command using the [email protected] account.

Steps:

  • Ensure the certificate file (certificate.ca in this case) contains the full Certificate Authority (CA) chain, starting with the Intermediate CA (if applicable) and ending with the Root CA. Confirm it does not include the private key or the Machine SSL (end-entity) certificate itself.
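  • Execute the dir-cli trustedcert publish command using credentials for the [email protected] user:
    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /tmp/replace-cert/certificate.ca --chain --login "[email protected]" --password "your_sso_admin_password"
    Omitting --password makes dir-cli prompt for the password, as in the terminal sessions on this page, which keeps it out of shell history and the process list.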
  • This action allowed the command to execute successfully, updating the vCenter's trusted certificate store. The [email protected] account possesses the inherent, system-level privileges required for such critical operations, bypassing any permission-related restrictions encountered by less-privileged accounts.

root@xxx [ /tmp/replace-cert ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /tmp/replace-cert/certificate.ca --chain --login [email protected]
Enter password for [email protected]:
Certificate published successfully
root@xxx[ /tmp/replace-cert ]#
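
The bundle requirements in the first step (CA certificates only, Intermediate CA first, Root CA last, no private key) can be checked before publishing. The following is an added example, not part of the original article or of VMware's tooling: check_ca_bundle is a hypothetical helper that assumes the openssl CLI is available, and it compares issuer and subject names only, without verifying signatures.

```sh
#!/bin/sh
# Added example (not VMware code): pre-flight check of a CA bundle before
# `dir-cli trustedcert publish --cert <file> --chain`.
# check_ca_bundle is a hypothetical helper and assumes the openssl CLI.
# It compares issuer/subject names only; it does not verify signatures.
check_ca_bundle() (
    bundle=$1
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; exit 2; }

    # The published file must not carry key material.
    if grep -Eq -e '-----BEGIN ([A-Z]+ )*PRIVATE KEY-----' "$bundle"; then
        echo "FAIL: private key found in $bundle" >&2; exit 1
    fi

    # Split into one file per certificate, in file order; awk prints the count.
    tmp=$(mktemp -d) || exit 2
    trap 'rm -rf "$tmp"' EXIT
    count=$(awk -v d="$tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", d, n) }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }' "$bundle")
    [ "$count" -ge 1 ] || { echo "FAIL: no certificates in $bundle" >&2; exit 1; }

    i=1
    while [ "$i" -le "$count" ]; do
        cur=$(printf '%s/%03d.pem' "$tmp" "$i")
        # Every entry must be a CA certificate; this rejects a Machine SSL cert.
        openssl x509 -in "$cur" -noout -text 2>/dev/null | grep -q 'CA:TRUE' ||
            { echo "FAIL: certificate $i is not a CA certificate" >&2; exit 1; }
        issuer=$(openssl x509 -in "$cur" -noout -issuer_hash)
        if [ "$i" -lt "$count" ]; then
            # Not the last entry: its issuer must be the next certificate.
            nxt=$(printf '%s/%03d.pem' "$tmp" "$((i + 1))")
            parent=$(openssl x509 -in "$nxt" -noout -subject_hash)
        else
            # Last entry: must be the self-issued root.
            parent=$(openssl x509 -in "$cur" -noout -subject_hash)
        fi
        [ "$issuer" = "$parent" ] ||
            { echo "FAIL: certificate $i is not issued by the entry after it" >&2; exit 1; }
        i=$((i + 1))
    done
    echo "OK: $count CA certificate(s), ordered intermediate to root"
)
```

Run check_ca_bundle /tmp/replace-cert/certificate.ca and publish only when it exits 0; exit status 1 means the bundle breaks one of the requirements, 2 means the file could not be read.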