The VCF SDDC Manager user interface (UI) becomes inaccessible following the direct replacement of the Machine SSL certificate within vCenter Server
Article ID: 418872

Products

VMware vCenter Server, VMware SDDC Manager

Issue/Introduction

After replacing the Machine SSL and STS (Security Token Service) Signing Certificates on a vCenter Server that is part of a VCF (VMware Cloud Foundation) environment, the SDDC Manager UI page becomes inaccessible or displays a blank screen.

Cause

The problem originates from the SDDC Manager's role as the centralized certificate and trust management component for all vCenter Servers integrated into the VCF environment.

When the certificate is replaced directly on the vCenter Server:

  • The vCenter's own trust anchor changes.
  • SDDC Manager's internal trust store, which was configured to trust the previous certificate chain of that vCenter, becomes outdated. SDDC Manager can no longer securely communicate with or validate the identity of its integrated vCenters.

Resolution

The resolution involves resynchronizing the vCenter's root certificate with the SDDC Manager's trust store and then restarting services to re-establish the trust chain across the domain.

  1. Take a Snapshot of the SDDC Manager VM:
    Before proceeding, it is highly recommended to take an offline snapshot of the SDDC Manager VM.
    This provides a rollback point if any issues occur during the trust synchronization process.

  2. Download the VcRootCaSync.py Script:
    Download the script from the KB article below and transfer it to the SDDC Manager appliance:
    How to import the vCenter root certificate into the SDDC manager TrustStore

  3. SSH into SDDC Manager:
    Log in to SDDC Manager via SSH as the vcf user and switch to the root user account:
    su -

  4. Execute the VcRootCaSync.py Script:
    python VcRootCaSync.py

    Expected Output:

    /home/vcf ]# python VcRootCaSync.py
    Please provide SSO administrator user[[email protected]]:
    Provide password for [email protected]:
    Available vCenter Servers:
    [1] ACTIVE | example.vcsa1.com
    [2] ACTIVE | example.vcsa2.com

    Select a vCenter server by entering the corresponding number: 1
    Selected vCenter: example.vcsa1.com

    Session token created successfully
    Root certificate saved to /tmp/root.cer

    vCenter example.vcsa1.com Root Certificate Found:
    -----BEGIN CERTIFICATE-----
    ###########################################################
    -----END CERTIFICATE-----

    Using randomly generated Alias: abc-def-vcsa1_RootCrt_EA0G

    vCenter Root certificate added to SDDC Manager trust stores.
    Refreshing certificate store
    Deleting root certificate from temp

  5. Restart SDDC Manager services:
    Run the following command to restart the SDDC Manager services and re-establish trust with the vCenter:
    /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
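A pre-/post-check for the trust relationship this KB describes, added here as an example; it is not part of the KB or of VcRootCaSync.py. It assumes the SDDC Manager-side trusted CAs can be exported as a PEM bundle (path passed as an argument) and that vCenter serves TLS on 443; `constructed_pem` builds fake PEM blocks for offline testing only.

```python
import base64
import hashlib
import re
import socket
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def sha256_fingerprint(pem_cert):
    """Colon-separated SHA-256 fingerprint of a single PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip())
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def bundle_fingerprints(bundle_pem):
    """Fingerprints of every certificate in a PEM bundle; text between blocks is ignored."""
    return {sha256_fingerprint(m.group(0)) for m in PEM_BLOCK.finditer(bundle_pem)}


def root_is_trusted(root_pem, bundle_pem):
    """True when a vCenter root (e.g. the /tmp/root.cer the KB script saves) is in the bundle."""
    return sha256_fingerprint(root_pem) in bundle_fingerprints(bundle_pem)


def vcenter_chain_validates(host, cafile, port=443, timeout=5.0):
    """Handshake with vCenter trusting only the CAs in cafile (assumed PEM export of the
    SDDC Manager trust store). (False, reason) is the outdated-trust state the KB describes."""
    ctx = ssl.create_default_context(cafile=cafile)  # cafile replaces the system CA set
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, "chain validated over %s" % tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "chain NOT trusted by bundle: %s" % exc.verify_message
    except (OSError, ssl.SSLError) as exc:
        return False, "connection or TLS error: %s" % exc


def constructed_pem(label):
    """Constructed PEM block (not a real certificate) for offline fingerprint tests."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----" % body


if __name__ == "__main__":
    import sys  # usage: python check_trust.py <vcenter-fqdn> <sddc-trusted-cas.pem>
    ok, why = vcenter_chain_validates(sys.argv[1], sys.argv[2])
    print(("OK: " if ok else "MISMATCH: ") + why)
```

Run it before replacing the Machine SSL certificate to confirm the bundle validates the current chain, and again after step 5 to confirm trust was restored.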