vCenter vmware-vpxd-svcs fails to start due to SSL Certificate Hostname mismatch

Article ID: 420754


Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • After replacing certificates on the VMware vCenter Server, the vmware-vpxd-svcs service fails to start
    • service-control --status --all
      • Results: 
        Running:
        lookupsvc lwsmd observability-vapi pschealth vc-ws1a-broker vlcm vmafdd vmcad vmdird vmonapi vmware-analytics vmware-certificateauthority vmware-cis-license vmware-content-library vmware-eam vmware-envoy vmware-envoy-hgw vmware-envoy-sidecar vmware-infraprofile vmware-perfcharts vmware-postgres-archiver vmware-rhttpproxy vmware-sca vmware-stsd vmware-trustmanagement vmware-vapi-endpoint vmware-vmon vmware-vpostgres vmware-vpxd vmware-vsan-health vmware-vsm vtsdb
        Stopped:
        applmgmt observability vmcam vmware-certificatemanagement vmware-hvc vmware-imagebuilder vmware-netdumper vmware-pod vmware-rbd-watchdog vmware-sps vmware-topologysvc vmware-updatemgr vmware-vcha vmware-vdtc vmware-vpxd-svcs vsphere-ui vstats wcp

  • Manual start attempts with the following command fail immediately:
    • service-control --start vmware-vpxd-svcs
  • In /var/log/vmware/vmon/vmon.log, the vpxd-svcs pre-start command fails due to a certificate verification failure:
    • YYYY-MM-DDTHH:MM:SS.SSSS Wa(03) host-##### <vpxd-svcs> Service pre-start command's stderr: self.do_handshake()
      YYYY-MM-DDTHH:MM:SS.SSSS Wa(03)+ host-#####   File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
      YYYY-MM-DDTHH:MM:SS.SSSS Wa(03)+ host-#####
      YYYY-MM-DDTHH:MM:SS.SSSS Wa(03) host-##### <vpxd-svcs> Service pre-start command's stderr: self._sslobj.do_handshake()
      YYYY-MM-DDTHH:MM:SS.SSSS Wa(03)+ host-#####
      YYYY-MM-DDTHH:MM:SS.SSSS Wa(03) host-##### <vpxd-svcs> Service pre-start command's stderr: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'VCENTER PNID/HOSTNAME'. (_ssl.c:997)
      YYYY-MM-DDTHH:MM:SS.SSSS Wa(03)+ host-#####
      YYYY-MM-DDTHH:MM:SS.SSSS Er(02) host-##### <vpxd-svcs> Service pre-start command failed with exit code 1.

 

Environment

  • VMware vCenter Server 8.X

Cause

  • The vmware-vpxd-svcs service fails to start because the vCenter Primary Node ID (PNID) does not match the Hostname/Subject Alternative Name (SAN) defined in the newly installed certificate.

Resolution

Follow the steps below to resolve the issue.

  • Log in to the vCenter Server Appliance via SSH using root credentials.
  • Determine the vCenter's PNID by running the following command:
    • /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
  • Renew the vCenter certificates using vCert, with the correct PNID as the hostname.
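
A replacement certificate can be checked against the PNID before it is installed. The following Python check is an added example, not part of the original article or of VMware tooling; it reads the text printed by openssl x509 -noout -text and tests whether a SAN entry covers the PNID. The sample certificate text and hostnames are constructed, and only SAN entries are compared (no Common Name fallback).

```python
import ipaddress
import re

# Constructed sample: SAN section as printed by `openssl x509 -noout -text`.
SAMPLE_CERT_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:vcsa01.corp.example, DNS:*.lab.example, IP Address:192.0.2.10
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""

def parse_sans(cert_text):
    """Return (dns_names, ip_addresses) found in openssl's text dump."""
    m = re.search(r"X509v3 Subject Alternative Name:[^\n]*\n\s*([^\n]+)", cert_text)
    dns, ips = [], []
    if not m:
        return dns, ips
    for entry in m.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def san_covers_pnid(pnid, dns, ips):
    """True if a SAN entry matches the PNID (exact, one-label wildcard, or IP)."""
    try:
        # A PNID that is an IP address can only match an IP SAN entry.
        return ipaddress.ip_address(pnid) in ips
    except ValueError:
        pass
    host = pnid.lower().rstrip(".")
    for name in dns:
        if name == host:
            return True
        # A wildcard stands for exactly one left-most label.
        if name.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False

def check(pnid, cert_text):
    """Parse the certificate text and test it against the PNID."""
    dns, ips = parse_sans(cert_text)
    return san_covers_pnid(pnid, dns, ips)
```

A short name such as vcsa01 does not match a SAN that lists only the FQDN, so pass the PNID exactly as vmafd-cli get-pnid prints it.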

Additional Information