vmware-vpxd-svcs service during certificate replacement is due to SSL certificate verification failure. The mismatch between the PNID and the hostname prevents successful service initialization.
service-control --status --all shows the following output:
Running: lookupsvc lwsmd observability-vapi pschealth vc-ws1a-broker vlcm vmafdd vmcad vmdird vmonapi vmware-analytics vmware-certificateauthority vmware-cis-license vmware-content-library vmware-eam vmware-envoy vmware-envoy-hgw vmware-envoy-sidecar vmware-infraprofile vmware-perfcharts vmware-postgres-archiver vmware-rhttpproxy vmware-sca vmware-stsd vmware-trustmanagement vmware-vapi-endpoint vmware-vmon vmware-vpostgres vmware-vpxd vmware-vsan-health vmware-vsm vtsdb
Stopped: applmgmt observability vmcam vmware-certificatemanagement vmware-hvc vmware-imagebuilder vmware-netdumper vmware-pod vmware-rbd-watchdog vmware-sps vmware-topologysvc vmware-updatemgr vmware-vcha vmware-vdtc vmware-vpxd-svcs vsphere-ui vstats wcp
/var/log/vmware/vpxd-svcs/vpxd-svcs.log is not updated during service startup.
/var/log/vmware/vmon/vmon.log
YYYY-MM-DDTHH:MM:SS.SSSS Wa(03) host-721660 <vpxd-svcs> Service pre-start command's stderr: self.do_handshake()
YYYY-MM-DDTHH:MM:SS.SSSS Wa(03)+ host-721660 File "/usr/lib/python3.10/ssl.py", line 1341, in do_handshake
YYYY-MM-DDTHH:MM:SS.SSSS Wa(03)+ host-721660
YYYY-MM-DDTHH:MM:SS.SSSS Wa(03) host-721660 <vpxd-svcs> Service pre-start command's stderr: self._sslobj.do_handshake()
YYYY-MM-DDTHH:MM:SS.SSSS Wa(03)+ host-721660
YYYY-MM-DDTHH:MM:SS.SSSS Wa(03) host-721660 <vpxd-svcs> Service pre-start command's stderr: ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'VCENTER PNID/HOSTNAME'. (_ssl.c:997)
YYYY-MM-DDTHH:MM:SS.SSSS Wa(03)+ host-721660
YYYY-MM-DDTHH:MM:SS.SSSS Er(02) host-721660 <vpxd-svcs> Service pre-start command failed with exit code 1.
vCenter Server 8.x
This happens when an incorrect FQDN or hostname is provided during generation of the CSR for custom certificates.
To determine the vCenter's PNID (Primary Node ID), you can use the following command from an SSH session on the vCenter:
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
The vCenter PNID must be present in the certificate's Subject Alternative Name (SAN) section, even though this section is shown as optional during CSR generation.
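One way to check this before a CSR is submitted or a certificate is installed, shown as an added example that is not part of the original article or VMware tooling. The function names, sample hostnames and sample SAN text are constructed; it assumes the PNID is an FQDN or IPv4 address and that openssl is available on the appliance.

```shell
#!/bin/bash
# Added example (not VMware code): confirm the PNID is listed in the SAN of a
# CSR or certificate before it is used for Machine SSL replacement.

# Print one SAN entry per line from `openssl ... -noout -text` output on stdin.
san_entries() {
    awk '/X509v3 Subject Alternative Name/ { if ((getline l) > 0) print l }' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -E '^(DNS|IP Address):'
}

# Return 0 if the PNID ($1) is an exact SAN entry in the text on stdin.
# Assumption: the PNID is an FQDN or an IPv4 address; wildcard SAN entries
# are deliberately not accepted as a match.
san_has_pnid() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$want" in
        *[!0-9.]*) want="dns:$want" ;;         # hostname: must be a DNS entry
        *)         want="ip address:$want" ;;  # IPv4: must be an IP entry
    esac
    san_entries | tr '[:upper:]' '[:lower:]' | grep -xF -e "$want" >/dev/null
}

# On the appliance: check_file csr|cert <path>   (hypothetical helper name)
check_file() {
    node_id=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost) || return 2
    case "$1" in
        csr)  openssl req  -in "$2" -noout -text ;;
        cert) openssl x509 -in "$2" -noout -text ;;
    esac | san_has_pnid "$node_id"
}

# Constructed sample: SAN portion of `openssl req -noout -text` output.
SAMPLE_SAN='            X509v3 Subject Alternative Name:
                DNS:vcsa01.example.test, DNS:vcsa01, IP Address:192.0.2.10'

for name in vcsa01.example.test VCSA01.EXAMPLE.TEST vc01.example.test 192.0.2.10; do
    if printf '%s\n' "$SAMPLE_SAN" | san_has_pnid "$name"; then
        echo "$name: present in SAN"
    else
        echo "$name: MISSING from SAN"
    fi
done
```

A non-zero return from check_file means the PNID is not an exact SAN entry (or the file could not be read), which is the condition that produces the hostname mismatch in vmon.log.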
To resolve this issue, replace the invalid vCenter Machine SSL certificate from the command line using vSphere Certificate Manager: 318946 - Using vSphere Certificate Manager to Replace SSL Certificates
Alternatively, you can perform the certificate replacement by using the vCert script: 385107 - vCert - vCenter certificate replacement script