Unable to access vCenter Server due to expired solution user certificates

Article ID: 421381

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Accessing the vSphere Client results in a failure to load the login page. The following symptoms may be encountered:

  • vCenter UI Error: [500] An error occurred while fetching identity providers. Try again. If problem persists, contact your administrator. Back to login screen
  • Running service-control --status --all confirms that multiple services are in a Stopped or StartPending state, including vmware-vpxd, vmware-vpxd-svcs, and vmware-sps.
  • Output from running the vCert Tool confirms Solution User certificates have expired.

In the vpxd logs the following authentication errors are recorded.

/var/log/vmware/vpxd/vpxd.log:

error vpxd[130739] [Originator@6876 sub=SsoWrapper] [AcquireToken] AcquireToken exception: N9SsoClient27InvalidCredentialsExceptionE(Authentication failed: Invalid credentials)
warning vpxd[130739] [Originator@6876 sub=Authz] [ConnectAndLogin] Failed to loginBySamlToken: N9SsoClient27InvalidCredentialsExceptionE(Authentication failed: Invalid credentials)
error vpxd[130739] [Originator@6876 sub=Authorize] Failed to initialize authorizeManager

Environment

VMware vCenter Server

Cause

This issue occurs because the vCenter Server Solution User certificates (machine, vsphere-webclient, vpxd, vpxd-extension, and hvc) have expired. These internal certificates are required for vCenter services to authenticate with the Security Token Service (STS) to acquire SAML tokens. 
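
To confirm this cause independently of the vCert tool, the following added example (not part of the original article or the vCert project) reads the Solution User stores with vecs-cli and reports each certificate's expiry state. It assumes vecs-cli is at /usr/lib/vmware-vmafd/bin/vecs-cli and that "entry list --text" prints "Alias :" and openssl-style "Not After :" lines; the embedded sample is constructed, not real output.

```python
import os
import re
import subprocess
from datetime import datetime, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"  # assumed install path
STORES = ["machine", "vsphere-webclient", "vpxd", "vpxd-extension", "hvc"]

# Constructed sample of `vecs-cli entry list --store vpxd --text` (not real data).
SAMPLE = """\
Alias :\tvpxd
Entry type :\tPrivate Key
Certificate:
    Data:
        Validity
            Not Before: Mar  3 10:15:00 2022 GMT
            Not After : Mar  2 10:15:00 2024 GMT
"""

def parse_entries(text):
    """Return [(alias, not_after_utc)] parsed from the text listing."""
    entries, alias = [], None
    for line in text.splitlines():
        m = re.match(r"\s*Alias\s*:\s*(\S+)", line)
        if m:
            alias = m.group(1)
            continue
        m = re.match(r"\s*Not After\s*:\s*(.+?)\s*GMT", line)
        if m and alias:
            stamp = " ".join(m.group(1).split())  # collapse the padded day field
            ts = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            entries.append((alias, ts.replace(tzinfo=timezone.utc)))
    return entries

def expiry_report(text, now, warn_days=30):
    """Classify each entry as EXPIRED, EXPIRING (inside warn_days) or OK."""
    report = []
    for alias, not_after in parse_entries(text):
        days = (not_after - now).days
        state = "EXPIRED" if not_after <= now else "EXPIRING" if days < warn_days else "OK"
        report.append((alias, state, days))
    return report

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    # Off the appliance, fall back to the constructed sample so the script still runs.
    stores = STORES if os.path.exists(VECS_CLI) else ["sample"]
    for store in stores:
        out = SAMPLE if store == "sample" else subprocess.run(
            [VECS_CLI, "entry", "list", "--store", store, "--text"],
            capture_output=True, text=True).stdout
        for alias, state, days in expiry_report(out, now):
            print(f"{store:18} {alias:18} {state:9} {days:6d} days")
```

Run it as root on the vCenter Server appliance; an EXPIRED row for any of the five stores matches the cause described above.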

Resolution

To resolve the issue, renew the vCenter Server Solution User certificates using the vCert script with VMCA as the certificate authority. Follow the detailed steps outlined in the KB article: vCert - Scripted vCenter expired certificate replacement.

  1. Take a snapshot of vCenter. For more information, refer to: VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
  2. Download the vCert tool and upload it to the vCenter in the /root or /tmp directory. (To download the script, refer to: vCert - Scripted vCenter expired certificate replacement)
  3. Unzip the vCert tool: unzip -q vCert-6.1.1-20260401.zip
  4. Navigate to the new vCert directory: cd vCert-6.1.1-20260401
  5. Run the vCert tool: ./vCert.py
  6. Select option 3 - Manage certificates
  7. Select option 2 - Solution User certificates
  8. Select option 1 - Replace with VMCA signed certificates
  9. Restart services when prompted