The com.vmware.vsan.health extension thumbprint is not immediately updated after a non-disruptive Machine SSL certificate renewal via the vSphere Client

Article ID: 422802

Updated On:

Products

VMware vCenter Server

Issue/Introduction

After performing a non-disruptive renewal of the Machine SSL certificate through the vSphere Client, you may observe the following symptoms:

  • The vCert script reports a MISMATCH for the com.vmware.vsan.health thumbprint.

  • The thumbprint of the MACHINE_SSL_CERT does not match the entry in the vpx_ext table:

    Actual Certificate Thumbprint:
    # /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT | openssl x509 -fingerprint -sha1 -noout
    sha1 Fingerprint=##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:3C

    Database Entry:
    # /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres -c "select ext_id,thumbprint from vpx_ext where ext_id='com.vmware.vsan.health';"
             ext_id         |                         thumbprint
    ------------------------+-------------------------------------------------------------
     com.vmware.vsan.health | ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:D9
    (1 row)

 

Cause

This is expected behavior.
The vsan-health service continues to use the cached vpxd session as long as that session remains active.
Once the session expires, the auto-reconnect mechanism triggers a new connection, and the thumbprint is updated at that time.

Resolution

No manual remediation is required.
The thumbprint will be updated automatically when the cached session expires or the service is restarted.
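
To confirm that the vpx_ext entry has caught up once the cached session has expired or the service has been restarted, the two commands from the symptom section can be wrapped in a comparison script. The script below is an added example, not VMware or Broadcom code; the function names are illustrative and the sample thumbprint values are constructed placeholders used only when the script is not run on a vCenter Server appliance.

```shell
#!/bin/sh
# Added example (not VMware/Broadcom code): compare the Machine SSL certificate
# thumbprint with the vpx_ext entry, using the two commands from this article.
EXT_ID='com.vmware.vsan.health'
VECS=/usr/lib/vmware-vmafd/bin/vecs-cli
PSQL=/opt/vmware/vpostgres/current/bin/psql

# Constructed sample outputs (placeholder values), used when not on a vCenter appliance.
SAMPLE_CERT_OUT='sha1 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3C'
SAMPLE_DB_OUT='         ext_id         |                         thumbprint
------------------------+-------------------------------------------------------------
 com.vmware.vsan.health | 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:D9
(1 row)'

# stdin: `openssl x509 -fingerprint` output -> upper-case colon-separated hex
cert_thumbprint() {
    sed -n 's/^.*Fingerprint=//p' | tr 'a-f' 'A-F' | tr -d ' \t\r\n'
}

# stdin: aligned psql table; $1: ext_id -> that row's thumbprint, upper-case
db_thumbprint() {
    awk -F'|' -v id="$1" '{ gsub(/[ \t\r]/, "", $1); gsub(/[ \t\r]/, "", $2) }
        $1 == id { print toupper($2) }'
}

# $1: openssl output, $2: psql output -> prints MATCH, MISMATCH or UNKNOWN
compare_thumbprints() {
    ct_cert=$(printf '%s\n' "$1" | cert_thumbprint)
    ct_db=$(printf '%s\n' "$2" | db_thumbprint "$EXT_ID")
    if [ -z "$ct_cert" ] || [ -z "$ct_db" ]; then
        echo UNKNOWN          # one side could not be parsed; do not guess
    elif [ "$ct_cert" = "$ct_db" ]; then
        echo MATCH
    else
        echo MISMATCH         # expected until the cached vpxd session expires
    fi
}

if [ -x "$VECS" ] && [ -x "$PSQL" ]; then
    cert_out=$("$VECS" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT |
        openssl x509 -fingerprint -sha1 -noout)
    db_out=$("$PSQL" -d VCDB -U postgres -c \
        "select ext_id,thumbprint from vpx_ext where ext_id='$EXT_ID';")
else
    cert_out=$SAMPLE_CERT_OUT
    db_out=$SAMPLE_DB_OUT
fi
echo "$EXT_ID: $(compare_thumbprints "$cert_out" "$db_out")"
```

The comparison is case-insensitive and accepts both the `sha1 Fingerprint=` and `SHA1 Fingerprint=` prefixes that different OpenSSL versions print.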