"SMS certificate in VECS has expired" observed on vCenter UI

Article ID: 422990

Products

VMware vCenter Server

Issue/Introduction

  • After logging into the vSphere Client, the 'SMS certificate in VECS has expired' alarm is shown as triggered under the Summary tab of the vCenter Server instance.

  • Validating the SMS certificate store with the command below shows that one or more certificates are no longer valid because they have expired:

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo "STORE $i"; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store "$i" --text | grep -E "Alias|Not After"; done


Sample Output:

[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : MM DD HH:MM:SS YYYY GMT
[*] Store : TRUSTED_ROOTS
Alias : ####
            Not After : MM DD HH:MM:SS YYYY GMT
Alias : ####
            Not After : MM DD HH:MM:SS YYYY GMT
[*] Store : machine
Alias : machine
            Not After : MM DD HH:MM:SS YYYY GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
            Not After : MM DD HH:MM:SS YYYY GMT
[*] Store : vpxd
Alias : vpxd
            Not After : MM DD HH:MM:SS YYYY GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
            Not After : MM DD HH:MM:SS YYYY GMT
[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : data-encipherment
Alias : data-encipherment
            Not After : MM DD HH:MM:SS YYYY GMT
[*] Store : SMS
Alias : sms_self_signed
            Not After : MM DD HH:MM:SS YYYY GMT   <------ This date would have already passed
Alias : sps-extension
[*] Store : hvc
Alias : hvc
            Not After : MM DD HH:MM:SS YYYY GMT
[*] Store : wcp
Alias : wcp
            Not After : MM DD HH:MM:SS YYYY GMT
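
To turn the Alias / Not After listing above into an explicit verdict per entry, the following added example (not part of the original article, and not vCert or fixcerts code) parses that output and flags expired entries. The sample dates and the 30-day warning window are assumptions, as is the openssl-style date format `Mon DD HH:MM:SS YYYY GMT`.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (made-up dates). Both header forms are accepted: the
# "STORE <name>" line echoed by the loop and the "[*] Store : <name>" form.
SAMPLE = """\
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Mar  4 10:15:00 2031 GMT
[*] Store : SMS
Alias : sms_self_signed
            Not After : Jan  9 08:30:00 2024 GMT
Alias : sps-extension
"""

STORE_RE = re.compile(r"^(?:STORE\s+|\[\*\]\s*Store\s*:\s*)(\S+)")
FIELD_RE = re.compile(r"^\s*(Alias|Not After)\s*:\s*(.+?)\s*$")

def parse_entries(text):
    """Return [(store, alias, not_after_or_None), ...] in input order."""
    entries, store = [], None
    for line in text.splitlines():
        s, f = STORE_RE.match(line), FIELD_RE.match(line)
        if s:
            store = s.group(1)
        elif f and f.group(1) == "Alias":
            entries.append([store, f.group(2), None])
        elif f and entries:  # "Not After" belongs to the alias just above it
            stamp = " ".join(f.group(2).split())  # day may be space-padded
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            entries[-1][2] = when.replace(tzinfo=timezone.utc)
    return [tuple(e) for e in entries]

def status_of(not_after, now, warn_days=30):
    """warn_days is an assumed early-warning window, not a VMware value."""
    if not_after is None:
        return "no-date"  # no "Not After" line was printed for this alias
    if not_after <= now:  # reached or passed its expiration date
        return "expired"
    return "expiring" if not_after - now <= timedelta(days=warn_days) else "ok"

def classify(entries, now, warn_days=30):
    """Map (store, alias) to expired / expiring / ok / no-date."""
    return {(s, a): status_of(t, now, warn_days) for s, a, t in entries}

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for key, status in classify(parse_entries(SAMPLE), now).items():
        print(status, *key)
```

To check a live appliance, pass the captured output of the loop to `parse_entries()` in place of `SAMPLE`.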

Cause

This alarm is triggered when one or more certificates within the SMS certificate store have reached or passed their expiration date.

Resolution

To resolve this issue, follow the steps below:

  1. Take a snapshot of the vCenter Server. (For Linked vCenter Servers, refer to VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice.)

  2. Renew the expired SMS certificate by using either of the below scripted methods:

    • vCert Script (as highlighted on the alarm) with options:
      • Option 3 (Manage certificates) ->
        • Option 5 (SMS certificates) ->
          • Option 1 (Replace SMS self-signed certificate)

    or

    • fixcerts script with command:

      python fixcerts_3_2.py replace --certType sms

  3. Select Reset to Green from the alarm actions in the vSphere Client.

  4. Remove the snapshot.