Removing STS_INTERNAL_SSL_CERT from vCenter Server with vCert

Article ID: 424604

Products

VMware vCenter Server

Issue/Introduction

This article describes how to remove the STS_INTERNAL_SSL_CERT from VECS using vCert.

Symptoms

A certificate store named STS_INTERNAL_SSL_CERT exists within VECS. To verify its presence, execute the following command in the vCenter Server Bash shell:

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

If STS_INTERNAL_SSL_CERT exists, the output will include a result similar to the following:

STS_INTERNAL_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Jan  5 06:36:58 2036 GMT

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Resolution

To remove STS_INTERNAL_SSL_CERT from VECS:

  1. (Mandatory) Take an offline snapshot of the vCenter Server Appliance. For best practices regarding vCenter Server Appliance snapshots, please refer to vCenter Server Appliance Data Integrity Best Practices.
  2. Download the lsdoctor tool and run python lsdoctor.py -l to check for stale service registrations in the Lookup Service. If there are none, skip to the next step. Otherwise, run python lsdoctor.py -s followed by python lsdoctor.py -t, then continue with the next step.
  3. Download vCert and execute the following command:

    python vCert.py --run config/check_config/sts_config/op_check_sts_config.yaml

  4. When prompted with "Update STS server configuration to use the MACHINE_SSL_CERT store?", answer "y" (yes).
  5. When prompted with "Restart service(s) vmware-stsd", answer "y" (yes).
  6. When prompted with "Please enter a Single Sign-On administrator account", enter the credentials for your SSO administrator account.
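As an added example that is not part of this article, the following POSIX shell script parses the per-store summary printed by the vecs-cli loop in the Symptoms section and reports whether STS_INTERNAL_SSL_CERT still holds an entry, so it can be run before the vCert steps and again afterwards to confirm the store is gone. The function and variable names and the embedded sample output are constructed for the example; only the vecs-cli path and loop come from the article.

```shell
#!/bin/sh
# Added example, not part of the KB article: parse the per-store summary
# printed by the vecs-cli loop from the Symptoms section and report whether
# STS_INTERNAL_SSL_CERT still holds an entry (constructed sample embedded).

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # path used by the article

# Live collector: the article's loop, "STORE <name>" then Alias/Not After lines.
vecs_summary_live() {
    for s in $("$VECS_CLI" store list); do
        echo "STORE $s"
        "$VECS_CLI" entry list --store "$s" --text | grep -E 'Alias|Not After'
    done
}

# Constructed sample shaped like the loop's output (dates are made up).
vecs_summary_sample() {
    cat <<'EOF'
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Mar  1 12:00:00 2027 GMT
STORE STS_INTERNAL_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Jan  5 06:36:58 2036 GMT
EOF
}

# store_entries SUMMARY STORE: prints "alias|not-after" per entry in STORE,
# nothing if the store is absent. awk tracks the most recent STORE line.
store_entries() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == "STORE" { cur = $2; next }
        cur == want && $1 == "Alias" { alias = $NF; next }
        cur == want && $1 == "Not" && $2 == "After" {
            na = substr($0, index($0, ":") + 1); sub(/^ */, "", na)
            print alias "|" na
        }'
}

# check_sts_internal SUMMARY: exit 0 when STS_INTERNAL_SSL_CERT is absent,
# 1 when present. Run before and after the vCert steps to confirm removal.
check_sts_internal() {
    entries=$(store_entries "$1" STS_INTERNAL_SSL_CERT)
    if [ -n "$entries" ]; then
        echo "STS_INTERNAL_SSL_CERT present: $entries"
        return 1
    fi
    echo "STS_INTERNAL_SSL_CERT absent"
}
```

On the appliance, replace the sample with `check_sts_internal "$(vecs_summary_live)"`; a non-zero exit after the vCert run means the store was not removed and the Resolution steps should be revisited.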

Additional Information

Remove STS_INTERNAL_SSL_CERT from VECS via shell script and SSH