Error: "dir-cli failed. Error 87: Operation failed with error ERROR_INVALID_PARAMETER (87)" and "Error 1168: Operation failed with error ERROR_NOT_FOUND (1168)" using removeroot.sh

Article ID: 425924


Updated On:

Products

VMware vCenter Server

Issue/Introduction

Removing a vCenter root CA using the removeroot.sh script fails with the following errors:

dir-cli failed. Error 87: Operation failed with error ERROR_INVALID_PARAMETER (87)

--> Unpublish certificate from VMDIR

dir-cli failed. Error 1168: Operation failed with error ERROR_NOT_FOUND (1168)

 

The SubjectKey value is blank in the output of the script:

7:alias:<alias>

  SubjectKey:

  Subject: CN=CA, CN=<FQDN>, dc=vsphere,dc=local, C=US

  Issuer: CN=CA, CN=<FQDN>, dc=vsphere,dc=local, C=US

Environment

vCenter Server 7.x

vCenter Server 8.x

Cause

The removeroot.sh script uses the subject key to create an array prior to removal. Because the script relies on the subject key, it fails with ERROR_INVALID_PARAMETER (87) if no subject key is present for the root CA.
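The following shell function is an added example, not part of the original article or of removeroot.sh. It scans a saved copy of the script's listing and reports the entries whose SubjectKey is blank, which are the ones the script cannot remove. The listing layout is assumed from the excerpt above, and the aliases, FQDN and key value in the sample are constructed.

```shell
#!/bin/bash
# Added example: flag TRUSTED_ROOTS entries with a blank SubjectKey.
# Assumption: input follows the listing layout shown in this article
# ("<index>:alias:<alias>" followed by indented SubjectKey/Subject/Issuer).

# Reads a listing on stdin and prints "<index> <alias>" for every entry
# whose SubjectKey line is empty or missing.
blank_subjectkey_aliases() {
  awk '
    function report() {
      if (have_entry && key == "") print idx, alias
    }
    # Entry header, e.g. "7:alias:<alias>": close the previous entry first.
    /^[ \t]*[0-9]+:alias:/ {
      report()
      line = $0
      sub(/^[ \t]*/, "", line)
      idx = line;   sub(/:.*/, "", idx)
      alias = line; sub(/^[0-9]+:alias:/, "", alias)
      key = ""; have_entry = 1
      next
    }
    # Keep only the value after "SubjectKey:", trimmed of whitespace.
    /^[ \t]*SubjectKey:/ {
      key = $0
      sub(/^[ \t]*SubjectKey:[ \t]*/, "", key)
      sub(/[ \t\r]+$/, "", key)
      next
    }
    END { report() }
  '
}

# Constructed sample listing (not real output).
sample_listing() {
  cat <<'EOF'
1:alias:example-root-a
  SubjectKey: 3A:5C:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:01:02
  Subject: CN=CA, CN=vc01.example.test, dc=vsphere,dc=local, C=US
  Issuer: CN=CA, CN=vc01.example.test, dc=vsphere,dc=local, C=US
7:alias:example-root-b
  SubjectKey:
  Subject: CN=CA, CN=vc01.example.test, dc=vsphere,dc=local, C=US
  Issuer: CN=CA, CN=vc01.example.test, dc=vsphere,dc=local, C=US
EOF
}

sample_listing | blank_subjectkey_aliases
```

Entries it reports are candidates for the manual removal procedure rather than removeroot.sh.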

Resolution

To resolve this issue, remove the root CA manually by following the steps in Verify and remove CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS).

Additional Information

Removing CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS) in vCSA using script