VMware Update Manager service fails to start

Article ID: 429325

Products

VMware vCenter Server

Issue/Introduction

The VMware Update Manager (vmware-updatemgr) service fails to start on vCenter Server. When attempting to start the service manually via service-control, the operation fails with a generic "failstart" error.

Error : An error occurred while starting service 'vmware-updatemgr'


 

Environment

vCenter Server 8.x

Cause

The Update Manager service fails to start and reports an invalid certificate, followed by a backtrace, in /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log:

YYYY-MM-DDT HH:MM:SS.486Z info vmware-vum-server[3483998] [Originator@6876 sub=SessionAuthData] [vciSessionAuthData 119] Trying to relogin for session [REDACTED_ID]; user: <USER>@<DOMAIN>
YYYY-MM-DDT HH:MM:SS.493Z error vmware-vum-server[3483998] [Originator@6876 sub=CertManager] [CertManager 230] Retrieved invalid certificate -----BEGIN CERTIFICATE-----
YYYY-MM-DDT HH:MM:SS.517Z error vmware-vum-server[3483998] [Originator@6876 sub=CertManager] [CertManager 230] [backtrace begin] product: VMware Update Manager, version: 8.0.2, build: build-22385739, tag: vmware-vum-server, cpu: x86_64, os: linux, buildType: release

At the same time, vmon.log (/var/log/vmware/vmon.log) shows the following:

  • The updatemgr service fails during its pre-start routine because it cannot verify the Security Token Service (STS) endpoint URL.

  • This occurs when the endpoint certificates associated with the service are expired or were not correctly updated during a previous Machine SSL certificate replacement.

    YYYY-MM-DDT HH:MM:SS.574Z In(05) <Object Name> Received restart request for updatemgr
    YYYY-MM-DDT HH:MM:SS.319Z In(05) <Object Name> <updatemgr-prestart> Constructed command: /usr/bin/python /usr/lib/vmware-updatemgr-root/sbin/updatemgr-vmon-prestart.py
    YYYY-MM-DDT HH:MM:SS.791Z Wa(03) <Object Name> <updatemgr> Service pre-start command's stderr: Can't get STS endpoit URL: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:997)
    YYYY-MM-DDT HH:MM:SS.818Z Wa(03) <Object Name> <updatemgr> Service pre-start command's stderr: urlopen() failed to read certsJson from https://<vCenter FQDN>/idm/tenant/vsphere.local/certificates?scope=TENANT&granularity=LEAF

Resolution

To resolve this issue, the Machine SSL certificate must be renewed or re-replaced to ensure all service endpoints, including the Update Manager STS endpoint, are correctly updated and synchronized.

Note: Before proceeding, ensure you have a fresh, powered-off (or consistent) snapshot of the vCenter Server Appliance (VCSA).

Method-1:

  1. Log in to the vCenter Server Appliance via SSH as root.

  2. Run the VMware Certificate Manager utility: /usr/lib/vmware-vmca/bin/certificate-manager

  3. Select Replacement Option:

    • If using VMCA-signed certificates, select Option 3 (Replace Machine SSL certificate with VMCA Certificate).

    • If using Custom Certificates, select Option 1 (Replace Machine SSL certificate with Custom Certificate) and provide the necessary certificate and key files when prompted.

  4. Provide the requested configuration details (IP, FQDN, Organization, etc.).

  5. Once the process completes, the Certificate Manager will attempt to restart all services. Verify that vmware-updatemgr is now running: service-control --status vmware-updatemgr

Method-2:

If the manual replacement via Certificate Manager fails to resolve the endpoint mismatch, use the vCert tool to identify and replace expired certificates as an alternative.