Sync Domain inventory fails - common.common_exceptions.VcenterApiException: Could not retrieve the VMCA root certificate for vCenter


Article ID: 429725


Products

VCF Operations

Issue/Introduction

  • Sync Inventory from VCF Operations fails when run from:

VCF Operations > Inventory > VCF Instances > VCF domain > Actions > Sync Inventory.

  • The following errors are logged in /var/log/vmware/vcf/domainmanager/brownfield/brownfield_id/vcf_brownfield.log:

 [YYYY-MM-DD HH:MM:SS] [INFO] vcenter_rest_api_helper:103: Retrieving VMCA root certificate of vCenter: vc_fqdn
 [YYYY-MM-DD HH:MM:SS] [ERROR] request_helper:31: Result status code from vCenter VMCA root certificate retrieval: 503
 [YYYY-MM-DD HH:MM:SS] [CRITICAL] vcf_brownfield:1002: Failed to sync domain domain_name
 Traceback (most recent call last):
  File "/opt/vmware/vcf/domainmanager/scripts/vcf-import-tool/vcf_brownfield.py", line 979, in sync_domain
    sync_domain_result: list[str] = sync.sync_domain()
                                    ^^^^^^^^^^^^^^^^^^
  File "/opt/vmware/vcf/domainmanager/scripts/vcf-import-tool/domain_sync/sync_domain.py", line 60, in sync_domain
    discovery_model, discovery_errors = self.__run_discovery(sso_remote_endpoint, domain_type, self.interactive,
                                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/vmware/vcf/domainmanager/scripts/vcf-import-tool/domain_sync/sync_domain.py", line 149, in __run_discovery
    discovery_output: DiscoveryModel = discovery.discover_domain(domain_type=domain_type, activating_status=False,
                                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/vmware/vcf/domainmanager/scripts/vcf-import-tool/domain_discovery/discover_domain.py", line 1415, in discover_domain
    vmca_pem, alias_to_certificate = self.discover_certificates(domain_type)
                                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/vmware/vcf/domainmanager/scripts/vcf-import-tool/domain_discovery/discover_domain.py", line 1237, in discover_certificates
    vmca_pem: str = self.vcenter_rest_helper.get_vmca_root_certificate()
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/vmware/vcf/domainmanager/scripts/vcf-import-tool/api/vcenter/vcenter_rest_api_helper.py", line 110, in get_vmca_root_certificate
    raise VcenterApiException(ErrorMessages.CANNOT_FIND_VMCA_ROOT_CERT_FORMAT.format(self.vcenter_address))
common.common_exceptions.VcenterApiException: Could not retrieve the VMCA root certificate for vCenter: vc_fqdn

  • If you try to view the STS certificates by navigating to the vCenter server UI > Administration > Certificate Management > STS Signing, you receive "Error occurred while fetching sts certificate: Service Unavailable".

Environment

VCF 9.x

Cause

The vmware-trustmanagement service is in a stopped state on the vCenter server.

Resolution

1. SSH to the vCenter server as the root user.

2. Validate the status of the vmware-trustmanagement service to confirm it is in a stopped state.

service-control --status --all 

3. Start the service:

service-control --start vmware-trustmanagement

4. Restart the Sync Inventory task from the UI.
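
To confirm that a failed sync matches this article before changing anything on vCenter, the log signature from the Issue section can be checked mechanically. The script below is an added example, not part of the original article or of VCF tooling; the function names, the host vc01.example.test and the sample log lines are constructed, and it assumes the three message formats shown in the log excerpt above.

```shell
#!/bin/sh
# Added example (not VCF tooling): find the failure signature from this
# article in a vcf_brownfield.log. Function names are hypothetical.

# Prints "<vcenter> <http_status>" once per distinct failed VMCA root
# certificate retrieval. Returns 0 only if a failure with status 503 is
# present, the case this article attributes to a stopped
# vmware-trustmanagement service.
vmca_retrieval_failures() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF log copies
        /Retrieving VMCA root certificate of vCenter: / { vc = $NF; next }
        /Result status code from vCenter VMCA root certificate retrieval: / {
            code = $NF; next
        }
        # The exception line confirms the sync aborted at this step.
        /VcenterApiException: Could not retrieve the VMCA root certificate/ {
            if (vc == "")   vc = "unknown"
            if (code == "") code = "unknown"
            if (seen[vc " " code]++ == 0) print vc, code
            if (code == "503") hit = 1
            vc = ""; code = ""
        }
        END { exit (hit ? 0 : 1) }
    ' "$1"
}

# Constructed sample input that mirrors the log excerpt in this article.
write_sample_log() {
    cat <<'EOF'
[2025-01-01 00:00:00] [INFO] vcenter_rest_api_helper:103: Retrieving VMCA root certificate of vCenter: vc01.example.test
[2025-01-01 00:00:01] [ERROR] request_helper:31: Result status code from vCenter VMCA root certificate retrieval: 503
[2025-01-01 00:00:01] [CRITICAL] vcf_brownfield:1002: Failed to sync domain wld01
    raise VcenterApiException(ErrorMessages.CANNOT_FIND_VMCA_ROOT_CERT_FORMAT.format(self.vcenter_address))
common.common_exceptions.VcenterApiException: Could not retrieve the VMCA root certificate for vCenter: vc01.example.test
EOF
}

# Demo on the constructed sample; pass a real log path to the function instead.
sample=$(mktemp) && write_sample_log > "$sample"
if vmca_retrieval_failures "$sample"; then
    echo "503 signature found: check vmware-trustmanagement on the vCenter listed above"
fi
rm -f "$sample"
```

A status other than 503 in the output means the retrieval failed for a different reason than the one covered here.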