MACHINE_SSL_CERT certificate in VECS is about to expire

Article ID: 431128

Products

VMware vCenter Server

Issue/Introduction

  • vCenter shows an alarm with the following message:
"MACHINE_SSL_CERT certificate in VECS is about to expire KB 385107"
  • The __MACHINE_CERT certificate in the MACHINE_SSL_CERT store itself does not expire soon.
  • The TRUSTED_ROOTS store already contains the CA that signed __MACHINE_CERT, and that CA certificate does not expire soon either.


Environment

vCenter 8.x

Cause

  • The VECS MACHINE_SSL_CERT store holds the leaf certificate and its issuing chain as a single PEM entry:
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxx <------------ Machine SSL certificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxx <------------ CA certificate
-----END CERTIFICATE-----
  • The CA certificate appended to that entry is the one about to expire, so the alarm fires even though the Machine SSL leaf certificate is still valid.

This happens mostly when the CA certificate has been reissued with a later expiration date and reimported into the TRUSTED_ROOTS store. Reimporting into TRUSTED_ROOTS does not update the chain appended to the Machine SSL certificate entry, so the old, expiring copy of the CA certificate stays in MACHINE_SSL_CERT.

Resolution

  • Take a snapshot of the vCenter Server VM before changing anything in VECS.
  • Export the Machine SSL certificate and its private key:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/machineSSL.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/machineSSL.key
  • In the exported /tmp/machineSSL.crt, delete the CA chain that follows the first certificate block, keeping only the first block (the Machine SSL certificate itself):
vi /tmp/machineSSL.crt

-----BEGIN CERTIFICATE-----
xxxxxxxxxxxxxxxxxxxxxxxx <------------ Machine SSL certificate (keep)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- <------------ CA certificate: delete from this BEGIN line ...
xxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE----- <------------ ... through this END line
  • Delete the __MACHINE_CERT entry from the MACHINE_SSL_CERT store:
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT -y
  • Re-import the trimmed Machine SSL certificate together with the exported key:
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert /tmp/machineSSL.crt --key /tmp/machineSSL.key
  • Restart the vCenter services:
service-control --stop --all && service-control --start --all
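The procedure above, scripted as an added example (this is not VMware's own tooling or code from this article). It performs the same vecs-cli and service-control steps with the same /tmp paths, replaces the manual vi edit with a function that keeps only the first PEM block, and adds two checks a practitioner wants before touching the store: a per-block expiry listing that confirms which certificate in the exported bundle is the expiring one, and a private-key/leaf match before the re-import. The helper names, the /tmp/machineSSL-leaf.crt path and the "run" argument are assumptions of this example.

```sh
#!/bin/sh
# Added example, not VMware's own tooling. The vecs-cli and service-control
# invocations and /tmp/machineSSL.crt|.key are the ones from this article;
# the helper names, /tmp/machineSSL-leaf.crt and the "run" argument are ours.

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# count_pem_certs FILE: number of "-----BEGIN CERTIFICATE-----" blocks in FILE
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_block FILE N: print only the Nth (1-based) certificate block of FILE
pem_block() {
    awk -v want="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == want { print }
        /-----END CERTIFICATE-----/ && n == want { exit }
    ' "$1"
}

# leaf_only SRC DST: write the first block of SRC (the Machine SSL leaf) to DST.
# This is what the manual "vi" step in the article achieves.
leaf_only() {
    pem_block "$1" 1 > "$2"
}

# cert_enddate FILE: notAfter of the single certificate in FILE (needs openssl)
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# key_matches_cert KEY CERT: succeeds if the private key belongs to the certificate
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

main() {
    set -e
    crt=/tmp/machineSSL.crt
    key=/tmp/machineSSL.key
    leaf=/tmp/machineSSL-leaf.crt

    "$VECS_CLI" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output "$crt"
    "$VECS_CLI" entry getkey  --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output "$key"
    chmod 600 "$key"

    # Check 1: show which block in the exported bundle is the one nearing expiry.
    n=$(count_pem_certs "$crt")
    echo "exported bundle holds $n certificate block(s):"
    i=1
    while [ "$i" -le "$n" ]; do
        pem_block "$crt" "$i" > "$leaf.block$i"
        echo "  block $i (1 = Machine SSL leaf) notAfter: $(cert_enddate "$leaf.block$i")"
        rm -f "$leaf.block$i"
        i=$((i + 1))
    done

    # Trim to the leaf, then Check 2: the exported key must match that leaf, or the
    # re-import would leave vCenter with a certificate/key pair that cannot serve TLS.
    leaf_only "$crt" "$leaf"
    if ! key_matches_cert "$key" "$leaf"; then
        echo "private key does not match the Machine SSL certificate; aborting" >&2
        exit 1
    fi

    "$VECS_CLI" entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT -y
    "$VECS_CLI" entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert "$leaf" --key "$key"
    service-control --stop --all && service-control --start --all

    # The exported private key has no business staying in /tmp.
    rm -f "$key" "$crt" "$leaf"
}

# Run the full procedure only when invoked as "sh fix-machine-ssl-chain.sh run",
# so the helpers can be sourced and exercised without touching VECS.
case "${1:-}" in
    run) main ;;
esac
```

Run it on the vCenter Server appliance after taking the snapshot. Because the chain is no longer stored with the leaf, vCenter builds it from TRUSTED_ROOTS, so the issuing CA must be present there (the Issue/Introduction section states it already is); the script does not re-check that. It also deletes the exported private key from /tmp when done, which the manual steps leave behind.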

Additional Information

Snapshot Best practices for vCenter Server Virtual Machines