Error: "503 - OK" when trying to access vCenter Appliance Management Interface (VAMI)

Article ID: 432695


Products

VMware vCenter Server

Issue/Introduction

While attempting to access the vCenter Server Appliance Management Interface (VAMI), a "503 - OK" error is displayed on the UI.

Validating service health indicates that multiple critical services are in a stopped state:

root@vCenter [ ~ ]# service-control --status --all
Running:
 lookupsvc lwsmd observability pschealth vc-ws1a-broker vlcm vmafdd vmcad vmdird vmware-analytics vmware-cis-license vmware-content-library vmware-eam vmware-envoy vmware-envoy-hgw vmware-envoy-sidecar vmware-infraprofile vmware-pod vmware-postgres-archiver vmware-rhttpproxy vmware-sca vmware-stsd vmware-trustmanagement vmware-updatemgr vmware-vapi-endpoint vmware-vdtc vmware-vmon vmware-vpostgres vmware-vpxd vmware-vsm vsphere-ui vtsdb wcp
Stopped:
 applmgmt observability-vapi vmcam vmonapi vmware-certificateauthority vmware-certificatemanagement vmware-hvc vmware-imagebuilder vmware-netdumper vmware-perfcharts vmware-rbd-watchdog vmware-sps vmware-topologysvc vmware-vcha vmware-vpxd-svcs vmware-vsan-health vstats

Cause

The Machine SSL certificate on the vCenter Server has expired. An expired Machine SSL certificate prevents reverse proxy routing, which causes dependent vCenter services to fail to start and blocks access to the VAMI and vSphere UI.

Resolution

To resolve this issue, the expired certificates must be replaced using the vCert utility.

  1. Connect to the vCenter Server Appliance via SSH as the root user.

  2. Verify the stopped services by running the command: service-control --status --all

  3. Identify the expired certificates using the vecs-cli command:

     for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store : $store"; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"; done

  4. Ensure an offline snapshot of the vCenter Server (and all linked nodes, if in Enhanced Linked Mode) is taken before proceeding. See: Snapshot Best practices for vCenter Server Virtual Machines

  5. Download the vCert tool and upload it to the appliance. See: vCert - Scripted vCenter expired certificate replacement

  6. From the vCert menu, select the option to Reset all certificates with VMCA-signed certificates (Option 6).

  7. Verify that the services have started successfully and that the VAMI is accessible.
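
The loop in step 3 prints every "Not After" date and leaves the comparison to the reader. The following is an added example, not part of this article or of any VMware tooling, that labels each entry EXPIRED or VALID. The function names, the sample input and the assumed OpenSSL-style date format are assumptions of this example.

```bash
# Added example, not part of the KB article: label each certificate from the
# step 3 loop output as EXPIRED or VALID against a UTC reference time.
# Assumption: dates use OpenSSL text form, e.g. "Nov 12 10:30:00 2025 GMT".

# not_after_key "Nov 12 10:30:00 2025 GMT" -> 20251112103000 (sortable key)
not_after_key() {
    set -- $1                    # split fields; the day may be space-padded
    [ $# -ge 4 ] || return 1
    case $1 in
        Jan) m=01 ;; Feb) m=02 ;; Mar) m=03 ;; Apr) m=04 ;;
        May) m=05 ;; Jun) m=06 ;; Jul) m=07 ;; Aug) m=08 ;;
        Sep) m=09 ;; Oct) m=10 ;; Nov) m=11 ;; Dec) m=12 ;;
        *) return 1 ;;
    esac
    printf '%04d%s%02d%s\n' "$4" "$m" "${2#0}" "$(printf '%s' "$3" | tr -d ':')"
}

# cert_expiry_report NOW_KEY  (NOW_KEY from: date -u +%Y%m%d%H%M%S)
# Reads the step 3 output on stdin; runs in a subshell so no variables leak.
cert_expiry_report() (
    now=$1; store=""; entry=""
    while IFS= read -r line; do
        case $line in
            "[*] Store : "*) store=${line#"[*] Store : "} ;;
            *"Not After"*:*)
                when=${line#*"Not After"}; when=${when#*:}
                if ! key=$(not_after_key "$when"); then state=UNPARSED
                elif [ "$key" -le "$now" ]; then state=EXPIRED
                else state=VALID
                fi
                printf '%s %s %s\n' "$state" "$store" "$entry" ;;
            *Alias*:*)
                entry=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//') ;;
        esac
    done
)

# Constructed sample of step 3 output (not captured from a real appliance).
sample_output() {
    cat <<'EOF'
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Nov 12 10:30:00 2023 GMT
[*] Store : TRUSTED_ROOTS
Alias : example-root-alias
            Not After : Mar  4 09:15:27 2033 GMT
EOF
}

sample_output | cert_expiry_report 20250101000000
```

On the appliance, pipe the step 3 loop into `cert_expiry_report "$(date -u +%Y%m%d%H%M%S)"` in place of `sample_output`.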