vCenter Storage Policy Based Management Error Due to Expired Trusted Root Certificate
Article ID: 436829
Updated On:
Products
Issue/Introduction
Unable to add storage to a Virtual Machine (VM). The operation fails with a general system error involving Storage Policy Based Management (SPBM). Multiple critical vCenter services fail to start.
Symptoms/Keywords:
Error:
A general system error occurred: PBM error occurred during PreReconfigureCallback: No version for VMODL calls to <<last binding: <<TCP '127.0.0.1 : 38224'>, <TCP '127.0.0.1 : 1080'>> >, /pbm/sdk>Services in Stopped state:
vmcam,vmonapi,vmware-certificatemanagement,vmware-hvc,vmware-imagebuilder,vmware-netdumper,vmware-rbd-watchdog,vmware-sps,vmware-topologysvc,vmware-vcha,vmware-vpxd-svcs,vmware-vsan-health,vstats
Environment
vCenter 8.x
SDDC 5.2.x
Cause
The vCenter Machine SSL certificate and SDDC UI certificates were issued by a Trusted Root certificate that has expired (Authority Key Identifier XX:XX...XX:XX).
Resolution
Replace vCenter SSL Certificates:
Remove Expired Trusted Root Certificate:
Utilize the vCert tool as documented in KB 385107.
Navigate through: Option 3 (Manage Certificates) > Option 3 (CA Certificate in VMware Directory) > Option 2 (Remove CA certificates from the VMware Directory).
Update STS Certificate:
Use the vCert tool to replace the STS certificate with the newly generated Trusted Root.
Navigate through: Option 3 (Manage certificates) > Option 8 (STS certificates).
Update SDDC Trust Store:
Import the new Trusted Root certificate into the SDDC trust store using the automation script attached to KB 316056.
Re-issue vCenter Certificates in SDDC Manager:
In the SDDC Manager UI, select the vCenter component.
Select Generate CSR.
Select Generate Certificate for Embedded CA or Import for Custom 3rd party CA.
Select Install Certificates.
Additional Information
Feedback
