”Failed to update ther certificate for VSAN HEALTH” warning displayed after renew Machine SSL Certificate from vSphere Client
search cancel

”Failed to update ther certificate for VSAN HEALTH” warning displayed after renew Machine SSL Certificate from vSphere Client

book

Article ID: 436968

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

  • After updating the Machine SSL certificate via the vSphere Client  in vCenter Server 8.x, a warning or alarm is triggered:

  • In /var/log/vmware/vpxd-svcs/vpxd-svcs.log, the following error is observed:
 java.net.ConnectException: Connection refused (Connection refused) Failed to notify VSAN_HEALTH at http://localhost:8006/vsanHealth/refresh-certificates

 

  • The vmware-vsan-health service is in a Stopped state on the vCenter Server Appliance (vCSA).

Environment

VMware vCenter Server 8.x

Cause

During the Machine SSL certificate replacement process, the vCenter Certificate Management service attempts to notify all registered extensions to refresh their certificates.

The vSAN Health extension listens for this notification on port 8006.

If the vmware-vsan-health service is intentionally or accidentally stopped, it cannot acknowledge the notification. This results in a "Connection refused" error and the subsequent vCenter alarm

Resolution

If the vSAN Health service is intentionally stopped in your environment (e.g., vSAN is not in use), this warning is expected behavior and can be safely managed as followe:

Acknowledge and Clear Alarms: You may manually acknowledge and clear the certificate replacement alarms in the vSphere Client.


To avoid these warnings during future certificate updates:

  • Temporarily start the vmware-vsan-health service before initiating the Machine SSL certificate replacement.
  • The service can be safely stopped again once the update is complete and the alarms have cleared.
Powered by Wolken Software