vCenter Server dir-cli unpublish fails with Administrative limit exceeded and ERROR_BAD_FORMAT (11)
Article ID: 437070

Products

VMware vCenter Server

Issue/Introduction

vCenter Server Appliance (VCSA) reports a discrepancy between the VMware Directory Service (vmdir) and the VMware Endpoint Certificate Store (VECS). Attempting to remove stale certificates using standard dir-cli commands results in the following errors and symptoms:

  • Administrative limit exceeded

  • ERROR_BAD_FORMAT (11)

  • dir-cli trustedcert list displays more certificates than vecs-cli entry list --store TRUSTED_ROOTS.

  • Stale certificates reside in the cn=Certificate-Authorities,cn=Configuration container.

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Cause

Stale root certificate entries exist within the VMware Directory Service (LDAP) database but are absent from the local VECS store. Standard dir-cli unpublish commands fail because the objects are located in the cn=Certificate-Authorities,cn=Configuration container rather than the expected TrustedRootStore path.

Resolution

  1. Verify Discrepancy: Compare the LDAP database against the local VECS store:

    • LDAP: /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list

    • VECS: /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS

  2. Identify Exact Distinguished Name (DN): Perform a targeted search using the Certificate ID (CN) identified in Step 1:

    /opt/likewise/bin/ldapsearch -h localhost -p 389 -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W -b "dc=vsphere,dc=local" "cn=<CERT_ID>"

    Confirm the entry path is: cn=<CERT_ID>,cn=Certificate-Authorities,cn=Configuration,dc=vsphere,dc=local

  3. Execute Direct LDAP Deletion: Use ldapdelete to bypass standard wrappers and remove the stale object:

    /opt/likewise/bin/ldapdelete -h localhost -p 389 -D "cn=Administrator,cn=Users,dc=vsphere,dc=local" -W "cn=<CERT_ID>,cn=Certificate-Authorities,cn=Configuration,dc=vsphere,dc=local"

  4. Validation and Service Refresh:

    • Verify the entry is removed: /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list

    • Check STS service health: service-control --status vmware-stsd

    • Restart the Security Token Service to clear cached data: service-control --restart vmware-stsd
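The four steps above, as one added shell example that is not part of this VMware KB: given the output of dir-cli trustedcert list and vecs-cli entry list --store TRUSTED_ROOTS, it computes which certificate ids exist only in vmdir (Step 1), builds the expected DN under cn=Certificate-Authorities,cn=Configuration (Step 2), and prints the ldapsearch and ldapdelete commands from Steps 2 and 3 for an operator to review and run by hand, after taking the backup described under Additional Information. The script deletes nothing itself. The two list outputs embedded in it are constructed samples, the "CN(id):" and "Alias :" line layouts are assumptions about what the two tools print, and the SSO domain dc=vsphere,dc=local is the KB's default.

```shell
#!/bin/sh
# Added example, not part of the VMware KB. Reconciles the vmdir certificate
# list (dir-cli) with the VECS TRUSTED_ROOTS store (vecs-cli) and prints the
# KB's ldapsearch / ldapdelete commands for each id present only in vmdir.
# Nothing is deleted by this script; an operator reviews and runs the output.
#
# Both outputs below are CONSTRUCTED samples. On a VCSA they come from:
#   /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS
# The "CN(id):" and "Alias :" line layouts are assumptions about that output.
DIRCLI_SAMPLE='Number of certificates: 2
CN(id): AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555
Subject DN: CN=CA, DC=vsphere, DC=local
CN(id): 1234ABCD1234ABCD1234ABCD1234ABCD1234ABCD
Subject DN: CN=CA, DC=vsphere, DC=local'

VECS_SAMPLE='Number of entries in store : 1
Alias : aaaa1111bbbb2222cccc3333dddd4444eeee5555
Entry type : Trusted Cert'

SSO_BASE='dc=vsphere,dc=local'                 # KB default SSO domain (assumed)
BIND_DN="cn=Administrator,cn=Users,$SSO_BASE"

# Certificate ids from dir-cli output, upper-cased so the two tools compare.
dircli_ids() {
    printf '%s\n' "$1" | awk '$1 == "CN(id):" { print toupper($2) }'
}

# Aliases from vecs-cli output, upper-cased for the same reason.
vecs_ids() {
    printf '%s\n' "$1" | awk '$1 == "Alias" && $2 == ":" { print toupper($3) }'
}

# Ids present in vmdir but absent from VECS: the stale candidates of Step 1.
stale_ids() {
    vecs_list=$(vecs_ids "$2")
    dircli_ids "$1" | while read -r id; do
        printf '%s\n' "$vecs_list" | grep -Fxq "$id" || printf '%s\n' "$id"
    done
}

# The DN the KB says the stale objects live under (Step 2's expected path).
cert_dn() {
    printf 'cn=%s,cn=Certificate-Authorities,cn=Configuration,%s\n' "$1" "$SSO_BASE"
}

# Step 2 (search) and Step 3 (delete) commands for one id, printed, not run.
# -W makes ldapsearch/ldapdelete prompt for the Administrator password.
stale_cert_commands() {
    printf '/opt/likewise/bin/ldapsearch -h localhost -p 389 -D "%s" -W -b "%s" "cn=%s"\n' \
        "$BIND_DN" "$SSO_BASE" "$1"
    printf '/opt/likewise/bin/ldapdelete -h localhost -p 389 -D "%s" -W "%s"\n' \
        "$BIND_DN" "$(cert_dn "$1")"
}

# Step 4 is done by hand afterwards: dir-cli trustedcert list, then
# service-control --restart vmware-stsd.
report() {
    stale_ids "$1" "$2" | while read -r id; do
        echo "# present in vmdir, absent from VECS: $id"
        stale_cert_commands "$id"
    done
}

report "$DIRCLI_SAMPLE" "$VECS_SAMPLE"
```

On a real node, replace the two sample variables with the captured tool output (for example `DIRCLI_SAMPLE=$(/usr/lib/vmware-vmafd/bin/dir-cli trustedcert list)`), confirm each printed ldapsearch result shows the DN under cn=Certificate-Authorities,cn=Configuration before running the matching ldapdelete, and repeat Step 1 afterwards so the dir-cli and vecs-cli lists agree.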

Additional Information

  • The Administrative limit exceeded error in vmdir is often returned in place of Search Match Not Found when standard tools cannot resolve the object path.

  • Always perform a file-based backup or offline snapshot of all vCenter Server nodes in the SSO domain before direct LDAP modifications.