"Operation failed, performing automatic rollback" error when Certificate Manager fails at 0% replacing certificates
search cancel

"Operation failed, performing automatic rollback" error when Certificate Manager fails at 0% replacing certificates

book

Article ID: 315406

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

 

  • Replacing the Machine SSL Certificate or Solution User Certificates with Custom CA Certificates fails at 0%.
  • The vSphere 6.0 Certificate Manager displays an error similar to:

Status : 0% Completed [Publishing Root cert...]

Status : 0% Completed [Operation failed, performing automatic rollback]

Error while replacing Machine SSL Cert, please see C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
for more information. 

Performing rollback of Machine SSL Cert... 

  • The certificate-manager.log file indicates that the dir-cli command to publish the trusted cert failed and you see entries similar to:

    [YYYY-MM-DDTHH:MM] INFO certificate-manager</time> Running command : ['C:\\Program Files\\VMware\\vCenter Server\\vmafdd\\dir-cli.exe', 'trustedcert', 'publish', '--cert', 'C:\\certs\\machineSSL\\cachain.cer', '--password', '*****']
    [YYYY-MM-DDTHH:MM] INFO certificate-manager Command output :-
    [YYYY-MM-DDTHH:MM] ERROR certificate-manager
    [YYYY-MM-DDTHH:MM] ERROR certificate-manager Error while replacing Machine SSL Cert, please see C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log for more information.
    [YYYY-MM-DDTHH:MM] ERROR certificate-manager {
    "resolution": null,
    "detail": [
    {
    "args": [
    ""
    ],
    "id": "install.ciscommon.command.errinvoke",
    "localized": "An error occurred while invoking external command : ''",
    "translatable": "An error occurred while invoking external command : '%(0)s'"
    },
    "Error while publishing cert using dir-cli."
    </time></time></time></time>],
    "componentKey": null,
    "problemId": null
    }

    Note:
    • The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
    • The certificate-manager.log file is located in these locations:
      • Windows vCenter Server 6.x: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
      • vCenter Server Appiance 6.x: /var/log/vmware/vmcad/certificate-manager.log



Environment

VMware vCenter Server 6.0.x

VMware vCenter Server 6.5.x

VMware vCenter Server 6.7.x

Cause

All Intermediate(s) and the Root CA certificates must be published into the trusted store in VMware Endpoint Certificate Store for the script to complete.

 
Note: This issue can also be caused by using non-Base64 certificates. For more information on creating certificates, see Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (2112009).

Resolution

This issue is resolved in VMware vCenter Server 6.0.0b, available at Broadcom Support.

Process to manually publish the full chain to the VMware Endpoint Certificate Store:
 
To work around this issue, manually publish the full chain to the VMware Endpoint Certificate Store:
 
For Windows vCenter Server 6.x:
  1. Click Start > Run, type cmd and press Enter.
  2. Add the certificate to the VMware Endpoint Certificate Store with this command:

    "C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe" trustedcert publish --chain --cert path_to_chain.cer

    Note: The path_to_chain.cer is the complete path to the full chain of Intermediate CA(s) and Root CA.
     
  3. Enter the password for [email protected] when prompted.
  4. Run the certificate replacement option again.
  5. When the Certificate Manager asks for the signing certificate provide just the Root CA certificate and not the full chain of CA certificates.

    For example:

    Please provide the signing certificate of the Machine SSL certificate
    File : "C:\certs\machineSSL\root_ca.cer"

For vCenter Server Appliance 6.x:

  1. If the certificates are not currently on the vCenter Server Appliance copy them to a directory on the file system such as /root using a utility such as WinSCP or Filezilla.

    Note: VMware does not endorse or recommend any particular third-party utility, nor is the list above meant to be exhaustive.
     
  2. Connect to the vCenter Server Appliance through the console and press ALT+F1.
  3. Log in using the root user and password.
  4. Type shell.set --enabled true and press Enter.
  5. Type shell and press Enter.
  6. Add the certificate to the VMware Endpoint Certificate Store with this command:

    /usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --chain --cert path_to_chain.cer
     
  7. Enter the password for [email protected] when prompted.
  8. Run the certificate replacement option again.
  9. When the Certificate Manager asks for the signing certificate provide just the Root CA certificate and not the full chain of CA certificates.
For example:
Please provide the signing certificate of the Machine SSL certificate
File : "/root/root_ca.cer"



Additional Information

Powered by Wolken Software