"ERROR certificate-manager 'lstool get' failed: 1" during Certificate Replacement on vCenter Server 6.x
Article ID: 317716
Updated On:
Products
VMware vCenter Server
Issue/Introduction
Symptoms:
In the certificate-manager.log file, you see entries similar to:
In the certificate-manager.log file, you see entries similar to:
2017-04-21T17:11:53.316Z INFO certificate-manager Serial number before replacement: <old serial number>
2017-04-21T17:11:53.317Z INFO certificate-manager Serial number after replacement: <new serial number>
2017-04-21T17:11:53.317Z INFO certificate-manager Thumbprint before replacement: <old certificate thumbprint>
2017-04-21T17:11:53.317Z INFO certificate-manager Thumbprint after replacement: <new certificate thumbprint>
2017-04-21T17:11:53.325Z INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.
2017-04-21T17:13:43.632Z ERROR certificate-manager Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2017-04-21T17:13:43.632Z ERROR certificate-manager 'lstool get' failed: 1
2017-04-21T17:13:43.632Z INFO certificate-manager Performing rollback of Root Cert...
2017-04-21T17:13:43.632Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--rootca', '--cert', '/var/lib/vmware/vmca/root.cer.0', '--privkey', '/var/lib/vmware/vmca/privatekey.pem.0', '--server', 'localhost']
2017-04-21T17:13:43.832Z INFO certificate-manager Command output :-
Status : Success
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Cause
This issue occurs when there are third party extensions like nimble storage, veeambackupUI etc. with no valid certificates registered to vCenter Server.
Resolution
This issue is resolved in:
Workaround:
To work around this issue, remove the third party extension and retry replacing the certificates.
Note: Take a backup of the vCenter database before making any changes.
- vCenter Server 6.5 Update 2
- vCenter Server 6.7 Update 3b
Workaround:
To work around this issue, remove the third party extension and retry replacing the certificates.
Note: Take a backup of the vCenter database before making any changes.
- The service ID of the third party extension causing the error will be seen above the error message(as shown in the screenshot below). You can remove it from the vCenter MOB. For more information, see Cannot remove or disable unwanted plug-ins from vCenter Server and vCenter Server Appliance.
- Re-try the Certificate Replacement Operation. For more information see How to use vSphere 6.x Certificate Manager.
Additional Information
- VMware Skyline Health Diagnostics for vSphere - FAQ
- vCenter Server certificate validation error for external solutions in environments with Embedded Platform Services Controller
- vCenter Server or Platform Services Controller certificate validation error messages for external solutions in environments with a External Platform Services Controller
Feedback
Yes
No
Powered by
