Tuesday 31 May 2016

Error while performing Cert Replacement operation for vCenter 6

While replacing the SSL certificates of vCenter 6, the certificate replacement may fail, and VMCA then rolls back to the old SSL certificates.

See the complete process of replacing SSL certificates of vSphere 6 using VMCA.

Replacing SSL Certificates VMware vCenter 6.0 Update 2.

In this post I am documenting common issues that you may encounter while replacing SSL certificates.

1. See this KB for a list of errors that you may encounter.

https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2144086&sliceId=1&docTypeID=DT_KB_1_1&dialogID=103792968&stateId=1%200%20103842854

To avoid issues with vCenter services, make sure you provide a unique organization unit name when creating each certificate configuration file.

You can use the organization unit names below for the SSL certificates.

MACHINE_SSL_CERT.cfg   : Root
machine.cfg            : Machine
vsphere-webclient.cfg  : WebClient
vpxd.cfg               : VPXD
vpxd-extension.cfg     : VPXD-EXT
certool.cfg            : IT-VMCA
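
A pre-flight check for the rule above, as an added example that is not part of the original post or of VMware's tooling: it scans a directory of .cfg files and reports any organization unit name that is missing or used twice. It assumes the certool.cfg-style `Key = Value` layout with an `OrgUnit` key; the function names and the sample files are constructed for illustration.

```bash
#!/bin/bash
# Added example: pre-flight check that each certificate config file uses its own OU.
# Assumption: files are certool.cfg-style "Key = Value" lines with an "OrgUnit" key.

# Print the OrgUnit value of one config file (empty output if the key is absent).
get_ou() {
    sed -n 's/^[[:space:]]*OrgUnit[[:space:]]*=[[:space:]]*//p' "$1" |
        sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 if every *.cfg in DIR has a distinct, non-empty OrgUnit;
# 1 on a duplicate or missing value; 2 if DIR holds no .cfg files.
check_unique_ou() {
    dir=$1; rc=0; seen=""
    for f in "$dir"/*.cfg; do
        [ -e "$f" ] || { echo "no .cfg files in $dir" >&2; return 2; }
        ou=$(get_ou "$f")
        if [ -z "$ou" ]; then
            echo "MISSING OrgUnit: $f" >&2; rc=1; continue
        fi
        # Compare case-insensitively so "vpxd" and "VPXD" count as the same unit.
        key=$(printf '%s' "$ou" | tr '[:upper:]' '[:lower:]')
        case "$seen" in
            *"|$key|"*) echo "DUPLICATE OrgUnit '$ou': $f" >&2; rc=1 ;;
        esac
        seen="$seen|$key|"
    done
    return $rc
}

# Constructed sample input: one file per name in the list above, in a scratch directory.
make_sample() {
    d=$(mktemp -d)
    for pair in MACHINE_SSL_CERT:Root machine:Machine vsphere-webclient:WebClient \
                vpxd:VPXD vpxd-extension:VPXD-EXT certool:IT-VMCA; do
        printf 'Country = US\nOrgUnit = %s\n' "${pair#*:}" > "$d/${pair%%:*}.cfg"
    done
    echo "$d"
}

sample=$(make_sample)
check_unique_ou "$sample" && echo "OK: all OrgUnit values are unique"
# Simulate the mistake: vpxd-extension.cfg reuses the VPXD unit name.
printf 'Country = US\nOrgUnit = VPXD\n' > "$sample/vpxd-extension.cfg"
check_unique_ou "$sample" || echo "Fix the files reported above before running certificate-manager"
rm -rf "$sample"
```

To use it on real files, call `check_unique_ou` with the directory that holds your configuration files before starting the replacement.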

2. Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.

You can see the error message below in /var/log/vmware/vmcad/certificate-manager.log:

2016-05-28T22:12:54.141Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--server=localhost', '--gencert', '--privkey=/storage/certmanager/vpxd.priv', '--cert=/storage/certmanager/vpxd.crt', '--config=/var/tmp/vmware/vpxd.cfg']
2016-05-28T22:12:54.153Z INFO certificate-manager Command output :-
Using config file : /var/tmp/vmware/vpxd.cfg

2016-05-28T22:12:54.153Z ERROR certificate-manager Using config file : /var/tmp/vmware/vpxd.cfg

2016-05-28T22:12:54.153Z ERROR certificate-manager Error while performing Cert Replacement operation, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2016-05-28T22:12:54.153Z ERROR certificate-manager {
    "resolution": null,
    "detail": [
        {
            "args": [
                "Using config file : /var/tmp/vmware/vpxd.cfg\n"
            ],
            "id": "install.ciscommon.command.errinvoke",
            "localized": "An error occurred while invoking external command : 'Using config file : /var/tmp/vmware/vpxd.cfg\n'",
            "translatable": "An error occurred while invoking external command : '%(0)s'"
        },
        "Error in generating cert for store vpxd"
    ],
    "componentKey": null,
    "problemId": null
}

 

You will receive this error if your SSL certificate configuration file is incorrect; VMCA will then roll back the certificates.

Solution

Log in to the vCSA using SSH as the root user.

Go to the /var/tmp/vmware directory, create a temporary directory and move all .cfg configuration files into it; you can remove these files later.

# cd /var/tmp/vmware

# mkdir temp

# mv *.cfg temp

Now run the certificate-manager command once again and start the certificate replacement process.

Follow Replacing SSL Certificates VMware vCenter 6.0 Update 2 to replace the SSL certificates.

Thanks…!

1 comment:

  1. It might be me but the steps are not clear:
    1 Login to vCSA using SSH with root user
    2 Go to /var/tmp/vmware
    3 Create temporary directory and move all .cfg configuration files to temp directory.

    At this point I am lost, there are no .cfg files in /var/tmp/vmware, which files are you talking about?
