Expired vCenter certificates, how to get back in the game.

You can tell it’s my first year with a homelab. I never thought about expiring certificates, nor did I see any messages in the vCenter console about certificates expiring.

My issue started with this: “HTTP Status 500 – Internal Server Error”.

Now, how can you check the status of your certificates? You can run this command:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;


When I executed it, it was the 8th of February 2023, so you can see that my machine SSL certificate had expired.
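
The loop above only shows the dates when you go looking. As an added example (not from the original post), this shell function reads vecs-cli --text output and flags entries that are expired or will expire within a given number of days. The sample input is constructed, the "Alias :" / "Not After :" line layout is assumed from the grep above, and GNU date is required.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `vecs-cli entry list --text`
# output on stdin and prints "<STATE> <alias> <days-left>" per certificate.
# Assumes the "Alias :" / "Not After :" layout and GNU date (-d).
# usage: ... | cert_expiry_report <warn_days> [now_epoch]
cert_expiry_report() (
    warn_days=$1
    now=${2:-$(date +%s)}
    cert_alias="(unknown)"
    while IFS= read -r line; do
        case $line in
            *Alias*:*)
                # keep the text after the first colon, minus whitespace
                cert_alias=$(printf '%s' "${line#*:}" | tr -d '[:space:]')
                ;;
            *"Not After"*:*)
                not_after=${line#*"Not After"*:}
                end=$(date -u -d "$not_after" +%s 2>/dev/null) || {
                    printf 'UNPARSEABLE %s\n' "$cert_alias"; continue; }
                days=$(( (end - now) / 86400 ))
                if [ "$end" -le "$now" ]; then state=EXPIRED
                elif [ "$days" -lt "$warn_days" ]; then state=EXPIRING
                else state=OK
                fi
                printf '%s %s %s\n' "$state" "$cert_alias" "$days"
                ;;
        esac
    done
)

# Constructed sample input (not real appliance output).
sample_vecs_output() {
    cat <<'EOF'
Alias : __MACHINE_CERT
            Not After : Feb  5 00:00:00 2023 GMT
Alias : vpxd-extension
            Not After : Mar  1 00:00:00 2023 GMT
Alias : machine
            Not After : Feb  8 00:00:00 2025 GMT
EOF
}

# Evaluate the sample as of 2023-02-08 00:00:00 UTC with a 30-day warning window.
sample_vecs_output | cert_expiry_report 30 1675814400
```

On the appliance, pipe the output of vecs-cli entry list --store <store> --text into cert_expiry_report instead of the sample, for example from a scheduled job that alerts on any EXPIRED or EXPIRING line.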

You can replace your expired certificate by executing:
/usr/lib/vmware-vmca/bin/certificate-manager

Because I only needed to replace my Machine SSL certificate, I chose option 3.
In my case it’s a self-signed certificate, so I just accepted the default values.
Only for “Hostname” & “VMCA Name” did I fill in the value of my vCenter.

Then when everything is filled in just press Y to continue the process.

Unfortunately it ended with an error while starting the services again.

I checked the certificate-manager log but didn’t find much more information there:
less /var/log/vmware/vmcad/certificate-manager.log

The service-control log didn’t give me much more info either:
less /storage/log/vmware/cloudvm/service-control.log

I tried to restart the services, but that didn’t work either:
service-control --start --all

Then I decided to do a reset of all certificates by starting the certificate manager again, but this time I chose option 8.

After a reboot it was still not OK; getting the status of all services showed me that vsphere-ui wasn’t started.
service-control --status --all

There is a tool from VMware called lsdoctor you can use to fix trust issues with certificates => kb80469
Upload it to your vCenter and unzip it, then run:
python lsdoctor.py -l

As you can see in the screenshot, it found some SSL trust mismatches and told me to execute:
python lsdoctor.py -t

Once the command was executed, I was able to start my services again.
And I had access to my vCenter again 🙂

