VMware Cloud Community
shadragon
Contributor

VCSA 6.7 - Cannot Replace Certificate

I successfully created a Let's Encrypt cert for my homelab vcenter server (6.7.0.43000). I installed VCSA less than a week ago and all else is working correctly. I uploaded the new cert to the VCSA appliance and ran the built-in scripts in certificate manager to install it. However, I hit this error during that process and it rolled back to the original:

Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
Performing rollback of Machine SSL cert

The hostname of the server (vcenter.mydomain.mycountry) is exactly the same as the cert and the SAN is also identical. I checked the original cert and it also has the same format domain name as the SAN. Everything is correct, old and new, but this keeps failing. Rebooted the server a few times, same error.

Also, tried a wildcard cert but got the exact same error. I read VMware does not like wildcards, fair enough, but I'm not seeing how this is failing.

Posted first on the Let's Encrypt forums and they say the cert and SAN are correct. So where is the obstacle?

Thanks.

msripada
Virtuoso

Can you verify if there is a case sensitivity issue in the SAN field?

VMware Knowledge Base

Also, can you attach the certificate manager log from /var/log/vmware/vmca/certificate-manager.log.

thanks,

MS

shadragon
Contributor
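Added here as an example (not VMware's code and not the poster's): a Python pre-flight check, using the `cryptography` package, that compares the DNS SANs of the current Machine SSL certificate with the replacement before certificate-manager is run, reporting a case-only difference separately because that is the first thing the reply asks about. The page does not document how VMware performs the comparison, so the plain string comparison is an assumption; the self-signed certificates the block builds are constructed test data, not anything from the thread.

```python
"""Pre-flight SAN comparison for a VCSA Machine SSL certificate swap.

Added example, not VMware code. Assumption: certificate-manager compares the old
and new SAN lists as plain strings, which is what the rollback message quoted in
the thread suggests. Requires the 'cryptography' package.
"""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def san_dns_names(cert_pem: bytes) -> list:
    """Return the DNS entries of the certificate's subjectAltName (empty if absent)."""
    cert = x509.load_pem_x509_certificate(cert_pem)
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    except x509.ExtensionNotFound:
        return []
    return san.value.get_values_for_type(x509.DNSName)


def compare_san(old_pem: bytes, new_pem: bytes) -> str:
    """'match', 'case-mismatch' (same names, different case) or 'mismatch'
    (e.g. a wildcard SAN replacing a host-specific one, as the poster tried)."""
    old, new = set(san_dns_names(old_pem)), set(san_dns_names(new_pem))
    if old == new:
        return "match"
    if {n.lower() for n in old} == {n.lower() for n in new}:
        return "case-mismatch"
    return "mismatch"


def make_test_cert(san_names, cn="vcenter.example.test") -> bytes:
    """Build a short-lived self-signed PEM certificate (constructed test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder().subject_name(name).issuer_name(name)
        .public_key(key.public_key()).serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(n) for n in san_names]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)
```

On the appliance, the current certificate can be exported with `/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT` and passed to `compare_san` together with the new PEM; a wildcard SAN such as `*.mydomain.mycountry` will come back as `mismatch` against a host-specific SAN, which matches the behaviour the poster saw.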

Good Day,

All domain FQDNs on the host, vcenter and cert were entered lower case. I tried it again last night and during the install, the web client came up as valid with the new certificate, then was lost during the rollback. So whatever the issue, the cert isn't it.

Here are the services I'm running.

Stopped:

vmcam vmware-imagebuilder vmware-mbcs vmware-netdumper vmware-postgres-archiver vmware-rbd-watchdog vmware-vcha vsan-dps

Running:

applmgmt lwsmd pschealth vmafdd vmcad vmdird vmdnsd vmonapi vmware-analytics vmware-certificatemanagement vmware-cis-license vmware-cm vmware-content-library vmware-eam vmware-perfcharts vmware-pod vmware-rhttpproxy vmware-sca vmware-sps vmware-statsmonitor vmware-sts-idmd vmware-stsd vmware-topologysvc vmware-updatemgr vmware-vapi-endpoint vmware-vmon vmware-vpostgres vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vmware-vsm vsphere-client vsphere-ui

Here's the certificate-manager.log section. The underlined section is where I think the error is. It's the only error in the log.

2020-05-07T23:18:02.473Z INFO certificate-manager Running command : ['s', 'e', 'r', 'v', 'i', 'c', 'e', '-', 'c', 'o', 'n', 't', 'r', 'o', 'l', ' ', '-', '-', 's', 't', 'o', 'p', ' ', '-', '-', 'i', 'g', 'n', 'o', 'r', 'e', ' ', ' ', '-', '-', 'a', 'l', 'l', ' ', '-', '-', 'v', 'm', 'o', 'n', '-', 'p', 'r', 'o', 'f', 'i', 'l', 'e', ' ', 'A', 'L', '*****']
2020-05-07T23:18:02.473Z INFO certificate-manager please see service-control.log for service status
2020-05-07T23:18:25.883Z INFO certificate-manager Command executed successfully
2020-05-07T23:18:25.883Z INFO certificate-manager all services stopped successfully.
2020-05-07T23:18:25.883Z INFO certificate-manager None
2020-05-07T23:18:35.893Z INFO certificate-manager Running command :- service-control --start  --all
2020-05-07T23:18:35.894Z INFO certificate-manager please see service-control.log for service status
Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start vpxd services. Error: Service crashed while starting
2020-05-07T23:24:07.606Z ERROR certificate-manager None
2020-05-07T23:24:07.606Z ERROR certificate-manager Error while starting services, please see service-control log for more details
2020-05-07T23:24:07.607Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2020-05-07T23:24:07.607Z ERROR certificate-manager {
    "resolution": null,
    "detail": [
        {
            "localized": "An error occurred while invoking external command : 'None'",
            "translatable": "An error occurred while invoking external command : '%(0)s'",
            "args": [
                "None"
            ],
            "id": "install.ciscommon.command.errinvoke"
        },
        "Error while starting services, please see service-control log for more details"
    ],
    "problemId": null,
    "componentKey": null
}
2020-05-07T23:24:07.609Z INFO certificate-manager Performing rollback of Machine SSL Cert...
2020-05-07T23:24:07.609Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmafd/bin/vecs-cli', 'entry', 'getkey', '--store', 'BACKUP_STORE', '--alias', 'bkp___MACHINE_CERT', '--output', '/storage/certmanager/rollback/MACHINE_SSL_CERT_bkp.priv']
2020-05-07T23:24:07.619Z INFO certificate-manager Command output :-

msripada
Virtuoso

Looks like the vpxd service crashed. Could you check the old vpxd log (maybe one number less than the highest number) under /var/log/vmware/vpxd,

or upload the last 5 logs (highest number) to the link.

thanks,

MS