I successfully created a Let's Encrypt cert for my homelab vcenter server (6.7.0.43000). I installed VCSA less than a week ago and all else is working correctly. I uploaded the new cert to the VCSA appliance and ran the built in scripts in certificate manager to install it. However, I hit this error during that process and it rolled back to the original:
Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
Performing rollback of Machine SSL cert
The hostname of the server (vcenter.mydomain.mycountry) is exactly the same as the cert and the SAN is also identical. I checked the original cert and it also has the same format domain name as the SAN. Everything is correct, old and new, but this keeps failing. Rebooted the server a few times, same error.
Also, tried a wildcard cert but got the exact same error. I read VMware does not like wildcards, fair enough, but I'm not seeing how this is failing.
Posted first on the Let's Encrypt forums and they say the cert and SAN are correct. So where is the obstacle?
Thanks.
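A pre-flight check for the situation described above, added here as an example and not taken from the thread or from VMware's own tooling: it extracts the DNS SAN entries from the current Machine SSL cert and the candidate replacement and reports whether they are identical, differ only in letter case, or lack the exact hostname (the wildcard case). How certificate-manager itself performs its comparison is not documented on this page, so treat this as a sanity check before running the replacement, not a reproduction of VMware's logic. The certificates are throwaway self-signed ones generated in the script; it assumes OpenSSL 1.1.1 or newer (for `req -addext`) and a POSIX shell, and reuses the hostname from the post.

```shell
#!/bin/sh
# Added example (not part of the thread): pre-flight SAN comparison for a
# VCSA Machine SSL certificate swap. Assumes OpenSSL 1.1.1+ and a POSIX sh.
# The certificates below are constructed stand-ins for the current VCSA cert
# and the candidate replacements.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=vcenter.mydomain.mycountry   # hostname from the post

# mkcert <name> <subjectAltName value>: throwaway self-signed cert in $WORK.
mkcert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$HOST" \
    -addext "subjectAltName=$2" >/dev/null 2>&1
}
mkcert old   "DNS:$HOST"                               # what VCSA has now
mkcert good  "DNS:$HOST"                               # identical SAN
mkcert case  "DNS:VCENTER.mydomain.mycountry"          # differs only in case
mkcert wild  "DNS:*.mydomain.mycountry"                # wildcard, no exact name
mkcert extra "DNS:$HOST,DNS:vcsa.mydomain.mycountry"   # exact name plus one more

# cert_sans <cert.pem>: DNS SAN entries, one per line, sorted, case preserved.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | sort
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# compare_sans <old.pem> <new.pem> <hostname>
#   0  SAN sets identical and hostname listed verbatim
#   1  SAN sets differ
#   2  SAN sets differ only by letter case
#   3  hostname not listed verbatim in the new cert (e.g. wildcard only)
compare_sans() {
  old=$(cert_sans "$1"); new=$(cert_sans "$2")
  if [ "$old" != "$new" ] && [ "$(lower "$old")" = "$(lower "$new")" ]; then
    echo "case-only SAN difference between old and new cert"; return 2
  fi
  if ! printf '%s\n' "$new" | grep -qxF "$3"; then
    echo "hostname $3 not listed verbatim in new cert SAN"; return 3
  fi
  if [ "$old" != "$new" ]; then
    echo "SAN sets differ: old=[$old] new=[$new]"; return 1
  fi
  echo "SAN match"; return 0
}

# Run the check against each candidate and show the exit code it produced.
for c in good case wild extra; do
  rc=0; compare_sans "$WORK/old.pem" "$WORK/$c.pem" "$HOST" || rc=$?
  echo "$c: rc=$rc"
done
```

On a real appliance, point `compare_sans` at the current cert exported with `vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT` and at the new PEM before starting certificate-manager; a non-zero code tells you which of the three conditions to fix, and a zero code means the SAN is not the thing to chase.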
Can you verify if there is a case sensitivity issue in the SAN field?
Also, can you attach the certificate manager log from /var/log/vmware/vmca/certificate-manager.log
thanks,
MS
Good Day,
All domain FQDNs on the host, vcenter and cert were entered lower case. I tried it again last night and during the install, the web client came up as valid with the new certificate then was lost during the roll back. So whatever the issue, the cert isn't it.
Here are the services I'm running.
Stopped:
vmcam vmware-imagebuilder vmware-mbcs vmware-netdumper vmware-postgres-archiver vmware-rbd-watchdog vmware-vcha vsan-dps
Running:
applmgmt lwsmd pschealth vmafdd vmcad vmdird vmdnsd vmonapi vmware-analytics vmware-certificatemanagement vmware-cis-license vmware-cm vmware-content-library vmware-eam vmware-perfcharts vmware-pod vmware-rhttpproxy vmware-sca vmware-sps vmware-statsmonitor vmware-sts-idmd vmware-stsd vmware-topologysvc vmware-updatemgr vmware-vapi-endpoint vmware-vmon vmware-vpostgres vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vmware-vsm vsphere-client vsphere-ui
Here's the certificate-manager.log section. Underlined section is where I think the error is. It's the only error in the log.
2020-05-07T23:18:02.473Z INFO certificate-manager Running command : ['s', 'e', 'r', 'v', 'i', 'c', 'e', '-', 'c', 'o', 'n', 't', 'r', 'o', 'l', ' ', '-', '-', 's', 't', 'o', 'p', ' ', '-', '-', 'i', 'g', 'n', 'o', 'r', 'e', ' ', ' ', '-', '-', 'a', 'l', 'l', ' ', '-', '-', 'v', 'm', 'o', 'n', '-', 'p', 'r', 'o', 'f', 'i', 'l', 'e', ' ', 'A', 'L', '*****']
2020-05-07T23:18:02.473Z INFO certificate-manager please see service-control.log for service status
2020-05-07T23:18:25.883Z INFO certificate-manager Command executed successfully
2020-05-07T23:18:25.883Z INFO certificate-manager all services stopped successfully.
2020-05-07T23:18:25.883Z INFO certificate-manager None
2020-05-07T23:18:35.893Z INFO certificate-manager Running command :- service-control --start --all
2020-05-07T23:18:35.894Z INFO certificate-manager please see service-control.log for service status
Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start vpxd services. Error: Service crashed while starting
2020-05-07T23:24:07.606Z ERROR certificate-manager None
2020-05-07T23:24:07.606Z ERROR certificate-manager Error while starting services, please see service-control log for more details
2020-05-07T23:24:07.607Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2020-05-07T23:24:07.607Z ERROR certificate-manager {
"resolution": null,
"detail": [
{
"localized": "An error occurred while invoking external command : 'None'",
"translatable": "An error occurred while invoking external command : '%(0)s'",
"args": [
"None"
],
"id": "install.ciscommon.command.errinvoke"
},
"Error while starting services, please see service-control log for more details"
],
"problemId": null,
"componentKey": null
}
2020-05-07T23:24:07.609Z INFO certificate-manager Performing rollback of Machine SSL Cert...
2020-05-07T23:24:07.609Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmafd/bin/vecs-cli', 'entry', 'getkey', '--store', 'BACKUP_STORE', '--alias', 'bkp___MACHINE_CERT', '--output', '/storage/certmanager/rollback/MACHINE_SSL_CERT_bkp.priv']
2020-05-07T23:24:07.619Z INFO certificate-manager Command output :-
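A small triage helper for the log posted above, added here as an example rather than anything from the thread or from VMware: it walks certificate-manager.log, ignores the uninformative `None` and `{` ERROR records, and reports the service that failed to start, the failure reason from the service-control stderr, and the first real ERROR message that preceded the rollback. The sample log is constructed from the excerpt in the post (the long character-split stop command is abridged); the function name is an assumption.

```shell
#!/bin/sh
# Added example (not part of the thread): pull the real rollback reason out of
# /var/log/vmware/vmcad/certificate-manager.log. The log lines below are
# constructed from the excerpt in the post; the stop command line is abridged.
set -eu
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat >"$LOG" <<'EOF'
2020-05-07T23:18:02.473Z INFO certificate-manager Running command : service-control --stop --ignore --all --vmon-profile ALL
2020-05-07T23:18:02.473Z INFO certificate-manager please see service-control.log for service status
2020-05-07T23:18:25.883Z INFO certificate-manager Command executed successfully
2020-05-07T23:18:25.883Z INFO certificate-manager all services stopped successfully.
2020-05-07T23:18:25.883Z INFO certificate-manager None
2020-05-07T23:18:35.893Z INFO certificate-manager Running command :- service-control --start --all
2020-05-07T23:18:35.894Z INFO certificate-manager please see service-control.log for service status
Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start vpxd services. Error: Service crashed while starting
2020-05-07T23:24:07.606Z ERROR certificate-manager None
2020-05-07T23:24:07.606Z ERROR certificate-manager Error while starting services, please see service-control log for more details
2020-05-07T23:24:07.607Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2020-05-07T23:24:07.607Z ERROR certificate-manager {
2020-05-07T23:24:07.609Z INFO certificate-manager Performing rollback of Machine SSL Cert...
2020-05-07T23:24:07.609Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmafd/bin/vecs-cli', 'entry', 'getkey', '--store', 'BACKUP_STORE', '--alias', 'bkp___MACHINE_CERT', '--output', '/storage/certmanager/rollback/MACHINE_SSL_CERT_bkp.priv']
EOF

# certmgr_failure <logfile>: for each rollback, print
#   <service that failed to start>|<service-control reason>|<first real ERROR>
# State resets at every "Running command" so only the failing step is reported.
# Exit 1 if the log contains no rollback.
certmgr_failure() {
  awk '
    /Running command :/ { svc = ""; reason = ""; err = "" }
    /^Service-control failed/ {
      if (match($0, /Failed to start [^ ]+ services/))
        svc = substr($0, RSTART + 16, RLENGTH - 25)
      n = split($0, part, "Error: "); reason = part[n]
    }
    / ERROR certificate-manager / && err == "" &&
      $0 !~ /certificate-manager None$/ && $0 !~ /certificate-manager [{]$/ {
      sub(/.* ERROR certificate-manager /, ""); err = $0
    }
    /Performing rollback/ {
      found = 1
      name = (svc == "" ? "unknown" : svc)
      print name "|" reason "|" err
    }
    END { exit found ? 0 : 1 }
  ' "$1"
}

certmgr_failure "$LOG"
```

Run against the real file on the appliance this points you straight at the crashing service (vpxd here), which is where the next log to read lives, rather than at the cert itself.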
Looks like the vpxd service crashed. Could you check the old vpxd log (maybe one number less than the highest number) under /var/log/vmware/vpxd
or upload the last 5 logs (highest number) to the link
thanks,
MS