Enthusiast

vCenter 7 Lifecycle Manager Status 404 and Errors when Using Externally Signed Machine SSL Cert

I upgraded to vSphere 7 in my lab environment and noticed a strange issue that causes Lifecycle Manager not to load and work within vCenter v7.

I was coming from a VCSA 6.7 install which had an externally signed SSL cert added to replace the Machine Cert in vCenter, so that when I load vCenter in a web browser it doesn't complain about a self-signed certificate. Everything worked great.

When I updated to VCSA 7, the update wizard told me I must reset the certificates back to VMCA certs since something about trust blah blah blah. I followed the KB article it provided, which brought my 6.7 back to using a vCenter-generated self-signed cert. I retried the update to v7 and it worked fine. After the upgrade I replaced the Machine SSL certs with my externally signed certs (from Namecheap, domain specific, not wildcard) and vCenter v7 said it was changed successfully and rebooted the appliance. I can now log in to the Web UI without annoying warnings, great.

However, if I click "Lifecycle Manager" in vCenter v7, I get a red bar that pops up over that section as it loads that says Status 404 - Error and lists a URL that has to do with Lifecycle Manager, I guess. Below that, nothing loads in Lifecycle Manager; clicking any of the buttons doesn't do anything, or just produces more errors like "An unexpected error has occurred". Similar result if I click the "Updates" tab on a host or cluster. Nothing to do with LM loads or works. Everything else in VC seems to work fine, including proper serving of the signed SSL cert in my web browser.

If I go back to Certificate Management and change the Machine SSL cert back to one generated by vCenter as self-signed, after reboot, Lifecycle Manager works again.

Any ideas? Obviously LM doesn't like something about the externally signed cert even though it works everywhere else.

VMware Employee

Hi Ctucci,

I would guess that the lookup service is not being updated.
Could you try either replacing the certificate using the certificate-manager over SSH, or updating the Lookup Service.

https://ben-on-vms.com/posts/vbrownbag-a-tale-of-trust/

// Ben

Enthusiast

Hello,

If I launch certificate-manager from the command line on the VCSA and select Option 1 (which I think is what I want here), it says the following, but I am not running vCenter in HA... Only HA is enabled for VMs on my vSAN cluster.

Certificate Manager tool do not support vCenter HA systems
INFO:root:Certificate Manager tool do not support vCenter HA systems

VMware Employee

Interesting, would you be able to provide a log bundle?

Enthusiast

I had previously switched back to VMCA self-signed certs so I could at least make LM work until I found a fix. I went to put my externally signed certs back on to get you logs, but decided to put them back on by generating a CSR from vCenter, then using that CSR to get signed certs from Namecheap again and adding those from the Web UI. It only asked for the signed cert and CA bundle, since the private key is already in the VCSA, I guess because it generated the CSR. It restarted the VCSA services and now LM works with the externally signed certs; at least so far I haven't gotten any errors.

I am guessing the problem has to do with my original certs having been made completely independently of vCenter, using openssl. That seems like a bug to me, since those certs worked fine with 6.7 and there is no indication that certs have to be generated from vCenter first, especially because there is an option to import certs like that (it asks for the signed cert, CA bundle, and private key).

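The two things this thread turns on are whether the certificate, key and CA bundle you hand the UI actually belong together, and whether the cert the appliance ends up serving is the one you imported (the first reply's point about the lookup service still holding an old registration). Below is an added example, not from the thread or from VMware, of the checks a practitioner would run with plain openssl before and after a Machine SSL swap. It assumes openssl is on PATH; the host name and file names are placeholders, and it does not touch any vCenter-specific tooling.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from VMware): openssl-only sanity
# checks around a vCenter Machine SSL certificate replacement.
# Assumptions: openssl on PATH; host/port and file paths are hypothetical.

# SHA-256 fingerprint of the first certificate in a PEM file, e.g. the
# signed cert you are about to import through Certificate Management.
local_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a TLS endpoint really presents.
# Compare this for port 443 against local_fingerprint of the imported cert;
# an endpoint that still serves the old fingerprint after the swap points at
# a service (or its lookup-service registration) that was not updated.
served_fingerprint() {
    local host="$1" port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Exit 0 if the private key carries the same public key as the certificate.
# Importing a cert with a key that is not its own is the classic failure
# when cert and key were produced outside the appliance.
cert_key_match() {
    local cert="$1" key="$2" cpub kpub
    cpub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256 | awk '{print $NF}')
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# Exit 0 if the leaf certificate chains to the CA bundle (the "CA bundle"
# field in the import wizard must contain the issuing chain, root included).
chain_verifies() {
    local cert="$1" bundle="$2"
    openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
}

# Run all pre-import checks on one cert/key/bundle set; prints a verdict per check.
# Usage (hypothetical paths): preflight machine_ssl.crt machine_ssl.key ca_bundle.crt
preflight() {
    local cert="$1" key="$2" bundle="$3" rc=0
    if cert_key_match "$cert" "$key"; then echo "key matches cert: ok"
    else echo "key matches cert: FAIL"; rc=1; fi
    if chain_verifies "$cert" "$bundle"; then echo "chain verifies: ok"
    else echo "chain verifies: FAIL"; rc=1; fi
    echo "fingerprint: $(local_fingerprint "$cert")"
    return "$rc"
}
```

After the import and service restart, run `served_fingerprint vcsa.example.test 443` and compare it with `local_fingerprint` of the file you uploaded; if they differ, the swap did not reach the service answering on that port.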