ctucci
Enthusiast

vCenter 7 Lifecycle Manager Status 404 and Errors when Using Externally Signed Machine SSL Cert

I upgraded to vSphere 7 in my lab environment and noticed a strange issue that causes Lifecycle Manager not to load and work within vCenter v7.

I was coming from a VCSA 6.7 install which had an externally signed SSL cert added to replace the Machine Cert in vCenter; that way, when I load vCenter in a web browser, it doesn't complain about a self-signed certificate. Everything worked great.

When I updated to VCSA 7, the update wizard told me I must reset the certificates back to VMCA certs since something about trust blah blah blah. I followed the KB article it provided, which brought my 6.7 back to using the vCenter-generated self-signed cert. I retried the update to v7 and it worked fine. After the upgrade I replaced the Machine SSL certs with my externally signed certs (from Namecheap, domain specific, not wildcard) and vCenter v7 said it was changed successfully and it rebooted the appliance. I can now log in to the Web UI without annoying warnings, great.

However, if I click "Lifecycle Manager" in vCenter v7, I get a red bar that pops up over that section that says Status 404 - Error and lists a URL that has to do with Lifecycle Manager, I guess. And below, nothing loads in Lifecycle Manager; clicking any of the buttons doesn't do anything, or just produces more errors like "An unexpected error has occurred". Similar result if I click the "Updates" tab on a host or cluster. Nothing to do with LM loads or works. Everything else in VC seems to work fine, including proper serving of the signed SSL cert in my web browser.

If I go back to Certificate Management and change the Machine SSL cert back to one generated by vCenter as self-signed, after reboot, Lifecycle Manager works again.

Any ideas? Obviously LM doesn't like something about the externally signed cert even though it works everywhere else.

BenediktFrenzel
VMware Employee

Hi Ctucci,

I would guess that the lookup service is not being updated.
Could you try to either replace the certificate using the certificate-manager over SSH or update the Lookup Service?

https://ben-on-vms.com/posts/vbrownbag-a-tale-of-trust/

// Ben

ctucci
Enthusiast

Hello,

If I launch certificate manager from command line on the VCSA and select Option 1 (which I think is what I want here), it says the following, but I am not running vCenter in HA... Only HA is enabled for VMs for my vSAN Cluster.

Certificate Manager tool do not support vCenter HA systems
INFO:root:Certificate Manager tool do not support vCenter HA systems

BenediktFrenzel
VMware Employee

Interesting, would you be able to provide a log bundle?

ctucci
Enthusiast

I had previously switched back to VMCA self-signed certs so I could at least make LM work until I found a fix. Went to go put back on my external signed certs to get you logs but decided to put them back on by generating a CSR from vCenter, then using that CSR to get signed certs from Namecheap again and add those in from the Web UI. It only asked for the signed cert and CA bundle since the private key is already in VCSA, I guess because it generated the CSR. It rebooted VCSA services and now LM works with the external signed certs; at least so far I haven't gotten any errors.

I am guessing the problem has to do with my original certs having been made completely independent of vCenter, using openssl. Which seems like a bug to me, since those certs worked fine with 6.7 and there is no indication that certs have to be first generated from vCenter, especially because there is an option to import certs like that (it asks for signed cert, ca bundle, and private key).

sgloeckle
Contributor

We're using customized certificates and VCSA appliance is running as SUB-CA (VMCA).

After the upgrade to 7.0, Lifecycle Manager comes up with "Status 404" and the first two tabs are named vum.home.tabs.home and vum.home.tabs.monitor.

I've reset the VUM DB but with no effect on that issue.

I went back to the original VCSA (6.7) and replaced all certificates with self-signed certificates and made the upgrade to 7.0 again

-> same issue -> no cure so far

Any good advice, someone?

cheers, Stefan

RDowling00
Contributor

I was getting similar issues today after lab upgrade and for the first time ever... it was browser cache in my case:

https://www.virtual-allan.com/vlcm-error-404-after-upgrading-to-vcenter-7-0-1d/

Rob

sgloeckle
Contributor

Hi Rob,

Thanks!!! That indeed was the trick I needed!

cheers, Stefan

ninjabrum
Contributor

Clearing the browser cache did the trick for me as well. Thanks for the tip.
