VMware Cloud Community
Ellerhold-IT
Contributor

Alarm: "Certificate status"

Hello,

We've got 3 vCenter 7 servers that are throwing the warning "Certificate status". Clicking on the triggering event shows:

"Certificate OU=mID-....' from MACHINE_SSL_CERT expires on 2023-07-02 07:46:04.000"

These are the steps I did to resolve this unsuccessfully:

1. Administration -> Certificate Management

The __MACHINE_CERT showed this expiration date so I clicked renew.

After a reload of the GUI, the cert showed a new expiration date of 4th of June 2025.

Error still persists.

Google found this KB: https://kb.vmware.com/s/article/82332

2. SSH'd into vCenter and printed out the expiration dates of all certificates: sure enough, there are some "user solution certificates" with the old expiration date.

I ran "/usr/lib/vmware-vmca/bin/certificate-manager" with option 6 "Replace Solution user certificates with VMCA certificates".

Ran the command again to print the expiration dates ... only 2 expiring remaining!

Google found this KB: https://kb.vmware.com/s/article/88548

3. Copied the fix_encipherment_cert.sh and ran it. Voilà, only 1 expiring certificate remaining, and the alarm is still there.

You can see the current status in the attached picture:

My questions:

  • I can safely ignore the certificate in the BACKUP_STORE, correct?
  • Is the certificate with the alias "vcenter-1.gluecksburg.lan" (it is the FQDN of the vCenter server) used anywhere?
  • How can I replace it?
  • Why does the alarm still say that the MACHINE_CERT_SSL is expiring soon?
  • Why doesn't vCenter do all this stuff itself?
mannharry
Hot Shot

Hello

On checking the cert details:

  • I can safely ignore the certificate in the BACKUP_STORE, correct? - Yes, but you can use this: https://kb.vmware.com/s/article/82560?lang=en_US
  • Is the certificate with the alias "vcenter-1.gluecksburg.lan" (it is the FQDN of the vCenter server) used anywhere? - Ideally this store (vcenter-1.gluecksburg.lan) should not even be present. Need to check on this.
  • How can I replace it? - Machine SSL already looks good.
  • Why does the alarm still say that the MACHINE_CERT_SSL is expiring soon? - Can you share a screenshot of the alarm?
  • Why doesn't vCenter do all this stuff itself? - There are public KBs available to resolve certificate issues.

    Can you take a snapshot of the VC and run the vSphere Diagnostic Tool (https://flings.vmware.com/vsphere-diagnostic-tool#summary) to get a clear output of what the error is?

Regards

Harry

Ellerhold-IT
Contributor

Hello Harry,

thanks for your help!

The steps in https://kb.vmware.com/s/article/82560?lang=en_US were the correct KB!

I ran the script and now the BACKUP_STORES are empty. The alarm is gone too.

EDIT: the FQDN-store certificate is still there, but it seems like it won't get used. The certificate displayed in the browser is a different one with the correct expiration date.

Have a nice day!
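
Added example, not part of the thread or of any VMware KB: since the alarm here only cleared once BACKUP_STORE was emptied, this sketch parses a per-store listing of aliases and "Not After" dates and reports soon-to-expire certificates in every store, not just MACHINE_SSL_CERT. The input layout, aliases, dates and the 30-day window are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout printed by looping over
# `vecs-cli store list` and running `vecs-cli entry list --store S --text`
# filtered to alias and expiry lines (layout assumed; values are made up).
SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Jun  4 07:46:04 2025 GMT
[*] Store : machine
Alias : machine
            Not After : Jun  4 08:01:10 2025 GMT
[*] Store : BACKUP_STORE
Alias : bkp___MACHINE_CERT
            Not After : Jul  2 07:46:04 2023 GMT
"""

STORE_RE = re.compile(r"^\[\*\] Store\s*:\s*(\S+)")
ALIAS_RE = re.compile(r"^\s*Alias\s*:\s*(.+?)\s*$")
AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s+GMT\s*$")

def parse_entries(text):
    """Return a list of (store, alias, not_after) tuples."""
    entries, store, alias = [], None, None
    for line in text.splitlines():
        if m := STORE_RE.match(line):
            store, alias = m.group(1), None
        elif m := ALIAS_RE.match(line):
            alias = m.group(1)
        elif m := AFTER_RE.match(line):
            # openssl-style date; split() collapses the padded day ("Jun  4")
            stamp = " ".join(m.group(1).split())
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            entries.append((store, alias, when))
    return entries

def expiring(entries, now, days=30):
    """Entries in any store whose Not After is within `days` of `now`."""
    limit = now + timedelta(days=days)  # window chosen for this example
    return [(s, a, d) for s, a, d in entries if d <= limit]

if __name__ == "__main__":
    hits = expiring(parse_entries(SAMPLE), datetime(2023, 6, 5))
    for store, alias, when in hits:
        print(f"{store}/{alias} expires {when:%Y-%m-%d}")
```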