I am using SSL update tools to change the vCenter 5.5 SSL certificate.
Changing the SSO certificate was successful, however I am having problem with the inventory services.
Error message below.
==================================================================
4. Update the Inventory Service SSL Certificate
1. Update the Inventory Service Trust to Single Sign-On
2. Update the Inventory Service Trust to vCenter Server
3. Update the Inventory Service SSL Certificate
4. Rollback to the previous Inventory Service SSL Certificate
5. Return to the main menu to update other services
The chosen service is: 3
[Wed 12/03/2014 - 13:49:12.88]: The services that are restarted as a part of thi
s operation are: vCenter Inventory Service.
Enter the location to the new Inventory Service SSL chain: C:\certs\InventorySer
vice\chain.pem
Enter the location to the new Inventory Service private key: C:\certs\InventoryS
ervice\rui-orig.key
Enter the Single Sign-On Administrator user (default value is: administrator@vsp
here.local):
Enter the Single Sign-On Administrator password (will not be echoed):
[.] The supplied certificate chain is valid.
[Wed 12/03/2014 - 13:49:44.41]: Last operation update Inventory Service SSL cert
ificate failed :
[Wed 12/03/2014 - 13:49:44.42]: Cannot determine if Inventory Service is registe
red with Single Sign-On - errorlevel is 1
=================================================================
Problem solved, as the vCenter my environment share the same SSO domain is necessáio that SSL certificcado the primary server is changed.
Hi there,
I assume you are following the vmware ssl-updater.bat script from looking at the screenshot. Have you run the planner to give you the exact steps to follow when updating everything?
Are you updating all certificates? When you update the SSO and vCenter certificates, you must also then update the Inventory Service trust to single sign on and vCenter. (http://i.imgur.com/mXFBxph.png) - see option 2.
As per your process copied out from the ssl-updater.bat, have you followed options 1 and 2:
1. Update the Inventory Service Trust to Single Sign-On
2. Update the Inventory Service Trust to vCenter Server
???
These must be done before you can update the Inventory service, as part of your planned upgrade - See option 1 on this screenshot.
I am happy to help if you have any questions, I had to do this for my work place recently and have fully documented the entire process!!
Regards,
Ryan
Ryan,
Thank you for help, however I'm following exetamente the plan that is provided by the tool.
I have problem during the change of certificate Inventory Services.
Hi,
So you have updated the trusts with Inventory service against SSO and vCenter before installing the new certificate?
Can you confirm if all the services are installed on the same server?
Ryan,
all services installed on the same server.
Follows the plan I'm using, in your post you are stating what should be done the trust between the SSO and vCenter skipping step 3 and step 4 is doing this?
1. Go to the machine with Single Sign-On installed and - Update the Single Sign-
On SSL certificate.
2. Go to the machine with Inventory Service installed and - Update Inventory Ser
vice trust to Single Sign-On.
3. Go to the machine with Inventory Service installed and - Update the Inventory
Service SSL certificate.
4. Go to the machine with vCenter Server installed and - Update vCenter Server t
rust to Single Sign-On.
5. Go to the machine with vCenter Server installed and - Update the vCenter Serv
er SSL certificate.
6. Go to the machine with vCenter Server installed and - Update vCenter Server t
rust to Inventory Service.
7. Go to the machine with Inventory Service installed and - Update the Inventory
Service trust to vCenter Server.
8. Go to the machine with vCenter Orchestrator installed and - Update vCenter Or
chestrator trust to Single Sign-On.
9. Go to the machine with vCenter Orchestrator installed and - Update vCenter Or
chestrator trust to vCenter Server.
10. Go to the machine with vCenter Orchestrator installed and - Update the vCent
er Orchestrator SSL certificate.
11. Go to the machine with vSphere Web Client installed and - Update vSphere Web
Client trust to Single Sign-On.
12. Go to the machine with vSphere Web Client installed and - Update vSphere Web
Client trust to Inventory Service.
13. Go to the machine with vSphere Web Client installed and - Update vSphere Web
Client trust to vCenter Server.
14. Go to the machine with vSphere Web Client installed and - Update the vSphere
Web Client SSL certificate.
15. Go to the machine with Log Browser installed and - Update the Log Browser tr
ust to Single Sign-On.
16. Go to the machine with Log Browser installed and - Update the Log Browser SS
L certificate.
17. Go to the machine with vSphere Update Manager installed and - Update vSphere
Update Manager trust to vCenter Server.
Hi,
I'm a bit confused with what you are asking?
The screenshot I posted, was a plan that I had for updating all certificates: SSO, Inventory Service, vCenter, Orchestrator, Web Client and Log Browser.
Did you generate a plan using the tool? If so, can you post a picture of it? (Like mine?)
You must follow all the steps as per your plan for it to work. It seems to me that you might have updated your SSO certificate and NOT followed step 2 "Update the Inventory service to trust Single Sign on".
Ryan,
I'm just following the plan created by the tool. (ssl certificate updater tool)
the error is displayed when I perform step 3.
example.
1. Go to the machine with Single Sign-On and installed - Update the Single Sign-
On SSL certificate.
Status: successful
2. Go to the machine with Inventory Service installed and - Update Inventory Being
vice trust to Single Sign-On.
Status: successful
3. Go to the machine with Inventory Service installed and - Update the Inventory
Service SSL certificate.
Status: Failed.
Hi,
When you follow these options:
4. Update the Inventory Service SSL Certificate
1. Update the Inventory Service Trust to Single Sign-On
2. Update the Inventory Service Trust to vCenter Server
3. Update the Inventory Service SSL Certificate
4. Rollback to the previous Inventory Service SSL Certificate
5. Return to the main menu to update other services
When you follow option "1 - Update the Inventory Service Trust to Single Sign-On" does that work correctly?
If you are having trouble with the automation tool, perhaps follow the manual process of updating the Inventory Server certificate following this KB?
Ryan,
update the information, my environment shared same domain single sign-on that could be a problem in exchange for the certificate of vCenter?
Problem solved, as the vCenter my environment share the same SSO domain is necessáio that SSL certificcado the primary server is changed.