VMware Cloud Community
ryul
Enthusiast

Updating vCenter Server 5.1 SSL certificate - error

Hello everyone,

We set up a new Windows Server 2008 R2 as a vCenter Server 5.1.

I'm now trying to install new certificates for all vCenter parts (server, inventory service, web client, ...) issued by a Windows CA.

I'm stuck at updating the vCenter Server SSL certificate with the "SSL Certificate Automation Tool".

It's step 5 of this guide (5. in the cmd screenshot):

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=204160...

All credentials are correct, but I always get the same error (vc-update-ssl.log):

[26.04.2013 - 10:42:54,99]: Copying the new certificates and keys to "C:\ProgramData\VMware\VMware VirtualCenter\SSL..."
[26.04.2013 - 10:42:55,00]: Creating the PKCS certificate file...
Could not reload vCenter SSL Certificates
[26.04.2013 - 10:42:56,22]: ""Cannot reload the vCenter Server SSL certificates. The certificate might not be unique.""
[26.04.2013 - 10:42:56,24]: Deleting the new certificates and keys...
[26.04.2013 - 10:42:56,25]: Restoring the original certificates and keys...
        1 Datei(en) kopiert.
        1 Datei(en) kopiert.
        1 Datei(en) kopiert.
[26.04.2013 - 10:42:56,25]: Attempting rollback...
Could not reload vCenter SSL Certificates
[26.04.2013 - 10:42:57,08]: ""Cannot reload the vCenter Server SSL certificates. The certificate might not be unique.""
[26.04.2013 - 10:42:57,10]: Deleting the new certificates and keys...
[26.04.2013 - 10:42:57,10]: Restoring the original certificates and keys...
        1 Datei(en) kopiert.
        1 Datei(en) kopiert.
        1 Datei(en) kopiert.
[26.04.2013 - 10:42:57,13]: The vCenter certificate update failed.

So I tried the manual way, as mentioned in this guide:

I'm stuck there as well, getting "Method Invocation Result: vpx.fault.SecurityConfigFault" after "Invoke Method":

  1. Go to https://localhost/mob/?moid=vpxd-securitymanager&vmodl=1 on the vCenter Server and load the certificates for the configuration by using the Managed Object Browser.
  2. Click continue if you are prompted with a certificate warning.
  3. Enter a vCenter Server administrator username and password when prompted.
  4. Click reloadSslCertificate.
  5. Click Invoke Method. If successful, the window shows this message: Method Invocation Result: void.


I tried to fix that, but there is no real solution for this:

http://communities.vmware.com/thread/429035

Sooooo, I need help with this issue.

19 Replies
Sreejesh_D
Virtuoso

I am sure you have read this many times. In case you missed it by any chance, make sure both points are considered.

  • The new certificates already exist and you know the location of the new certificates. For increased security, generate each certificate and private key on the machine where it will be used. The new SSL certificate for each vSphere component must have a unique base DN.

  • Updating the vCenter Server Certificate may fail with an error if multiple service IDs exist for the lookup service

    When updating the certificate for vCenter Server using the SSL Certificate Automation Tool, the step may fail with the error:

    The certificates that's provided as input may not be a unique certificate

    This may be caused by vpxd having multiple service IDs for the Lookup service in the vpxd.cfg file.
Ethan44
Enthusiast

Hi

Welcome to the communities.

Here is the link which will help you to resolve this problem:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=201549....

"A journey of a thousand miles starts with a single step."
ryul
Enthusiast

Hello yezdi,

Yes, I read this many times and it doesn't match for me.

I don't have multiple lookup service ID entries in the vpxd.cfg.

Everything seems to be alright in there.

ryul
Enthusiast

Hello Ethan44,

Well, we do have certificates on the ESXi hosts, but I don't know how long they will last or whether they are configured correctly (that wasn't done by me).

Are the ESXi hosts really the source of my issue with the vCenter server certificates?

garfield2013
Contributor

I have the same problem and I just got new certificates for the hosts, but it didn't help. Even when trying with disconnected and removed hosts I still get the error that the certificate is not unique. All services except vCenter Server worked fine.

I already checked and compared all certificates and they look fine.

Is there any solution?

ksattler
Enthusiast

I have the same problem. Have you solved it?

ryul
Enthusiast

No, I'm still stuck here.

garfield2013
Contributor

Same here, still no solution! Installed a completely new machine with Server 2008 R2 + SQL Server 2008 R2 + vCenter Server 5.1 U1 -> no chance!

ryul
Enthusiast

We did the same and this issue is really frustrating...

ksattler
Enthusiast

SOLVED!

Steps:

1. Stop the vCenter service.

2. Look for your ID in LS_ServiceID.prop in the folder C:\ProgramData\VMware\VMware VirtualCenter

3. Copy this ID (e.g. {C4672589-9258-42B1-90E2-1EF268BBD402}:5)

4. Edit your vpxd.cfg in the same folder and replace

<serviceId>vCenterService</serviceId>

with

<serviceId>your ID</serviceId>

5. Start the vCenter service.

Then the SSL automation tool works!

You don't need to revert the changes.

garfield2013
Contributor

Where did you find the solution? Trial and error?

ksattler
Enthusiast

I had opened an SR.

garfield2013
Contributor

I just tried it and it works. You are my hero!

thank you!!!

ryul
Enthusiast

Thanks so much!

This is it!

njcmdrx
Contributor

This worked for me. Thanks to the person who posted the correct answer.

ThijsM
Contributor

I have the same problem, but unfortunately this didn't fix it for me.

However, I do have two service IDs in LS_ServiceID.prop, one ending in :5 and one ending in :7.

Any ideas about this?

Edit:

I got it to work by deleting the :5 entry in LS_ServiceID.prop, leaving only the :7 in there, and then replacing the :5 with the :7 in the vpxd.log; then it finally worked.

Thanks to the person who gave the solution to this problem.

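ksattler's fix above boils down to one invariant: the `<serviceId>` in vpxd.cfg must equal the single lookup-service ID recorded in LS_ServiceID.prop, not the `vCenterService` placeholder, and ThijsM's follow-up shows a second failure mode where the .prop file carries two IDs. The following Python is an added example (not code from the thread or from VMware) that reads both files and reports which of those conditions is violated before anyone touches the SSL Certificate Automation Tool. It assumes the ID shape quoted in the thread, `{GUID}:N`, and that `serviceId` appears as an XML element somewhere inside vpxd.cfg; the sample file contents are constructed for the demonstration, and the GUID is the one ksattler posted.

```python
"""Check that vpxd.cfg <serviceId> agrees with LS_ServiceID.prop.

Added example for the vCenter 5.1 "certificate might not be unique"
thread; not VMware code. File formats are assumed from the thread:
LS_ServiceID.prop carries one or more {GUID}:N tokens, and vpxd.cfg is
XML with a <serviceId> element at some depth.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Assumed token shape, taken from the ID quoted in the thread.
SERVICE_ID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}:\d+")
# Default value the thread reports in a broken vpxd.cfg.
PLACEHOLDER = "vCenterService"

# Constructed sample inputs (real files are larger; the GUID is from the thread).
PROP_SINGLE = "{C4672589-9258-42B1-90E2-1EF268BBD402}:5\n"
PROP_TWO = ("{C4672589-9258-42B1-90E2-1EF268BBD402}:5\n"
            "{C4672589-9258-42B1-90E2-1EF268BBD402}:7\n")
CFG_PLACEHOLDER = ("<config><vpxd>"
                   "<serviceId>vCenterService</serviceId>"
                   "</vpxd></config>")
CFG_FIXED = ("<config><vpxd>"
             "<serviceId>{C4672589-9258-42B1-90E2-1EF268BBD402}:5</serviceId>"
             "</vpxd></config>")


def service_ids_from_prop(prop_text):
    """Return every {GUID}:N token found in LS_ServiceID.prop text."""
    return SERVICE_ID_RE.findall(prop_text)


def service_ids_from_vpxd_cfg(cfg_text):
    """Return the text of every <serviceId> element, whatever its nesting."""
    root = ET.fromstring(cfg_text)
    return [(el.text or "").strip() for el in root.iter("serviceId")]


def check_service_id(prop_text, cfg_text):
    """Return a list of findings; an empty list means the files agree."""
    findings = []
    prop_ids = service_ids_from_prop(prop_text)
    cfg_ids = service_ids_from_vpxd_cfg(cfg_text)

    # ThijsM's case: more than one lookup-service ID registered.
    if not prop_ids:
        findings.append("LS_ServiceID.prop contains no service ID")
    elif len(prop_ids) > 1:
        findings.append("LS_ServiceID.prop lists %d service IDs: %s"
                        % (len(prop_ids), ", ".join(prop_ids)))

    if not cfg_ids:
        findings.append("vpxd.cfg has no <serviceId> element")
    elif len(cfg_ids) > 1:
        findings.append("vpxd.cfg has %d <serviceId> elements" % len(cfg_ids))

    for cid in cfg_ids:
        # ksattler's case: the placeholder was never replaced.
        if cid == PLACEHOLDER:
            findings.append("vpxd.cfg still carries the placeholder "
                            "'%s' instead of the ID from LS_ServiceID.prop"
                            % PLACEHOLDER)
        elif prop_ids and cid not in prop_ids:
            findings.append("vpxd.cfg serviceId %s is not present in "
                            "LS_ServiceID.prop" % cid)
    return findings


def check_files(prop_path, cfg_path):
    """Read the two files from disk and run the check."""
    with open(prop_path, encoding="utf-8", errors="replace") as f:
        prop_text = f.read()
    with open(cfg_path, encoding="utf-8", errors="replace") as f:
        cfg_text = f.read()
    return check_service_id(prop_text, cfg_text)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        results = check_files(sys.argv[1], sys.argv[2])
    else:
        # No paths given: run against the constructed samples.
        results = check_service_id(PROP_SINGLE, CFG_PLACEHOLDER)
    for line in results or ["OK: vpxd.cfg serviceId matches LS_ServiceID.prop"]:
        print(line)
```

Run it with the two paths from the thread (`C:\ProgramData\VMware\VMware VirtualCenter\LS_ServiceID.prop` and `...\vpxd.cfg`) while the vCenter service is stopped; an empty result means ksattler's step 4 is already satisfied and the failure lies elsewhere, as in Roy_Stillwell's filename case further down.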
MillardJK
Enthusiast

I've got the same error being thrown on a 5.5 windows-based vCenter. However, I've already validated that the single entry in LS_ServiceID.prop is identical to the entry in vpxd.cfg. Any other suggestions?

——
Jim Millard
Kansas City, MO USA
Roy_Stillwell
Contributor

2nd SOLVED. I had the same problem:

I received the error:

[Thu 02/27/2014 - 15:26:18.43]: Last operation update vCenter Server SSL certificate failed :

[Thu 02/27/2014 - 15:26:18.44]: Cannot reload the vCenter Server SSL certificates. The certificate might not be unique.

But the LS_ServiceID.prop ID was identical to the entry in vpxd.cfg (so the posted solution did not work).

This happened because I fat-fingered a password for the SSO admin when updating the vCenter cert.

SOLUTION

It occurred to me that the cert FILENAME is also no longer unique (because I was trying to use the SSLTOOL a second time for the same vCenter cert).

I simply renamed the original rui.key and chain.pem files to rui2.key and chain2.pem, then ran the SSLTOOL with those new names.

SSLTOOL worked like a charm, and all services work in the vCenter.

Win.  ^^.

maxel
Enthusiast

Man, this works!! Cool.