idatb
Contributor

"Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT."

I'm trying to deploy a new machine SSL with vCenter 6.5 from a public CA. I've spent 3 days with multiple failures, this being the latest. I've followed every VMware instructional video and guide for 5.5 and 6.0, but we cannot deploy a public CA SSL cert so far. It gets to 10% and kicks an error message. I've tried every variation of certs. We get issued a CA-Bundle, a p7b and a crt file. We cannot figure out what vCenter certificate manager is wanting from these certs. Has anyone else faced this issue?

2017-01-13T15:10:04.706Z ERROR certificate-manager
2017-01-13T15:10:04.707Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log for more information.
2017-01-13T15:10:04.707Z ERROR certificate-manager {
    "resolution": null,
    "detail": [
        {
            "args": [
                ""
            ],
            "id": "install.ciscommon.command.errinvoke",
            "localized": "An error occurred while invoking external command : ''",
            "translatable": "An error occurred while invoking external command : '%(0)s'"
        },
        "Error in creating a new entry for __MACHINE_CERT in VECS Store MACHINE_SSL_CERT."
    ],
    "componentKey": null,
    "problemId": null

0 Kudos
7 Replies
Prophecy_Networ
Contributor

Hi

We are having the same issue. Did you ever manage to find a solution?

Mike

0 Kudos
cwm08
Contributor

I am having the exact same problem with our new 6.5a VCSA. Wondering if anyone has any updates.

0 Kudos
just70
Contributor

I have the same issue. I'm using the server appliance version 6.5.0.5200 with an external PSC.

0 Kudos
just70
Contributor

I figured out the cause of my error. I was using the wrong key file. You have to use the KEY file that corresponds with the CSR file that gets turned into the CRT file. Hopefully this helps.

0 Kudos
krneki
Contributor

I fixed it. 

For me the issue was copy/paste of certificates into the shell.

Once I enabled the appliance to support WinSCP and uploaded the certificates, the issue was solved.

0 Kudos
djmoose
Contributor

I had the same problem. Turns out the person who created the CSR for the VCSA entered the VCSA FQDN when the tool asked:

Performing operation on distributed setup, Please provide valid Infrastructure Server IP.

Server :

(make sure you put your PSC's FQDN here)

Hope this helps...and you would only see this if you have an external PSC.

0 Kudos
jernigan
Contributor

I got this exact error and finally managed to fix it.

In short, it was the order of my cert / intermediates / root in the main certificate file.

I followed the instructions here: VMware Knowledge Base

And made sure to follow the prerequisite mentioned: VMware Knowledge Base

I'm using the VCSA Linux appliance, v 6.5, and /usr/lib/vmware-vmca/bin/certificate-manager to install the certs.

I copy/pasted the certificates through a terminal rather than figuring out how to get SCP / SFTP to transfer the files. There were no issues there.

My CA provider is InCommon, and they give a few options for downloading the x509 formatted certificates:

* X509 Base64 (THIS HAD TO BE MODIFIED, and was used when asked in the certificate-manager tool "Please provide valid custom certificate for Machine SSL.". InCommon gave me {Intermediates / Root / Certificate} in a single file, but VCSA wanted {Certificate / Intermediates / Root}, so I did some copy/pasting to fix it)

* X509 Certificate Only (I only used this to learn which text block was the certificate itself in the previous cert file)

* X.509 Intermediates/Root (used this to publish to the VMware Endpoint Certificate Store as instructed in VMware Knowledge Base and also when asked "Please provide the signing certificate of the Machine SSL certificate" in the certificate-manager tool)

* X.509 Root/Intermediates (I only used this to compare to the {Intermediates/Root} file to see which text snippet was the Root itself. I needed to make a new text file with JUST the Root CA so that I could publish it according to the instructions mentioned above in VMware Knowledge Base article)

Once it all processed, I refreshed the web interfaces to vCenter and it was using my custom cert.

I lost a LOT of time screwing around with all of this : (

I really hope this is helpful to someone else.

0 Kudos