VMware Cloud Community
M-JR
Contributor

vCenter Certificate Status alarm for CSR

Hello - 

I've got a vCenter server that is throwing a Certificate Status Alarm, and it's specifically alarming about a CSR, not a cert expiring.

I ran the following command to list all of the certs:

# Loop over every VECS store except the CRL store, and for each one print
# the alias and "Not After" line of every entry so expiry dates can be checked.
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
    echo "[*] Store :" "$store"
    /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store "$store" --text \
        | grep -i -e "Alias" -e "Not After"
done

There are no certs expired.

The cert that the alarm is complaining about isn't actually a cert - it's a CSR.

[screenshot omitted: MJR_1-1691697427566.png]

[screenshot omitted: MJR_2-1691697864410.png]

Any ideas how to remove the CSR without borking the whole thing? Or even better, any ideas how to make the alarm only trigger for expiring certs and not CSRs?

It's really not hurting anything, just driving me nuts that it's there.

I have 100% validated that it's the CSR - if I reset the alarm to green, it will come back. If I generate a new CSR, it will not alert until the next day when that CSR expires.

Sachchidanand
Expert

Have you generated the CSR and not updated the certificate with respect to that CSR?

In this case, just replace the certificate.

Regards,

Sachchidanand

M-JR
Contributor

I haven't generated a new cert from the CSR that I created a couple of days ago because the current cert doesn't expire for a while.


But - that's not the issue. The only reason I created a new CSR a couple of days ago was to test if the alarm would go away if I did that (it did). It was alarming from the original CSR that I did generate the cert from, which was still there; then when I created a new CSR, the alarm cleared for a day (how long the CSR was good for), and then came back.

So generating a new cert from that CSR isn't going to change the fact that the CSR is expired, and that the alarm is still going to trigger off of that CSR instead of off of the cert.

Sachchidanand
Expert

If you generate a CSR, vCenter expects that you update the cert with respect to that CSR. It doesn't matter how many times you generate it. Don't generate another CSR to check if the alarm will go away for the previous CSR; instead, generate the self certificate to get rid of the alarms you are getting for the CSR/cert.

Regards,

Sachchidanand
