VMware Cloud Community
clevelas

Replacing expired cert on vCenter appliance with

I've gotten myself into a bit of a pickle. I let my vCenter server (appliance) certificate expire. When I ran the certificate manager script and gave it the new certificate, it failed. I had an old extension it didn't like. I got an "ERROR certificate-manager 'lstool get' failed: 1". There is a KB that describes it:

VMware Knowledge Base

In my case, it's an old Emulex extension I played with once and apparently didn't clean up.  The solution for that is to remove it at https://vcenter.fqdn/mob.

Unfortunately, before I found that solution, I tried a reboot as it hadn't been restarted in some time. That caused vpxd to not start, complaining about an expired certificate. So now the /mob directory just gives a 503 Service Unavailable error.

So I'm stuck in a loop. I can't update the certificate until I remove the extension. I can't remove the extension until I replace the certificate.

I'm hoping there's a command line method to remove the extension.  But I have been unable to find any information except through the GUI or /mob.  Please tell me someone has a solution for this?

I've opened a case on the issue, but we apparently only have basic support on vCenter (another thing to address later), so I'm not expecting a call back until Monday.

- Steve

IRIX201110141

Do you have a "large" environment or Horizon, NSX, vSAN, vDS in use together with your vCenter? If not, why not just deploy a new fresh vCenter and add the hosts again?

Otherwise... did you try to modify the date in the VCSA and bring it back in time to get vpxd starting?

Regards,

Joerg

clevelas

I just have straight vSphere with a couple of addins (Dell Storage and Avamar).  I considered reinstalling, but I have quite a few servers and I think we could survive the weekend until I heard back from VMware Support.

In the meantime, I found a solution. Looking at the vpxd log, it mentioned the path to the SSL certificate it was using: /etc/vmware-vpx/ssl/rui.{crt,key}. They appeared to be the old certificate in the same format I was familiar with. So I replaced them. I then did a search for rui.key (ran updatedb, then 'locate rui.key'). It found /etc/vmware-rhttpproxy/ssl as well. So I replaced that. I then rebooted (I think vpxd was complaining about the certificate on a service it was connecting to). After the reboot, vpxd started! So I was able to get to /mob and remove the bad extension. After that I could run certificate-manager successfully.
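
The manual swap described in the post above, written out as an added example that is not part of the original thread or any VMware tooling: before overwriting rui.crt and rui.key it checks that the new certificate is not about to expire and that the key belongs to it, and it keeps timestamped copies of the old files. The function names and the /root/new.* paths are hypothetical; the two directories are the ones named in the post.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Pre-flight checks and a backed-up swap of rui.crt / rui.key in one directory.

# Succeeds if certificate $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeeds if private key $2 belongs to certificate $1 (public keys compared as PEM).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# replace_rui NEW_CRT NEW_KEY DIR
# Refuses a pair that is expired, about to expire, or mismatched; otherwise
# keeps timestamped copies of the old files and installs the new ones.
replace_rui() {
    new_crt=$1; new_key=$2; dir=$3
    if ! cert_valid_for "$new_crt" 86400; then
        echo "refusing: $new_crt is expired or expires within 24h" >&2; return 1
    fi
    if ! key_matches_cert "$new_crt" "$new_key"; then
        echo "refusing: $new_key does not match $new_crt" >&2; return 1
    fi
    stamp=$(date +%Y%m%d%H%M%S)
    for f in rui.crt rui.key; do
        if [ -f "$dir/$f" ]; then
            cp -p "$dir/$f" "$dir/$f.bak.$stamp" || return 1
        fi
    done
    # cp onto an existing file keeps that file's mode and owner
    cp "$new_crt" "$dir/rui.crt" && cp "$new_key" "$dir/rui.key"
}

# Usage on the appliance (placeholder paths for the new pair):
#   for d in /etc/vmware-vpx/ssl /etc/vmware-rhttpproxy/ssl; do
#       replace_rui /root/new.crt /root/new.key "$d" || break
#   done
```

A mismatched or expired pair is rejected before anything in the target directory is touched, so a failed run leaves the existing files as they were.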