VMware Cloud Community
Techn9ne81x
Contributor

vSphere SSL Certificate update issues

Hello, I'm new here and my system is a closed network system so I can't share logs and things from that system, so I'll just have to explain my issues as best I can in the hopes of getting help. I am using vSphere 6.5~ and my vSphere client has issues auto-migrating and powering stuff on (restarts work).

I updated SSL certs on my system as a whole before they expired, but the initial update process went wrong and my certificates expired. I ran the certificate manager tool through an SSH login. Initially I used options 1 and 1 to create a certificate request and then 1 and 2 to use that created certificate to update my system. This seemingly went fine until a few weeks later the certs expired because the cert chain I created to use had a special character at the end and it didn't actually take properly. I then used certificate-manager again to use option 8 to reset all my certificates back to self-signed certificates, cleaned out all certificates and unpublished them, and then went back through the original method of option 1 and 2 with a proper chain cert to get back to good domain certs. During this process I noticed that my certificate said it updated 0 services and that this seemed odd to me, but it said it completed normally other than that and looking at the certificate manager log it seems like nothing went wrong.

This worked in that I could now log in with domain credentials and I can perform migrations and things like that, but it turns out I have other issues. DRS/HA can no longer auto-migrate without it getting stuck at 13% and the vSphere client can't tell machines to power on without them getting stuck at 0%. I discussed this with in-house support and we are leaning towards certificates likely being this issue, and the updated 0 services thing is still sticking out as an issue to me because I have two systems and the other one definitely said it updated 27~ services and is working fine when they both had the same initial issue of certs expiring.

Since this issue began I have tried multiple certificate-manager resets and even though it is creating new self-signed certs every time it never says that it updates any services. Is this the problem I think it is, or could my issue be elsewhere? We are also sort of leaning towards a corrupted vsphere-client.

I'm sorry I don't have screenshots since my system is closed network, but I will try to answer any questions if I can about what certain logs say and things like that. Thank you for any assistance in this matter.

bryanvaneeden
Hot Shot

Hi @Techn9ne81x,

Not 100% sure what the issue is here. But at first, if, as you say, even with all self-signed certificates there are issues, I am wondering the following:

  • Did you by any chance reboot the vCenter lately? Most of the time certificate issues rise up when vCenter Servers are rebooted since ALL services get restarted/started.
  • I've had multiple issues before with STS certificates not being correct or not working, please have a look at https://kb.vmware.com/s/article/79248. There might also be some interesting topics on my blog (vcloudvision.com). Like I said, I've had multiple issues with certificates on multiple vCenters in the years.

But yes as far as I know you are correct that the certificate-manager tool should replace certificates. If it says no services have been updated you might need to check the logs in: /var/log/vmware/vmcad/certificate-manager.log. This should definitely show you what is being done to the system.

Visit my blog at https://vcloudvision.com!