LearnerUser's Posts

I inherited a server running ESXi managed by VCentre with literally no documentation. Within weeks the certificates expired. Earlier this week I updated the STS certificate using https://kb.vmware.com/s/article/76719. After this I used certificate-manager as per https://kb.vmware.com/s/article/2097936 using option 8. Now vapi-endpoint won't start. Looking at endpoint.log I can see that it fails on SoapBindingImp - log extract below. For some reason it is trying to talk to VCSA-01.something.somethingelse when the name of the VCSA instance is VCSA-01a.something.somethingelse. In the updated certificates I used the value O=VCSA-01a.something.somethingelse. I assume this is something to do with the new certificates though I cannot find anything online which matches vapi-endpoint failing on SoapBindingImp online. Any thoughts on what the issue might be? _______________ EDIT - I have also included a list of stopped services in case that gives a clue. Also, vmware-vpxd-svcs fails with the same error. This time it is looking for the name VCSA-01a.something.somethingelse. _______________ vapi-endpoint Log extract: 2021-12-09T16:36:16.039Z | INFO | state-manager1 | DefaultStateManager | Invoking http-server 2021-12-09T16:36:16.040Z | INFO | state-manager1 | BaseServerBuilder | Creating endpoint with name 'default' on address(es): 127.0.0.1, ::1 with port: 12346 2021-12-09T16:36:16.057Z | INFO | state-manager1 | DefaultJettyServer | Logging initialized @4087ms to com.vmware.vapi.endpoint.http.DefaultJettyServer$JettyLogWrapper 2021-12-09T16:36:16.134Z | WARN | state-manager1 | BaseServerBuilder | Failed to bind /0:0:0:0:0:0:0:1:12346 while testing the endpoint validity java.net.SocketException: Protocol family unavailable ... 2021-12-09T16:36:16.136Z | WARN | state-manager1 | BaseServerBuilder | Hostname ::1 was found to be invalid and removed from the configuration 2021-12-09T16:36:16.305Z | INFO | state-manager1 | BaseServerBuilder | Starting endpoint with name 'default' on address(es): 127.0.0.1, ::1 with port: 12346 2021-12-09T16:36:16.360Z | INFO | state-manager1 | DefaultJettyServer | Starting jetty server. 2021-12-09T16:36:16.431Z | INFO | state-manager1 | BaseServerBuilder | Started endpoint with name 'default' on address(es): 127.0.0.1, ::1 with port: 12346. 2021-12-09T16:36:16.431Z | INFO | state-manager1 | DefaultStateManager | Invoking cis-sso-settings-builder 2021-12-09T16:36:16.747Z | INFO | state-manager1 | CertificateUtil | Creating anonymous SSO Admin Client for URI https://VCSA-01.something.somethingelse/sso-adminserver/sdk/vsphere.local 2021-12-09T16:36:17.017Z | INFO | state-manager1 | DefaultStateManager | Invoking sts-builder 2021-12-09T16:36:17.776Z | ERROR | state-manager1 | SoapBindingImpl | Error communicating to the remote server https://VCSA-01.something.somethingelse/sts/STSService/vsphere.local com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching VCSA-01.something.somethingelse found. at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(HttpClientTransport.java:117)    vmware-vpxd-svcs Log extract: 2021-12-10T11:55:49.834Z [main ERROR com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] Error communicating to the remote server https://VCSA-01a.something.somethingelse/sts/STSService/vsphere.local com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching VCSA-01a.something.somethingelse found.   Stopped Services: vmcam vmware-content-library vmware-imagebuilder vmware-mbcs vmware-netdumper vmware-rbd-watchdog vmware-sca vmware-sps vmware-updatemgr vmware-vapi-endpoint vmware-vcha vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vsan-dps

I have inherited a server running ESXi 6.7.0. ESXi hosts a VM running VMware Photon OS which hosts a VCSA instance. This VCSA instance manages the ESXi host. I think the STS certificates have become invalid. How can I confirm this and how can I fix this? Can I do this fix (https://kb.vmware.com/s/article/76719) in ESXi? Background: 1. When I enter the hostname into a browser without stating the port it takes me to a page with the title, "VMware® vSphere". When I attempt to log in I get the error message "User name and password are required". If I make a typo I get the invalid credentials error which tells me that the credentials are correct otherwise. 2. When I enter the hostname and specify port 5480 it takes me to a page with the title, "VMware Appliance Management". When I attempt to log in I get the error message "Exception in invoking authentication handler [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:719)". 3. Reading up on the error message it sounds like it is generated by Python when SSL certificates being used are invalid. I think this means that the certificates used for my VCSA instance are no longer valid.  4. ESXi has a certificate under Security and Users > Certificates. There is also a message saying, "This host's certificates are being managed by vCenter Server, you cannot configure them using the Host Client."