Hello,
When applying a certificate from our Microsoft CA (I followed the VMware article/video on how to create a certificate template) to our vCenter (Windows) server, it fails and rolls back. The issue I'm getting is the same as the following discussion posted a few months back. However, there's no fix provided: certificate-manager 'lstool reregister' failed: 1 / VCSA Certificate Manager Option 1: Replace Machi...
The error in the log:
2017-10-19T00:26:19.474Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log for more information.
2017-10-19T00:26:19.474Z ERROR certificate-manager 'lstool reregister' failed: 1
2017-10-19T00:26:19.476Z INFO certificate-manager Performing rollback of Machine SSL Cert...
Is there an actual fix to this that can be made available instead of me having to call VMware support?
Thanks!
Check if this is relevant to your issue. ERROR certificate-manager 'lstool get' failed: 1 (2150057) | VMware KB
I found that link already, but clicking on it takes me to a page saying the document is not available.
This is what it's saying...
Thanks.
This is what I get:
You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Get site nameCompleted [Replacing Machine SSL Cert...]
default-first-site
Lookup all services
Get service default-first-site:cf187289-fe8f-4334-8d69-1217a9cca96b
Update service default-first-site:cf187289-fe8f-4334-8d69-1217a9cca96b; spec: c:\users\username\appdata\local\temp\svcspec_j4n77e
Status : 0% Completed [Operation failed, performing automatic rollback]
Error while replacing Machine SSL Cert, please see C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log for more information.
Performing rollback of Machine SSL Cert...
Get site nameus : 0% Completed [Rollback Machine SSL Cert...]
default-first-site
Lookup all services
Get service default-first-site:cf187289-fe8f-4334-8d69-1217a9cca96b
Don't update service default-first-site:cf187289-fe8f-4334-8d69-1217a9cca96b
Get service default-first-site:51b61283-1edf-4db8-a8e9-a2120729a78e
I'm not aware of any extensions...
Upload the certificate-manager.log file here. Also make sure you have taken a snapshot of vCenter and a backup of the DB before making these changes.
As you can see in the logs: "Error while publishing cert using dir-cli."
Try to do it manually and check what the result is.
/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/ssl/chain.crt
That works. The root certificate is "published successfully".
Do I do something similar with the custom certificate and key next?
Yes, check if it shows any error.
I needed to add administrator@vsphere.local to the Administrators group. After adding the SSO account to that group, I didn't get the lstool reregister error anymore.
Thanks a lot AschrafCommunity -- that solved this for me. In this particular vCenter's case our "local" domain has a non-standard name (i.e., it's not "vsphere.local"), which makes me wonder if that has anything to do with the local SSO administrator account no longer being a member of the group. Either way, after adding the local SSO admin (back?) to the local Administrators group, I was able to replace the machine SSL certificate.
I don't have a web interface running. How do I add a user to a group via the CLI? I tried "dir-cli group modify --name administrators", but it didn't help.
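As an added example (not code from this thread or from VMware), the script below strings together the three steps the replies above arrive at on a Windows vCenter: publish the CA chain with dir-cli, check that the SSO administrator is a member of the vmdir Administrators group (which is the group dir-cli group modify operates on) and add it if it is not, then re-run certificate-manager. The install paths, the chain file path, the SSO domain and the exact dir-cli syntax for "group list --name" and "group modify --name --add" are assumptions here; check them against your own install and the dir-cli help output before running it.

```powershell
# Added example, not from the thread or from VMware.
# Assumptions (hypothetical, adjust to your install): default install paths below,
# a placeholder chain file, and the dir-cli sub-command syntax used here.

$SsoDomain = 'vsphere.local'   # set to your own SSO domain if it is non-standard
$SsoUser   = 'administrator'
$SsoAdmin  = "$SsoUser@$SsoDomain"
$DirCli    = 'C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe'
$CertMgr   = 'C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager.bat'
$ChainPem  = 'C:\ssl\chain.crt'          # placeholder: full CA chain, PEM encoded

# dir-cli prompts for the password itself; reading it once avoids three prompts.
$Password = Read-Host -Prompt "Password for $SsoAdmin"
$Auth = @('--login', $SsoAdmin, '--password', $Password)

function Invoke-DirCli {
    # Run one dir-cli sub-command with the SSO credentials and fail loudly on error.
    param([string[]]$Arguments)
    $out = & $DirCli @Arguments @Auth
    if ($LASTEXITCODE -ne 0) {
        throw "dir-cli $($Arguments -join ' ') failed with exit code $LASTEXITCODE`n$out"
    }
    return $out
}

# 1. Publish the CA chain (the step the reply above confirmed works manually).
Invoke-DirCli @('trustedcert', 'publish', '--cert', $ChainPem) | Out-Null
Write-Host "Published $ChainPem to the vmdir trusted certificate store."

# 2. Check the Administrators group membership and add the SSO admin if missing.
#    Assumption: "group list --name" prints the members, one per line, so a
#    whole-word match on the account name (not the group name "Administrators",
#    which has a trailing 's') tells us whether the admin is already a member.
$members = Invoke-DirCli @('group', 'list', '--name', 'Administrators')
$pattern = "(?i)\b$([regex]::Escape($SsoUser))\b"
if (-not ($members | Where-Object { $_ -match $pattern })) {
    Write-Host "$SsoAdmin is not in Administrators; adding it."
    Invoke-DirCli @('group', 'modify', '--name', 'Administrators', '--add', $SsoAdmin) | Out-Null
} else {
    Write-Host "$SsoAdmin is already a member of Administrators."
}

# 3. Re-run certificate-manager (interactive: option 1, custom certificate).
#    Take a VM snapshot and a DB backup first, as the reply above says.
& $CertMgr
```

If step 2 reports the admin as already a member but the "lstool reregister" failure persists, run the dir-cli group list command by hand and read its output directly; the membership test above is only as good as the assumed output format.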