VMware Cloud Community
joesvirtus
Contributor

Applying custom certificate in vSphere 6.5 using Microsoft CA template fails and rolls back

Hello,

When applying a certificate using our Microsoft CA (I followed the VMware article/video on how to create a certificate template) to our vCenter (Windows) server, it fails and rolls back. The issue I'm getting is the same as the following discussion posted a few months back. However, there's no fix provided: certificate-manager 'lstool reregister' failed: 1 / VCSA Certificate Manager Option 1: Replace Machi...

The error in the log:

2017-10-19T00:26:19.474Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log for more information.
2017-10-19T00:26:19.474Z ERROR certificate-manager 'lstool reregister' failed: 1
2017-10-19T00:26:19.476Z INFO certificate-manager Performing rollback of Machine SSL Cert...

Is there an actual fix to this that can be made available instead of me having to call VMware support?

Thanks!

12 Replies
vijayrana968
Virtuoso

0 Kudos
joesvirtus
Contributor

I found that link already, but clicking on it takes me to a page saying the document is not available.

0 Kudos
vijayrana968
Virtuoso

This is what it's saying...

[attached screenshot: Capture.JPG]

0 Kudos
joesvirtus
Contributor

Thanks.

This is what I get:

You are going to replace Machine SSL cert using custom cert
Continue operation : Option[Y/N] ? : Y
Get site nameCompleted [Replacing Machine SSL Cert...]
default-first-site
Lookup all services
Get service default-first-site:cf187289-fe8f-4334-8d69-1217a9cca96b
Update service default-first-site:cf187289-fe8f-4334-8d69-1217a9cca96b; spec: c:\users\username\appdata\local\temp\svcspec_j4n77e
Status : 0% Completed [Operation failed, performing automatic rollback]
Error while replacing Machine SSL Cert, please see C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log for more information.
Performing rollback of Machine SSL Cert...
Get site nameus : 0% Completed [Rollback Machine SSL Cert...]
default-first-site
Lookup all services
Get service default-first-site:cf187289-fe8f-4334-8d69-1217a9cca96b
Don't update service default-first-site:cf187289-fe8f-4334-8d69-1217a9cca96b
Get service default-first-site:51b61283-1edf-4db8-a8e9-a2120729a78e

I'm not aware of any extensions...

0 Kudos
vijayrana968
Virtuoso

Upload the file certificate-manager.log here. Also make sure you have taken a snapshot of vCenter and a backup of the DB before making these changes.

0 Kudos
joesvirtus
Contributor

I have attached the log. Thanks for your help, it's much appreciated!

0 Kudos
vijayrana968
Virtuoso

As you can see in the logs: "Error while publishing cert using dir-cli."

Try to do it manually and check what the result is.

/usr/lib/vmware-vmafd/bin/dir-cli trustedcert publish --cert /root/ssl/chain.crt

0 Kudos
joesvirtus
Contributor

That works. The root certificate is "published successfully".

Do I do something similar with the custom certificate and key next?

0 Kudos
vijayrana968
Virtuoso

Yes, check if it's showing any error.

0 Kudos
AchrafCommunity
Contributor

I needed to add administrator@vsphere.local to the Administrators group; after adding the SSO account to that group I didn't get the lstool reregister error anymore.

lmaxfield
Contributor

Thanks a lot AchrafCommunity -- that solved this for me. In this particular vCenter's case our "local" domain has a non-standard name (i.e., it's not "vsphere.local"), which makes me wonder if that has anything to do with the local SSO administrator account no longer being a member of the group. Either way, after adding the local SSO admin (back?) to the local Administrators group, I was able to replace the machine SSL certificate.

0 Kudos
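The replies above point at two different failure signatures in certificate-manager.log: the dir-cli publish error that vijayrana968 found, and the 'lstool reregister' failure that AchrafCommunity traced to SSO group membership. The script below is an added example (not from this thread, VMware, or any poster) that parses the log's timestamp/level/component/message format as quoted in the thread, picks out the ERROR lines, reports whether a rollback followed, and maps the signatures discussed here to the check each reply suggested. The sample log text is constructed for the example and modelled on the lines quoted in the thread; the signature-to-hint table only reflects what this thread's replies say, and is an assumption about which check applies first.

```python
import re

# Constructed sample, modelled on the certificate-manager.log lines quoted in this thread.
# The dir-cli line reproduces the message vijayrana968 quoted; the rest are the OP's lines.
SAMPLE_LOG = r"""
2017-10-19T00:26:12.120Z ERROR certificate-manager Error while publishing cert using dir-cli.
2017-10-19T00:26:19.474Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log for more information.
2017-10-19T00:26:19.474Z ERROR certificate-manager 'lstool reregister' failed: 1
2017-10-19T00:26:19.476Z INFO certificate-manager Performing rollback of Machine SSL Cert...
"""

# One log record: ISO timestamp, level, component, free-text message.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+(?P<msg>.*)$")

# Path mentioned in the wrapper error ("please see <path> for more information").
SEE_PATH = re.compile(r"please see (?P<path>\S+) for more information")

# Failure signatures seen in this thread, in the order they typically appear,
# each paired with the follow-up check the corresponding reply suggested.
# (Assumption: the earliest matching signature is the one to investigate first.)
KNOWN_FAILURES = [
    ("publishing cert using dir-cli",
     "dir-cli trustedcert publish failed: publish the CA chain manually with dir-cli and read its output"),
    ("'lstool reregister' failed",
     "lstool could not re-register services: confirm the SSO administrator account is in the local Administrators group"),
]


def parse_log(text):
    """Return one dict per well-formed log line; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def triage(text):
    """Summarise a certificate-manager run: errors, rollback, root-cause signature, hints."""
    events = parse_log(text)
    errors = [e for e in events if e["level"] == "ERROR"]
    rolled_back = any("rollback" in e["msg"].lower() for e in events)

    root_cause = None
    hints = []
    detail_log = None
    for e in errors:
        m = SEE_PATH.search(e["msg"])
        if m and detail_log is None:
            detail_log = m.group("path")
        for signature, hint in KNOWN_FAILURES:
            if signature in e["msg"]:
                if root_cause is None:
                    root_cause = e["msg"]          # earliest specific failure wins
                if hint not in hints:
                    hints.append(hint)

    return {
        "error_count": len(errors),
        "rolled_back": rolled_back,
        "first_error": errors[0]["msg"] if errors else None,
        "root_cause": root_cause,
        "detail_log": detail_log,
        "hints": hints,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"errors: {summary['error_count']}, rolled back: {summary['rolled_back']}")
    print(f"root cause: {summary['root_cause']}")
    print(f"detail log: {summary['detail_log']}")
    for hint in summary["hints"]:
        print(f"- {hint}")
```

Run it against a real certificate-manager.log by passing the file contents to `triage()`; the generic "Error while replacing Machine SSL Cert" line is a wrapper message, so the script deliberately reports the earliest specific signature rather than that line as the root cause.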
Gosinform
Contributor

I don't have a web interface running. How do I add a user to a group by CLI? I tried "dir-cli group modify --name administrators"; it didn't help.

0 Kudos