VMware Cloud Community
KarimMasoud
Contributor

I can't access the vCenter web console, SSL certificate verification failed.

I have a problem related to my vCenter server:

1- If I try to access the web console using the IP, I get the following error: "no healthy upstream"
2- If I try to access the web console using the FQDN, I get the following error: "[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server - An error occurred when processing the metadata during vCenter Single Sign-On setup - Failed to connect to VMware Lookup Service https://vcenter.domain.local:443/lookupservice/sdk - SSL certificate verification failed."
3- But I can access the vCenter Server Management page normally (VCenterIP:5480)
4- Also, SSH access is not working: every time I enable it, it goes back to disabled.

I'm afraid that something is corrupted. Please, I need your support.
Version: 7.0.1.00100
Build Number: 17004997

5 Replies
Lara69
Contributor

I appreciate the information and advice you have shared. I will try to figure it out for more.
Mortendb
Contributor

Hi

Have you tried the following?

Log on to the vCenter console (the WebConsole / Remote Console)

Press F2 to log in to vCenter
Go to "Troubleshooting"
Enable BASH Shell
Press ALT-F3

Now log in as root
Type "shell" to get a root console
Use the certificate tool to reset certificates
To start it, just type "/usr/lib/vmware-vmca/bin/certificate-manager"

And follow this to reset the certificate:
https://kb.vmware.com/s/article/2097936

PS: You need to access vCenter through the ESXi host it's running on if it's not on another vCenter.

KarimMasoud
Contributor

@Mortendb Thanks for your reply.

I tried both options 4 and 7 from the shared article https://kb.vmware.com/s/article/2097936

but with no luck; it gives an error. Should I use option 8 "Reset all certificates"? And what may be the impact?

Actually, I'm not experienced with vCenter, and I'm really not sure what I should do.

KarimMasoud
Contributor

@Lara69 Thanks for your reply.

Let me know if there are any steps to follow.

Alex_Romeo
Leadership

Hi,

Check the status of services:  service-control --status --all

Surely these two services are stopped: "vmware-vpxd-svcs" and "vmware-vapi-endpoint".

First of all, we check whether and which vCenter certificates are expired. Run this command:

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

If there are no expired certificates, we also check the STS (Security Token Service).

To check if the STS certificate is expired, follow the kb: https://kb.vmware.com/s/article/79248

If the STS certificate has expired, please follow this kb: https://kb.vmware.com/s/article/76719

Let us know.

Regards,

Alex_Romeo

Blog: https://www.aleadmin.it/
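The expiry check in the last reply prints only "Alias" and "Not After" lines, which still have to be compared against today's date by eye. The following is an added example, not part of the thread or of any VMware tooling: a POSIX shell filter that classifies each entry as EXPIRED, EXPIRING or OK. The function names, the 30-day warning window and the sample listing are assumptions constructed for illustration, and date parsing relies on GNU `date -d`.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the listing format produced by the
# loop above: "[*] Store : NAME", then "Alias : X" and "Not After : <date> GMT".

# vecs_expiry NOW_EPOCH [WARN_DAYS]: reads the listing on stdin and prints
# STATUS<TAB>store<TAB>alias<TAB>days_left for every certificate found.
vecs_expiry() (
    now=$1; warn_days=${2:-30}; store="-"; alias_name="-"
    while IFS= read -r line; do
        case $line in
            "[*] Store :"*)
                store=${line#*: } ;;
            *Alias*:*)
                alias_name=$(printf '%s' "${line#*:}" | tr -d '[:space:]') ;;
            *"Not After"*:*)
                # GNU date parses the openssl text form ("Sep 24 14:52:48 2022 GMT").
                end=$(date -u -d "${line#*: }" +%s 2>/dev/null) || continue
                days=$(( (end - now) / 86400 ))   # truncates toward zero
                if [ "$end" -le "$now" ]; then status=EXPIRED
                elif [ $(( end - now )) -le $(( warn_days * 86400 )) ]; then status=EXPIRING
                else status=OK
                fi
                printf '%s\t%s\t%s\t%s\n' "$status" "$store" "$alias_name" "$days" ;;
        esac
    done
)

# Constructed sample listing (not real output from the poster's system).
sample_listing() {
    cat <<'EOF'
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Sep 24 14:52:48 2022 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
            Not After : Jan 15 08:00:00 2023 GMT
[*] Store : TRUSTED_ROOTS
Alias : constructed-root-ca
            Not After : Nov 20 10:00:00 2030 GMT
EOF
}

# Demo with a fixed reference time (2023-01-01 00:00:00 UTC) so the result is repeatable.
sample_listing | vecs_expiry 1672531200 30
```

On the appliance, the output of the `vecs-cli` loop can be piped into `vecs_expiry "$(date +%s)"` instead of the sample listing.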