sachakerres
Contributor

MACHINE_CERT expired

Our certificate is expired

[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Sep 14 02:02:36 2022 GMT

So I used Certificate Manager to replace Machine SSL (Option 3).

After username and password, I get this output:

Please configure certool.cfg with proper values before proceeding to next step.

Certificate Manager tool do not support vCenter HA systems

=> nothing happened

The log shows:

2022-09-14T14:26:35.185Z INFO certificate-manager Running command : ['/usr/lib/vmware-vmafd/bin/dir-cli', 'service', 'list', '--login', 'Administrator@vsphere.local', '--password', '*****']
2022-09-14T14:26:35.210Z INFO certificate-manager Output :
1. machine-4dddda51-5e78-47df-951a-5ea419749fa1
2. vsphere-webclient-4dddda51-5e78-47df-951a-5ea419749fa1
3. vpxd-4dddda51-5e78-47df-951a-5ea419749fa1
4. vpxd-extension-4dddda51-5e78-47df-951a-5ea419749fa1
5. hvc-4dddda51-5e78-47df-951a-5ea419749fa1
6. wcp-4dddda51-5e78-47df-951a-5ea419749fa1

2022-09-14T14:26:35.210Z INFO certificate-manager Authentication successful
2022-09-14T14:26:35.211Z INFO certificate-manager Running command : ['/usr/lib/vmware-vmafd/bin/dir-cli', 'service', 'list', '--login', 'Administrator@vsphere.local', '--password', '*****']
2022-09-14T14:26:35.229Z INFO certificate-manager Output :
1. machine-4dddda51-5e78-47df-951a-5ea419749fa1
2. vsphere-webclient-4dddda51-5e78-47df-951a-5ea419749fa1
3. vpxd-4dddda51-5e78-47df-951a-5ea419749fa1
4. vpxd-extension-4dddda51-5e78-47df-951a-5ea419749fa1
5. hvc-4dddda51-5e78-47df-951a-5ea419749fa1
6. wcp-4dddda51-5e78-47df-951a-5ea419749fa1

2022-09-14T14:26:35.230Z INFO certificate-manager Running command : ['/usr/lib/vmware-vmafd/bin/vecs-cli', 'store', 'list']
2022-09-14T14:26:35.243Z INFO certificate-manager Output :
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
hvc
data-encipherment
APPLMGMT_PASSWORD
SMS
wcp
BACKUP_STORE

2022-09-14T14:26:35.244Z INFO certificate-manager Running command :- service-control --start vmafdd
2022-09-14T14:26:35.244Z INFO certificate-manager please see service-control.log for service status
2022-09-14T14:26:35.483Z INFO certificate-manager Command executed successfully
2022-09-14T14:26:35.484Z INFO certificate-manager Running command :- service-control --start vmcad
2022-09-14T14:26:35.484Z INFO certificate-manager please see service-control.log for service status
2022-09-14T14:26:35.750Z INFO certificate-manager Command executed successfully
2022-09-14T14:26:35.750Z INFO certificate-manager Running command :- service-control --start vmdird
2022-09-14T14:26:35.750Z INFO certificate-manager please see service-control.log for service status
2022-09-14T14:26:35.997Z INFO certificate-manager Command executed successfully
2022-09-14T14:26:35.997Z INFO certificate-manager Performing operation on embedded setup using 'localhost' as server
2022-09-14T14:26:35.997Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmafd/bin/vecs-cli', 'entry', 'getcert', '--store', 'MACHINE_SSL_CERT', '--alias', '__MACHINE_CERT', '--output', '/var/tmp/vmware/old_machine_ssl.crt']
2022-09-14T14:26:36.17Z INFO certificate-manager Command output :-

2022-09-14T14:26:36.17Z INFO certificate-manager Command executed successfully
2022-09-14T14:26:36.17Z INFO certificate-manager Selected operation: Replace SSL certificate with VMCA Certificate
2022-09-14T14:26:36.17Z INFO certificate-manager Running command : ['/usr/lib/vmware-vmafd/bin/vmafd-cli', 'get-pnid', '--server-name', 'localhost']
2022-09-14T14:26:36.36Z INFO certificate-manager Output :
vcenter.XXXXXXX.loc

2022-09-14T14:26:36.36Z INFO certificate-manager Running command : ['/usr/lib/vmware-vmafd/bin/vmafd-cli', 'get-machine-id', '--server-name', 'localhost']
2022-09-14T14:26:36.54Z INFO certificate-manager Output :
4dddda51-5e78-47df-951a-5ea419749fa1

2022-09-14T14:26:36.54Z INFO certificate-manager Please configure certool.cfg with proper values before proceeding to next step.
2022-09-14T14:26:36.54Z INFO certificate-manager Certificate Manager tool do not support vCenter HA systems

 

 

0 Kudos
1 Solution

Accepted Solutions
sachakerres
Contributor

We rolled back to version 7.0.1 and used https://kb.vmware.com/s/article/76719. This fixed the certificate problem.

We tried to update to 7.0.3, but this failed again. So we stay with 7.0.1....


0 Kudos
4 Replies
a_p_
Leadership

Please verify whether the directory /var/tmp/vmware exists, and create it if it doesn't. Then run the certificate manager again.

André

0 Kudos
sachakerres
Contributor

Directory exists and contains files and directories

drwxr-xr-x 3 analytics analytics 4096 Sep 13 2020 analytics
drwxr-xr-x 3 cis-license cis-license 4096 May 4 07:25 cis-license
drwxr-xr-x 3 eam root 4096 Sep 13 2020 eam
-rw------- 1 vmafdd-user lwis 1441 Sep 14 14:44 old_machine_ssl.crt

So, I moved it and reran the manager. No new certificate...

BTW: there is another expired certificate:

[*] Store : wcp
Alias : wcp
Not After : Sep 13 14:00:56 2022 GMT
[*] Store : BACKUP_STORE

 

0 Kudos
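Added example, not part of any post in this thread and not VMware tooling: a small Python parser for the Store / Alias / Not After listing quoted above, reporting expired entries and those expiring within a warning window, so that a second certificate such as `wcp` is noticed alongside the machine SSL one. The function names, the 30-day window and the sample text are assumptions; the `machine` and `vpxd` dates in the sample are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Sep 14 02:02:36 2022 GMT
[*] Store : machine
Alias : machine
Not After : Oct  3 09:15:00 2022 GMT
[*] Store : vpxd
Alias : vpxd
Not After : Sep  8 14:10:56 2024 GMT
[*] Store : wcp
Alias : wcp
Not After : Sep 13 14:00:56 2022 GMT
[*] Store : BACKUP_STORE
"""  # constructed sample in the same layout as the listing quoted in the thread

LINE = re.compile(r"^(?:\[\*\]\s*)?(Store|Alias|Not After)\s*:\s*(.*?)\s*$")

def parse_listing(text):
    """Return (store, alias, not_after) tuples; a store with no entries yields nothing."""
    entries, store, alias = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        key, value = m.groups() if m else (None, None)
        if key == "Store":
            store, alias = value, None          # new store: forget the previous alias
        elif key == "Alias":
            alias = value
        elif key == "Not After" and store and alias:
            when = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
            entries.append((store, alias, when.replace(tzinfo=timezone.utc)))
    return entries

def classify(entries, now, warn_days=30):
    """Split entries into expired and expiring within warn_days, soonest first."""
    expired, expiring = [], []
    for store, alias, not_after in sorted(entries, key=lambda e: e[2]):
        if not_after <= now:
            expired.append((store, alias))
        elif not_after - now <= timedelta(days=warn_days):
            expiring.append((store, alias, (not_after - now).days))
    return expired, expiring

if __name__ == "__main__":
    now = datetime(2022, 9, 14, 14, 26, 35, tzinfo=timezone.utc)  # time of the log above
    print(classify(parse_listing(SAMPLE), now))
```
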
mikac
Contributor

Hi sachakerres,

What was the solution for the wcp cert? Can you please share it with us?

I've got vCenter in HA mode as well, rolling back is not an option....

0 Kudos