Highlighted
Enthusiast
Enthusiast

Replacing expired the Lookup Service SSL certificate on a Platform Services Controller 6.0

Good afternoon. We have a problem like this one: https://virtuallyunderstood.wordpress.com/2016/08/03/troubleshooting-expired-psc-certificates-with-v...  After upgrading vcenter from version 5.5 to 6.0 and then to 6.0U3, we encountered a problem that affects the expired certificate of the PSC on port 7444. As far as I know, since version 6.0, PSC uses port 433, and port 7444 is left to manage vcenter 5.5 versions. I found just such an article, which describes an almost similar situation, although our PSC starts and works, but only on port 7444 there is an old certificate, because of this NSX-V does not connect to the lookup service on ports 433 and 7444. The question is necessary for us to carry out point 9 of this instruction, since we have vCenter 6.0. https://kb.vmware.com/s/article/2118939#WinVC  I'm confused.

1.PNG

2.PNG

 I also found an article in which it is proposed to replace the expired certificate from the PSC on port 7444 with a machine certificate by simple copying, but our vCenter does not have the store STS_INTERNAL_SSL_CERT, https://kb.vmware.com/s/article/68155  this option would certainly be preferable, who can help please?

All our stores:

MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vpxd
vpxd-extension
vsphere-webclient
SMS
0 Kudos
4 Replies
Highlighted
VMware Employee
VMware Employee

@vilkasimov 
Moderator: Moved to vCenter Server Discussions

0 Kudos
Highlighted
Commander
Commander

Hey @vilkasimov,

Take a look at the next post that will help you understand: https://virtuallyunderstood.wordpress.com/2016/08/03/troubleshooting-expired-psc-certificates-with-v...

Basically since vSphere 6 the Lookup Service Certificate is presented by the RHTTP Proxy service on port 443, however it is still uses the port 7444 for backward compatibility with vCenter Server 5.5 as it could be used externally while doing an upgrade or you could have more than one.

Follow the KB you found exactly and it will help you fix your issue, and for NSX-V you will need to update the URL to 443 and not use lookup service anymore as it could work now but for example in version 6.5 it does not anymore.

0 Kudos
Highlighted
Enthusiast
Enthusiast

Hey @Lalegre .

Thank you for your reply. Well, if I follow the steps of KB https://kb.vmware.com/s/article/2118939#WinVC , then I have a question, after the 9th point in which the ssoserver certificate is replaced, the 10th point is described in which they ask to update the certificate also to the vcenter for the lookup service, if it is version 5.5. We already have version 6.0 U3 installed. I understand correctly that we need to skip this 10 point and follow the 11 point, in which we need to restart the PSC services? 🤔

3.PNG

0 Kudos
Highlighted
Commander
Commander

That is right!

0 Kudos