VMware Update Manager service won't start because it still expects an old expired certificate.


I am quite new to the VMware world and it is my first forum post, so please be patient with me. I hope that I am right here.

Our VMCA root certificate expired in February. In the beginning we had some trouble, but we managed to exchange the machine certificate for a valid certificate, so we could access the vSphere Client again without a certificate error message. But we weren't able to exchange the root certificate itself. 4 months later, I may have just stumbled upon the real reason. I noticed that vCenter Backup hasn't been running since the old certificate expired. When I tried to do a manual backup, I got the error message that the VMware Update Manager service isn't running, and it is not possible for me to start this service. After some digging I found out that the service has a certificate problem and still expects the old expired certificate.

source: /var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log



2021-06-17T09:01:38.717+02:00 error vmware-vum-server[27803] [Originator@6876 sub=vmomi.soapStub[41]] Resetting stub adapter for server <cs p:00007f9ed85723e0,> : service state request failed: N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: BB:67:FD:2B:DF:4F:B2:C1:C3:08:AC:63:C3:80:84:7E:39:11:C0:10
--> ExpectedThumbprint: FD:7F:43:2B:75:87:57:6F:21:2B:EB:0C:B9:66:03:B4:FA:35:2C:B1
--> ExpectedPeerName:
--> The remote host certificate has these problems:
--> * self signed certificate in certificate chain)




I also figured out that I probably couldn't replace the VMCA root certificate because this service couldn't start. I have already tried to reset all certificates, but it didn't work (see below). It replaces all certificates which are visible to me with self-signed certificates, but the VMware Update Manager service still expects the old root certificate and cannot be started.


                 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
                |                                                                     |
                |      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
                |                                                                     |
                |                   -- Select Operation --                            |
                |                                                                     |
                |      1. Replace Machine SSL certificate with Custom Certificate     |
                |                                                                     |
                |      2. Replace VMCA Root certificate with Custom Signing           |
                |         Certificate and replace all Certificates                    |
                |                                                                     |
                |      3. Replace Machine SSL certificate with VMCA Certificate       |
                |                                                                     |
                |      4. Regenerate a new VMCA Root Certificate and                  |
                |         replace all certificates                                    |
                |                                                                     |
                |      5. Replace Solution user certificates with                     |
                |         Custom Certificate                                          |
                |                                                                     |
                |      6. Replace Solution user certificates with VMCA certificates   |
                |                                                                     |
                |      7. Revert last performed operation by re-publishing old        |
                |         certificates                                                |
                |                                                                     |
                |      8. Reset all Certificates                                      |
                |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y

Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@vsphere.local
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : n
Continue operation : Option[Y/N] ? : y

You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site nameCompleted [Reset Machine SSL Cert...]
Lookup all services
Updated 0 service(s)
Status : 60% Completed [Reset vpxd-extension Cert...]
2021-06-17T06:44:51.647Z  Updating certificate for "com.vmware.imagebuilder" extension

Reset status : 85% Completed [starting services...]
Error while starting services, please see service-control log for more details
Status : 0% Completed [Reset operation failed]

please see /var/log/vmware/vmcad/certificate-manager.log for more information.



My main goal is to get this VMware Update Manager service up and running again. I think this "ExpectedThumbprint" is the key and I need to replace it somehow, but I don't know how. I hope someone has an idea.


We are using VMware vSphere Build 14070654.

Our certificates are coming from our own internal PKI. The Root CA from our PKI is in the trusted root certificates.
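
An added example, not part of the original post: a small Python parser for the SSLVerifyException entry quoted above. It pulls out the peer and expected thumbprints and flags entries where the service is pinned to a thumbprint the peer no longer presents. The function names are illustrative, and `sha1_thumbprint` assumes the 20-byte thumbprints in the log are SHA-1 digests of the DER-encoded certificate, so a candidate certificate can be compared with the `ExpectedThumbprint` value.

```python
import hashlib
import re

# Log excerpt copied from the post (vmware-vum-server.log).
SAMPLE_LOG = """\
2021-06-17T09:01:38.717+02:00 error vmware-vum-server[27803] [Originator@6876 sub=vmomi.soapStub[41]] Resetting stub adapter for server <cs p:00007f9ed85723e0,> : service state request failed: N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: BB:67:FD:2B:DF:4F:B2:C1:C3:08:AC:63:C3:80:84:7E:39:11:C0:10
--> ExpectedThumbprint: FD:7F:43:2B:75:87:57:6F:21:2B:EB:0C:B9:66:03:B4:FA:35:2C:B1
--> ExpectedPeerName:
--> The remote host certificate has these problems:
--> * self signed certificate in certificate chain)
"""

HEADER = re.compile(r"^(\S+) \w+ (\S+?)\[\d+\] .*SSLVerifyException")
FIELD = re.compile(r"^--> (PeerThumbprint|ExpectedThumbprint|ExpectedPeerName):\s*(.*)$")
PROBLEM = re.compile(r"^--> \* (.*?)\)?$")


def parse_ssl_verify_failures(text):
    """Return one dict per SSLVerifyException entry, with its '-->' continuation lines."""
    events, current = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            current = {"time": header.group(1), "process": header.group(2), "problems": []}
            events.append(current)
        elif current is not None and line.startswith("-->"):
            field, problem = FIELD.match(line), PROBLEM.match(line)
            if field:
                current[field.group(1)] = field.group(2).strip()
            elif problem:
                current["problems"].append(problem.group(1))
        else:
            current = None  # any other line ends the current entry
    for event in events:
        expected = event.get("ExpectedThumbprint")
        # True when a thumbprint is pinned and the peer presents a different one.
        event["pinned_mismatch"] = bool(expected) and event.get("PeerThumbprint") != expected
    return events


def sha1_thumbprint(der_bytes):
    """Format a SHA-1 digest the way the log prints thumbprints (assumption: SHA-1 over DER)."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))
```
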

