beefy147
Enthusiast

vCenter 6.0 U1 - Replace machine SSL certificate, VMware Component Manager service fails to start

I have installed an external PSC (6.0 U1) and have attempted to replace the machine SSL certificate with a custom certificate from our CA.

I have tried using both the certificate-manager CLI and the new GUI-based replacement.

Both times the certificates were accepted, but when the services were restarted the VMware Component Manager service hangs and fails to restart.

I am using Windows and not the appliance.

Has anyone else experienced this?

[attachment: componentmanager.PNG]

9 Replies
beefy147
Enthusiast

I have continued to troubleshoot this problem. The certificate-manager rolls back the certificate replacement after a period without the service being able to start.

The signed certificate was submitted and returned as expected and is in date, with the correct PSC FQDN and within a certificate chain (root, subordinate, issuing).

The root64.cer contains this chain, yet the service still refuses to start.

I am going to log an SR with VMware, but I am wondering if any others have experienced this and if it's unique to Update 1.

I may try installing the non-Update PSC to see if that works.

beefy147
Enthusiast

I am trying to replace the PSC certificate prior to installing vCenter Server, but I get the impression this might be where I am going wrong and that it isn't supported until vCenter is installed.

Can anyone confirm?

turbopork
Contributor

Anyone? Anyone? This reminds me of Ferris. Save Ferris.

0 Kudos
beefy147
Enthusiast

[attachment: componentmanager1.PNG]

I have tried this 6 times today, using various KBs, guides and videos provided by VMware, with no success. Any help much appreciated.

0 Kudos
beefy147
Enthusiast

I installed vCenter and still have the issue (both PSC and vCenter are Windows 2012 R2 installs).

I have now logged an SR with VMware, as I guess from the lack of replies it's just me! :(

0 Kudos
noone01
Contributor

At VMworld 2015 there was a session, INF4529 - VMware Certificate Management for Mere Mortals, and it mentioned one caveat: the 24 Hours Rule (at 44:38). As I understand it, the signing certificate must have been valid for 24 hours before renewing host certificates or adding new hosts to vCenter. So, if you have just issued a certificate from your enterprise CA for the VMware CA, you need to wait 24 hours before issuing certificates for hosts.

Maybe that is your case.

0 Kudos
beefy147
Enthusiast

Thanks for the reply. I am not using the VMCA; I am applying certs the old way, directly from our MS CA, due to our internal restrictions.

However, it is certainly worth me trying again tomorrow morning when 24hrs have gone past. It seems a bit weird for a normal certificate.

I can see the logic if the VMCA is set as a subordinate, as the trusted certificate will need time to push to all the computers in AD (hence the 24hr recommendation) to be considered trusted. However, that's not what I am doing.

Will still try it though!

The only other thing I can think of is that we are using SHA-1 certificates. While I appreciate this isn't recommended, it doesn't say it's not supported, and we don't have a choice until we refresh our PKI setup next year.

Cheers

0 Kudos
admarshall
Contributor

I had the same problem trying to import commercial certificates, but this solved it for me.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=211157...

DanyDemers
Enthusiast

Thanks admarshall, I had the same issue: the VMware Component Manager service was not starting while trying to replace the solution certificate with our own CA-signed cert, and this solved my problem.

0 Kudos