3 Replies Latest reply on May 11, 2020 6:58 AM by msripada

    VCSA 6.7 - Cannot Replace Certificate

    shadragon Lurker

      I successfully created a Let's Encrypt cert for my homelab vCenter server (6.7.0.43000). I installed VCSA less than a week ago and all else is working correctly. I uploaded the new cert to the VCSA appliance and ran the built-in scripts in certificate-manager to install it. However, I hit this error during that process and it rolled back to the original:

      Previous MACHINE_SSL_CERT Subject Alternative Name does not match new MACHINE_SSL_CERTIFICATE Subject Alternative Name
      Performing rollback of Machine SSL cert

      The hostname of the server (vcenter.mydomain.mycountry) is exactly the same as the cert, and the SAN is also identical. I checked the original cert and it also has the same format domain name as the SAN. Everything is correct, old and new, but this keeps failing. Rebooted the server a few times, same error.

      Also, tried a wildcard cert but got the exact same error. I read VMware does not like wildcards, fair enough, but I'm not seeing how this is failing.

      Posted first on the Let's Encrypt forums and they say the cert and SAN are correct. So where is the obstacle?

      Thanks.

        • 1. Re: VCSA 6.7 - Cannot Replace Certificate
          msripada Expert
          vExpert

          Can you verify if there is a case sensitivity issue in the SAN field?

          VMware Knowledge Base

          Also, can you attach the certificate manager log from /var/log/vmware/vmca/certificate-manager.log

          thanks,

          MS
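The case-sensitivity check suggested above, as an added example that is not part of the original thread or of any VMware tooling. It takes the text that `openssl x509 -in <cert> -noout -ext subjectAltName` prints for the old and the new Machine SSL certificate and reports whether the SAN sets are identical, differ only in letter case (DNS names are case-insensitive under RFC 4343, but a byte-for-byte comparison of the strings is not), or genuinely differ in which entries they contain. The three SAN texts below are constructed samples; only the hostname is taken from the thread.

```python
"""Compare Subject Alternative Name (SAN) entries of an old and a new certificate.

Added example; not code from the thread or from VMware. Input is the text that
`openssl x509 -in <cert> -noout -ext subjectAltName` prints for each certificate.
"""
import re
from typing import Dict, List

# Constructed sample: openssl output for a hypothetical old Machine SSL cert
OLD_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:vcenter.mydomain.mycountry, IP Address:192.0.2.10
"""

# Constructed sample: a new cert whose DNS name differs only in case
NEW_SAN_TEXT_CASE_ONLY = """X509v3 Subject Alternative Name:
    DNS:VCenter.MyDomain.MyCountry, IP Address:192.0.2.10
"""

# Constructed sample: a new cert that really is missing an entry
NEW_SAN_TEXT_MISSING = """X509v3 Subject Alternative Name:
    DNS:vcenter.mydomain.mycountry
"""

# One SAN entry as openssl prints it: "<type>:<value>", comma-separated
SAN_ENTRY = re.compile(r"(DNS|IP Address|email|URI):([^,\n]+)")


def parse_san(text: str) -> List[str]:
    """Return SAN entries as 'TYPE:value' strings, exactly as openssl printed them."""
    return [f"{kind}:{value.strip()}" for kind, value in SAN_ENTRY.findall(text)]


def normalize(entry: str) -> str:
    """Canonical form for comparison: DNS names lower-cased, trailing dot removed."""
    kind, _, value = entry.partition(":")
    if kind == "DNS":
        value = value.lower().rstrip(".")
    return f"{kind}:{value}"


def compare_san(old_text: str, new_text: str) -> Dict[str, object]:
    """Classify how the new cert's SAN differs from the old one's.

    exact_match          -> the strings are identical (what a strict check wants)
    case_only_difference -> same names, different letter case only
    missing_in_new / extra_in_new -> real differences after normalization
    """
    old_raw, new_raw = parse_san(old_text), parse_san(new_text)
    exact = set(old_raw) == set(new_raw)
    old_norm = {normalize(e) for e in old_raw}
    new_norm = {normalize(e) for e in new_raw}
    return {
        "exact_match": exact,
        "case_only_difference": (not exact) and old_norm == new_norm,
        "missing_in_new": sorted(old_norm - new_norm),
        "extra_in_new": sorted(new_norm - old_norm),
    }


if __name__ == "__main__":
    for label, new in (("case-only", NEW_SAN_TEXT_CASE_ONLY),
                       ("missing entry", NEW_SAN_TEXT_MISSING)):
        print(label, compare_san(OLD_SAN_TEXT, new))
```

A `case_only_difference` result means the certificate would be accepted by any name-matching client but can still trip a tool that compares the SAN strings literally; re-issuing the certificate with the exact spelling of the old one is the quick fix for that case, while entries under `missing_in_new` point at a real SAN mismatch.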

          • 2. Re: VCSA 6.7 - Cannot Replace Certificate
            shadragon Lurker

            Good Day,

            All domain FQDNs on the host, vCenter and cert were entered lower case. I tried it again last night and during the install, the web client came up as valid with the new certificate, then was lost during the rollback. So whatever the issue, the cert isn't it.

            Here are the services I'm running.

            Stopped:

            vmcam vmware-imagebuilder vmware-mbcs vmware-netdumper vmware-postgres-archiver vmware-rbd-watchdog vmware-vcha vsan-dps

            Running:

            applmgmt lwsmd pschealth vmafdd vmcad vmdird vmdnsd vmonapi vmware-analytics vmware-certificatemanagement vmware-cis-license vmware-cm vmware-content-library vmware-eam vmware-perfcharts vmware-pod vmware-rhttpproxy vmware-sca vmware-sps vmware-statsmonitor vmware-sts-idmd vmware-stsd vmware-topologysvc vmware-updatemgr vmware-vapi-endpoint vmware-vmon vmware-vpostgres vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vmware-vsm vsphere-client vsphere-ui

            Here's the certificate-manager.log section. Underlined section is where I think the error is. It's the only error in the log.

            2020-05-07T23:18:02.473Z INFO certificate-manager Running command : ['s', 'e', 'r', 'v', 'i', 'c', 'e', '-', 'c', 'o', 'n', 't', 'r', 'o', 'l', ' ', '-', '-', 's', 't', 'o', 'p', ' ', '-', '-', 'i', 'g', 'n', 'o', 'r', 'e', ' ', ' ', '-', '-', 'a', 'l', 'l', ' ', '-', '-', 'v', 'm', 'o', 'n', '-', 'p', 'r', 'o', 'f', 'i', 'l', 'e', ' ', 'A', 'L', '*****']
            2020-05-07T23:18:02.473Z INFO certificate-manager please see service-control.log for service status
            2020-05-07T23:18:25.883Z INFO certificate-manager Command executed successfully
            2020-05-07T23:18:25.883Z INFO certificate-manager all services stopped successfully.
            2020-05-07T23:18:25.883Z INFO certificate-manager None
            2020-05-07T23:18:35.893Z INFO certificate-manager Running command :- service-control --start  --all
            2020-05-07T23:18:35.894Z INFO certificate-manager please see service-control.log for service status
            Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start vpxd services. Error: Service crashed while starting
            2020-05-07T23:24:07.606Z ERROR certificate-manager None
            2020-05-07T23:24:07.606Z ERROR certificate-manager Error while starting services, please see service-control log for more details
            2020-05-07T23:24:07.607Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
            2020-05-07T23:24:07.607Z ERROR certificate-manager {
                "resolution": null,
                "detail": [
                    {
                        "localized": "An error occurred while invoking external command : 'None'",
                        "translatable": "An error occurred while invoking external command : '%(0)s'",
                        "args": [
                            "None"
                        ],
                        "id": "install.ciscommon.command.errinvoke"
                    },
                    "Error while starting services, please see service-control log for more details"
                ],
                "problemId": null,
                "componentKey": null
            }
            2020-05-07T23:24:07.609Z INFO certificate-manager Performing rollback of Machine SSL Cert...
            2020-05-07T23:24:07.609Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmafd/bin/vecs-cli', 'entry', 'getkey', '--store', 'BACKUP_STORE', '--alias', 'bkp___MACHINE_CERT', '--output', '/storage/certmanager/rollback/MACHINE_SSL_CERT_bkp.priv']
            2020-05-07T23:24:07.619Z INFO certificate-manager Command output :-
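A small triage script for the log excerpt above, added here as an example and not part of the thread or of VMware's tooling. It parses lines in the `certificate-manager.log` shape (`<timestamp> <LEVEL> certificate-manager <message>`), attaches any lines without a timestamp to the entry before them (that is where service-control's own stderr lands, as with the `Service-control failed` line above), and then reports the first ERROR, the command that was running when it happened, which service that command says failed to start, and whether a rollback followed. The sample log is constructed from the wording and timestamps in the post, not a real capture; the `Failed to start <name> services` pattern is an assumption based on the one line visible here.

```python
"""Triage a VCSA certificate-manager.log excerpt: first error, failing command, crashed service.

Added example; not code from the thread or from VMware. The log format
(timestamp, level, component, message; untimestamped continuation lines)
is inferred from the excerpt posted in the thread.
"""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the posted excerpt (not a real capture)
SAMPLE_LOG = """\
2020-05-07T23:18:35.893Z INFO certificate-manager Running command :- service-control --start  --all
2020-05-07T23:18:35.894Z INFO certificate-manager please see service-control.log for service status
Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start vpxd services. Error: Service crashed while starting
2020-05-07T23:24:07.606Z ERROR certificate-manager None
2020-05-07T23:24:07.606Z ERROR certificate-manager Error while starting services, please see service-control log for more details
2020-05-07T23:24:07.609Z INFO certificate-manager Performing rollback of Machine SSL Cert...
"""

# <ISO-8601 timestamp>Z <LEVEL> <component> <message>
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}T[\d:.]+Z) (\w+) (\S+) (.*)$")


def parse_log(text: str) -> List[Dict[str, object]]:
    """Split the log into entries; untimestamped lines become continuation of the previous entry."""
    entries: List[Dict[str, object]] = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            ts, level, component, message = m.groups()
            entries.append({"ts": ts, "level": level, "component": component,
                            "message": message, "continuation": []})
        elif entries and raw.strip():
            entries[-1]["continuation"].append(raw)  # stderr, JSON bodies, etc.
    return entries


def triage(entries: List[Dict[str, object]]) -> Optional[Dict[str, object]]:
    """Summarize the first ERROR: preceding command, captured output, crashed service, rollback."""
    err_idx = next((i for i, e in enumerate(entries) if e["level"] == "ERROR"), None)
    if err_idx is None:
        return None
    cmd_idx = next((i for i in range(err_idx - 1, -1, -1)
                    if str(entries[i]["message"]).startswith("Running command")), None)
    command = None
    if cmd_idx is not None:
        # Both "Running command : ..." and "Running command :- ..." appear in the log
        command = re.sub(r"^Running command :-?\s*", "", str(entries[cmd_idx]["message"]))
    start = cmd_idx if cmd_idx is not None else 0
    # Untimestamped lines between the command and the first ERROR are the tool's own output
    captured = [c for e in entries[start:err_idx] for c in e["continuation"]]
    crashed = None
    for line in captured:
        # Assumed pattern, based on the one service-control line in the thread
        m = re.search(r"Failed to start (\S+) services", line)
        if m:
            crashed = m.group(1)
            break
    rolled_back = any("rollback" in str(e["message"]).lower() for e in entries[err_idx:])
    return {
        "first_error_ts": entries[err_idx]["ts"],
        "failing_command": command,
        "captured_output": captured,
        "crashed_service": crashed,
        "rolled_back": rolled_back,
    }


if __name__ == "__main__":
    print(triage(parse_log(SAMPLE_LOG)))
```

On the excerpt in the post this points at `service-control --start --all` and `vpxd` rather than at the certificate itself, which is the same reading the next reply gives; the next place to look is then the vpxd log, not the SAN.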

            • 3. Re: VCSA 6.7 - Cannot Replace Certificate
              msripada Expert
              vExpert

              Looks like the vpxd service crashed. Could you check the old vpxd log (maybe one number less than the highest number) under /var/log/vmware/vpxd,

              or upload the last 5 logs (highest number) to the link

              thanks,

              MS