vCenter appliance machine cert expired
One of our customers had insufficient vCenter monitoring and ran into the issue that the machine certificate inside the vCenter appliance had expired, so some of the services stopped working. One of those services is the web UI, so you can no longer log into vCenter. Logging in to the vCenter appliance management interface on port 5480 as root is still possible!
To check the vCenter appliance certificates, we need to log in with SSH and run the command:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"; done;
Now we can see all the certificates installed, with the "Not After" date of each. We can already see here that the __MACHINE_CERT entry is expired.
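The loop above prints the expiry dates for a human to read. As an added example (not part of the original post), the same check reworked into a script that flags every VECS entry that is already expired or expires within a warning window, which is the monitoring this customer was missing; it assumes GNU date, as shipped on the Photon-based appliance, and feeds itself a constructed sample so it can be tried offline.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: turns the post's vecs-cli check into a
# monitoring test that flags VECS entries already expired or expiring within WARN_DAYS.
# Assumes GNU date (the Photon-based appliance ships it) to parse the "Not After" field.
WARN_DAYS="${WARN_DAYS:-30}"

# Reads `vecs-cli entry list --store <s> --text` output on stdin and prints one
# "<STATUS> <alias> <days-left>" line per certificate; returns 1 if any entry is
# EXPIRED or EXPIRING, so it can drive an alert. $1 optionally fixes "now" (epoch secs).
check_vecs_expiry() {
    local now="${1:-$(date -u +%s)}"
    local line alias="" not_after expiry days rc=0
    while IFS= read -r line; do
        case "$line" in
            Alias*) set -- ${line#*:}; alias="$1" ;;              # "Alias : __MACHINE_CERT"
            *"Not After"*)
                set -- ${line#*Not After*:}; not_after="$*"      # "Mar 13 00:00:00 2025 GMT"
                expiry=$(date -u -d "$not_after" +%s) || { echo "UNPARSABLE $alias"; rc=1; continue; }
                days=$(( (expiry - now) / 86400 ))               # truncates toward zero
                if   [ "$days" -lt 0 ];            then echo "EXPIRED $alias $days";  rc=1
                elif [ "$days" -le "$WARN_DAYS" ]; then echo "EXPIRING $alias $days"; rc=1
                else                                    echo "OK $alias $days"
                fi ;;
        esac
    done
    return "$rc"
}

# Live use on the appliance: the same store loop as the post, minus the CRL store.
scan_all_stores() {
    local vecs=/usr/lib/vmware-vmafd/bin/vecs-cli store rc=0
    for store in $("$vecs" store list | grep -v TRUSTED_ROOT_CRLS); do
        echo "[*] Store : $store"
        "$vecs" entry list --store "$store" --text | check_vecs_expiry || rc=1
    done
    return "$rc"
}

# Constructed sample in the shape of the --text output, so the check runs offline.
SAMPLE_VECS_OUTPUT='Alias :	__MACHINE_CERT
            Not Before: Nov 21 00:00:00 2022 GMT
            Not After : Nov 21 00:00:00 2024 GMT
Alias :	vpxd
            Not After : Dec 15 00:00:00 2024 GMT
Alias :	vsphere-webclient
            Not After : Mar 13 00:00:00 2025 GMT'

# Evaluate the sample as of 2024-12-01 00:00 UTC (epoch 1733011200) instead of the real clock.
printf '%s\n' "$SAMPLE_VECS_OUTPUT" | check_vecs_expiry 1733011200 || echo "ALERT: renew certificates"
```

Run `scan_all_stores` from cron on the appliance and alert on a non-zero exit; the machine certificate then shows up as EXPIRING weeks before the web UI goes down.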
So we need to replace that expired certificate. This can be done with the embedded certificate manager. Make sure to take a snapshot or backup of the appliance before you make any changes.
You can also follow VMware KB 2097936 or keep on reading.
Start certificate-manager:
/usr/lib/vmware-vmca/bin/certificate-manager
Select option 3 to replace the machine cert. You need to provide the SSO user credentials to kick off the process. Make sure you provide at least the correct hostname as FQDN and the VMCA name. If they are wrong, your services will not be able to start.
After the process has completed, all services will be started. If all information is correct, this process succeeds. You can check the replaced certificate again with the same command:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"; done;
Now we can see that the certificate is valid until 13th of March 2025.
We are back in the game. You can log in to the vCenter Web UI again.