Scenario 1: The vCenter certificate is already expired.

Unable to log in to vCenter UI.
Any log-in attempt when the Web UI is available fails even with correct credentials.
Restart of vCenter Server Appliance (VCSA) services fails.
Restart of services does not bring up all services.

Errors observed:

/var/log/vmware/vpxd-svcs/vpxd-svcs.log:

    2020-06-03T09:31:04.523Z [pool-8-thread-1 INFO com.vmware.identity.token.impl.X509TrustChainKeySelector opId=905f6864-c067-4db6-828c-1d59c4b43bf8] Failed to find trusted path to signing certificate <CN=ssoserverSign>
    sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)

Scenario 2: The vCenter certificate expires in less than 60 days. (For VxRail 7.0.480 and above versions)

Log in to vCenter UI is completed but VxRail 7.0.480 and later versions show a Warning in VxRail Cluster > Configure > VxRail > Certificate > All Trust Store Certificates page stating that the certificate expires in less than 60 days.
vCenter certificates are expired or expiring soon.
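
To confirm that a VCSA shows the Scenario 1 symptom before resetting certificates, the vpxd-svcs.log entry quoted above can be searched for and grouped by the certificate subject it names. The script below is an added example, not part of the original article or of the vCert tool; the function names are hypothetical and the sample log contains constructed lines alongside the entry quoted on this page.

```python
import re
from datetime import datetime

# Pattern for the vpxd-svcs.log entry quoted under Scenario 1.
TRUST_FAILURE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})Z\s+"
    r"\[\S+\s+[A-Z]+\s+"
    r"com\.vmware\.identity\.token\.impl\.X509TrustChainKeySelector\s+"
    r"opId=(?P<opid>[0-9a-fA-F-]*)\]\s+"
    r"Failed to find trusted path to signing certificate <(?P<subject>[^>]+)>"
)

def find_trust_failures(lines):
    """Return one record per trust-chain failure in the given log lines."""
    hits = []
    for line in lines:
        m = TRUST_FAILURE.match(line.strip())
        if m:
            hits.append({
                "time": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f"),
                "op_id": m["opid"],
                "subject": m["subject"],
            })
    return hits

def summarize(hits):
    """Group failures by certificate subject: count, first and last seen."""
    summary = {}
    for h in hits:
        s = summary.setdefault(
            h["subject"], {"count": 0, "first": h["time"], "last": h["time"]})
        s["count"] += 1
        s["first"] = min(s["first"], h["time"])
        s["last"] = max(s["last"], h["time"])
    return summary

# The first two lines are quoted on this page; the rest are constructed.
SAMPLE_LOG = """\
2020-06-03T09:31:04.523Z [pool-8-thread-1 INFO com.vmware.identity.token.impl.X509TrustChainKeySelector opId=905f6864-c067-4db6-828c-1d59c4b43bf8] Failed to find trusted path to signing certificate <CN=ssoserverSign>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2020-06-03T09:31:05.010Z [pool-8-thread-2 INFO com.example.Constructed opId=00000000-0000-0000-0000-000000000000] Constructed unrelated entry
2020-06-03T09:36:10.114Z [pool-8-thread-4 INFO com.vmware.identity.token.impl.X509TrustChainKeySelector opId=00000000-0000-0000-0000-000000000001] Failed to find trusted path to signing certificate <CN=ssoserverSign>
"""

if __name__ == "__main__":
    for subject, s in summarize(find_trust_failures(SAMPLE_LOG.splitlines())).items():
        print(f"{subject}: {s['count']} failure(s), {s['first']} .. {s['last']}")
```

To run it against a live appliance, pass the lines of /var/log/vmware/vpxd-svcs/vpxd-svcs.log to find_trust_failures() instead of the sample.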
For either scenario, follow these steps using the vCert tool to reset all certificates on vCenter to VMCA-signed certificates.

Note: This procedure is intended for single PSC or VCSA VMs which are maintained through VxRail LifeCycle Manager (LCM). For HA, ELM, or Customer deployed VCSAs, open a VMware ticket!
Note: Take OFFLINE snapshots of VxRail Manager (VRM) and VCSA!
Note: Check that the snapshot creation process has finished without errors! Do NOT continue without valid snapshots!
Note: If issues are encountered, do not retry without reverting to snapshots!

1. Download the vCert tool from VMware: vCert - Scripted vCenter Expired Certificate Replacement

2. Upload the .zip file to vCenter using WinSCP or similar. In this example, we uploaded it to the /tmp directory.

3. SSH to vCenter using root credentials and unzip the file using the extract command (the filename will change based on the version):

       cd /tmp
       unzip vCert-6.0.0-20250218.zip

4. Enter the vCert directory and start the script:

       cd vCert-6.0.0-20250218
       ./vCert.py

5. At the menu, enter option 6 for: Reset all certificates with VMCA-signed certificates

       VCF/VVF Certificate Management Utility (version 6.0.0)
       -----------------------------------------------------------------
       1. Check current certificate status
       2. View certificate info
       3. Manage certificates
       4. Manage SSL trust anchors
       5. Check configurations
       6. Reset all certificates with VMCA-signed certificates
       7. ESXi certificate operations
       8. Restart services
       9. Generate certificate report
       E. Exit

       Select an option [1]: 6

6. The "Certificate Signing Request Information" can be left as default (with the exception of the 'additional hostnames for SAN entries') or updated with company and/or environment information.

   Note: The 'additional hostnames for SAN entries' refers to the Subject Alt Hostname (SAN) and should be populated with the hostname+FQDN of the vCenter server.

       Certificate Signing Request Information
       -----------------------------------------------------------------
       Enter the country code [US]:
       Enter the Organization name [VMware]:
       Enter the Organizational Unit name [VMware Engineering]:
       Enter the state [California]:
       Enter the locality (city) name [Palo Alto]:
       Enter the IP address (optional):
       Enter an email address (optional):
       Enter any additional hostnames for SAN entries (comma separated value):

7. The script resets the vCenter certificates. Once complete, follow Dell VxRail: How to Manually Import vCenter SSL Certificate on VxRail Manager to import the certificates into the VxRail Manager trust store.