...
Upgrading to vCenter Server 6.5 fails with the error:

    An error occurred while starting 'vmonapi' Failed to start VMware Service lifecycle Manager API Service.

In the vMon.log (Windows vCenter Server) or vmon-syslog.log (vCenter Server Appliance), there are messages that pertain to a mismatch with the hostnames and/or IP address in the SSO Certificate:

    warning vmon Service vmonapi pre-start command's stderr: Failed to start vmonapi service. Exception : hostname u'HOSTNAME' doesn't match 'VCENTER_IP'

Note: The vMon.log log file is found in the VMware-VCS-logs-<year><month><day><hour><minute><second>.zip file created on the vCenter Server after a failed upgrade. The vmon-syslog.log file will be located in /var/log/vmware/vmon of the failed appliance.
This happens when the Primary Network ID (PNID) is not present in the Subject Alternative Name (SAN) field of the SSL certificates that vmonapi downloads from Single Sign-On. The PNID is the FQDN or IP address used during the install in vCenter 6.x.
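A pre-upgrade check for this condition, as an added example that is not VMware code: it reads the text form of a certificate (the output of `openssl x509 -noout -text`) and reports which required names are absent from the SAN extension. The host name, IP address and sample text are constructed, and matching is exact (no wildcard handling).

```python
import ipaddress

# Constructed sample: excerpt of `openssl x509 -noout -text -in ssoserver.crt`.
SAMPLE_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:vc01.example.local, DNS:vc01, IP Address:192.0.2.10
"""


def san_entries(x509_text):
    """Return (dns_names, ip_addresses) found in the SAN extension."""
    lines = x509_text.splitlines()
    dns, ips = set(), set()
    for i, line in enumerate(lines):
        # The SAN values are printed on the line after the extension name.
        if "X509v3 Subject Alternative Name" in line and i + 1 < len(lines):
            for item in lines[i + 1].split(","):
                kind, _, value = item.strip().partition(":")
                if kind == "DNS":
                    dns.add(value.lower())
                elif kind == "IP Address":
                    ips.add(ipaddress.ip_address(value))
    return dns, ips


def pnid_in_san(pnid, x509_text):
    """True if the PNID (FQDN or IP address) is listed in the SAN."""
    dns, ips = san_entries(x509_text)
    try:
        # IP PNIDs are compared as parsed addresses, not as strings.
        return ipaddress.ip_address(pnid) in ips
    except ValueError:
        # Not an IP address: compare as a case-insensitive DNS name.
        return pnid.lower().rstrip(".") in dns


def missing_names(required, x509_text):
    """Names from `required` that the certificate's SAN does not cover."""
    return [name for name in required if not pnid_in_san(name, x509_text)]


if __name__ == "__main__":
    wanted = ["vc01.example.local", "192.0.2.10", "vcenter.example.local"]
    print("Missing from SAN:", missing_names(wanted, SAMPLE_TEXT))
```

A certificate with no SAN extension at all is reported as missing every name, which is the case that triggers the vmonapi hostname mismatch.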
This issue is resolved in vCenter Server 6.5 Patch 1, available at VMware Downloads.

To resolve this when migrating from vCenter Server 6.0 to vCenter Server 6.5:

vCenter Server 6.0

To resolve this when upgrading from vCenter 6.0, ensure the FQDN and IP are present in the SAN field of the SSO Lookup Service certificate. To replace the Lookup Service certificate in vCenter Server 6.5, see Replacing the Lookup Service SSL certificate on a Platform Services Controller 6.0 (2118939).

To resolve this when upgrading from vCenter Server 5.5, ensure the FQDN and IP are present in the SAN field of the Single Sign-On Certificate in vCenter Server 5.5.

vCenter Server 5.5 for Windows

Self-signed certificates in vCenter Server 5.5 for Windows can be regenerated during re-installation by ensuring that the FQDN, not the IP address, is used in the installation wizard. Another option is to update the certificates manually before the upgrade. See Deploying and using the SSL Certificate Automation Tool 5.5 (2057340) for instructions on using the SSL automation tool to accomplish this.

To re-generate a new default SSO Certificate, use the following steps. If using CA Signed Certificates, follow the process as per Implementing CA signed SSL certificates with vSphere 5.x (2034833):

1. Back up the ssoserver* files from C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf.

2. Open an elevated command prompt and run this command to create a temporary directory to store files during generation:

    mkdir C:\ssl

3. Using a text editor, create the file C:\ssl\certool.cfg using the below template, provide the custom details pertaining to your environment, and save the file. Make sure that the commonName and SubjectAltName both contain the PNID (FQDN).

    notepad C:\ssl\certool.cfg

   Using the following template as an example.

   Note: The values that will usually differ are subjectAltName and the entries under

4. Run this command to generate a new certificate request and private key for the Lookup Service:

    "C:\Program Files\VMware\CIS\openSSL\openssl.exe" req -new -nodes -out C:\ssl\ssoserver.csr -newkey rsa:2048 -keyout C:\ssl\ssoserver.key -config C:\ssl\certool.cfg

5. Run this command to generate a new certificate for the Lookup Service using the previously generated private key and certool.cfg file:

    "C:\Program Files\VMware\CIS\openSSL\openssl.exe" x509 -req -days 3650 -sha256 -in C:\ssl\ssoserver.csr -out C:\ssl\ssoserver.crt -CA "C:\ProgramData\VMware\CIS\data\vmca\root.cer" -CAkey "C:\ProgramData\VMware\CIS\data\vmca\privatekey.pem" -extensions v3_req -CAcreateserial -extfile C:\ssl\certool.cfg

6. Run this command to generate a .p12 file consisting of both the ssoserver.cer and ssoserver.key file:

    "C:\Program Files\VMware\CIS\openSSL\openssl.exe" pkcs12 -export -in C:\ssl\ssoserver.crt -inkey C:\ssl\ssoserver.key -name "ssoserver" -passout pass:changeme -out C:\ssl\ssoserver.p12

   Note: Do not modify the -passout value. This must remain as changeme.

7. Run this command to back up the existing ssoserver.p12 file:

    copy "C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12" "C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12.backup"

8. Run this command to replace the old ssoserver.p12 with the newly generated ssoserver.p12 file:

    copy "C:\ssl\ssoserver.p12" "C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12"

9. Stop the SSO Services in this order:
   - VMware Secure Token Service
   - VMware Identity Management Service
   - VMware Kdc Service
   - VMware Directory Service
   - VMware Certificate Service

10. Start the SSO Services in this order:
   - VMware Certificate Service
   - VMware Directory Service
   - VMware Kdc Service
   - VMware Identity Management Service
   - VMware Secure Token Service

11. Restart the vCenter Server services in this order:
   - Restart the VMware vCenter Inventory Service
   - Restart the VMware VirtualCenter Server
   - Restart the VMware VirtualCenter Management Webservices
   - Restart the VMware vSphere Profile-Driven Storage Service
   - Restart the VMware vSphere Web Client
   - Restart the VMware Log Browser

vCenter Server Appliance 5.5

To regenerate self-signed certificates on the vCenter Server Appliance 5.5, see Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5 (2070603).

vCenter Server 6.0

To resolve this when upgrading from vCenter 6.0, ensure the FQDN and IP are present in the SAN field of the SSO Lookup Service certificate. To replace the Lookup Service certificate in vCenter Server 6.0, see Replacing the Lookup Service SSL certificate on a Platform Services Controller 6.0 (2118939).
Implementing CA signed SSL certificates with vSphere 5.x
Deploying and using the SSL Certificate Automation Tool 5.5
Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5
Replacing the Lookup Service SSL certificate on a Platform Services Controller 6.0