RAFA

Error 503 VCSA 6.5, Certificate Problem

Good afternoon colleagues, nice to greet you.
I have a problem with a customer's vCenter. He cannot enter the vSphere Web Client console, nor does he even reach the interface to authenticate; only the following error appears (see attached image). However, the VMware Management Appliance console (port 5480) is active and can authenticate without problems. The following were carried out: restart the VM of the VCSA.

Execute service-control -stop-all and start-all commands. Execute service-control --status, indicates that the services are up, there is no service that is pending to start.
Also the datastore where the VCSA is located is almost at the limit of storage.

Validating the error that we are seeing indicates that it may be a certificate error; however, how can I validate which certificate is expired and thus solve the problem? I understand that the error and renewal of the certificates is solved by the VCSA certificate manager via SSH. Additionally, I have the logs of the VM of the VCSA; I share them and am open to any suggestions you can give me.
Attachments: Error.PNG, vmware.log, vmware-1.log
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Are you certain all the services are running?

Confirmed by the VAMI interface?

see Certificate Manager instructions here at VMware

https://kb.vmware.com/s/article/2097936

the logs we need are vpxd.log located here

/var/log/vmware/

often this issue is certificate related
Hello There

Recently I saw a similar problem with the STS certificate. The solution was:
1. Check if the STS certificate has expired (https://kb.vmware.com/s/article/79248)
2. If the above is true, apply fixsts.sh (https://kb.vmware.com/s/article/76719)
3. Replace Solution user certificates (option 6) (https://kb.vmware.com/s/article/2097936)

Check the output of the two commands below and see if any of them is expired. If yes, replace Machine SSL and Solution user, both depending on what is expired.

/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | less
/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store machine --text | less

As Hello There suggested, please go ahead and check the STS.
RAFA

ASKER

Good afternoon, reviewing the vpxd.log file, it is clearly observed that the SSL certificate expired. According to the KB provided by Andrew Hancock, would you use option 1 to carry out the procedure? Likewise, I share the information where it indicates that the certificate expired.

I remain attentive to your suggestions.

2020-11-14T13:54:07.272Z warning vpxd[7F91FAE6D700] [Originator@6876 sub=Main] Certificate [Subject: C=US,CN=TDV-VC65.toyota.com.ve] from store MACHINE_SSL_CERT will expire on 2020-11-21 02:30:22.000
2020-11-14T13:54:07.275Z warning vpxd[7F91FAE6D700] [Originator@6876 sub=Main] Certificate [Subject: OU=mID-945dd2fb-bdb2-41a2-b822-cedd42b106e8,C=US,DC=local,DC=tdv,CN=machine] from store machine will expire on 2020-11-20 14:21:08.000
2020-11-14T13:54:07.276Z warning vpxd[7F91FAE6D700] [Originator@6876 sub=Main] Certificate [Subject: OU=mID-945dd2fb-bdb2-41a2-b822-cedd42b106e8,C=US,DC=local,DC=tdv,CN=vsphere-webclient] from store vsphere-webclient will expire on 2020-11-20 14:21:09.000
2020-11-14T13:54:07.290Z warning vpxd[7F91FAE6D700] [Originator@6876 sub=Main] Certificate [Subject: OU=mID-945dd2fb-bdb2-41a2-b822-cedd42b106e8,C=US,DC=local,DC=tdv,CN=vpxd] from store vpxd will expire on 2020-11-20 14:21:09.000
2020-11-14T13:54:07.291Z warning vpxd[7F91FAE6D700] [Originator@6876 sub=Main] Certificate [Subject: OU=mID-945dd2fb-bdb2-41a2-b822-cedd42b106e8,C=US,DC=local,DC=tdv,CN=vpxd-extension] from store vpxd-extension will expire on 2020-11-20 14:21:09.000
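
Added example (not part of the thread and not VMware tooling): a parser for the `will expire on` warnings in the vpxd.log excerpt above that classifies each certificate store against a chosen reference time, since the warning records a future expiry date rather than the current state. It assumes the expiry timestamps are UTC like the log timestamps; the function names and the 30-day window are choices made here.

```python
import re
from datetime import datetime, timezone

# First two lines are copied from the excerpt above; the third is constructed.
SAMPLE_LOG = """\
2020-11-14T13:54:07.272Z warning vpxd[7F91FAE6D700] [Originator@6876 sub=Main] Certificate [Subject: C=US,CN=TDV-VC65.toyota.com.ve] from store MACHINE_SSL_CERT will expire on 2020-11-21 02:30:22.000
2020-11-14T13:54:07.275Z warning vpxd[7F91FAE6D700] [Originator@6876 sub=Main] Certificate [Subject: OU=mID-945dd2fb-bdb2-41a2-b822-cedd42b106e8,C=US,DC=local,DC=tdv,CN=machine] from store machine will expire on 2020-11-20 14:21:08.000
2020-11-14T13:54:07.100Z info vpxd[7F91FAE6D700] [Originator@6876 sub=Main] constructed non-matching line
"""

EXPIRY_RE = re.compile(
    r"Certificate \[Subject: (?P<subject>[^\]]+)\] "
    r"from store (?P<store>\S+) will expire on "
    r"(?P<expiry>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)

def parse_expiry_warnings(log_text):
    """Return one dict per vpxd certificate-expiry warning found."""
    found = []
    for line in log_text.splitlines():
        m = EXPIRY_RE.search(line)
        if not m:
            continue
        # Assumption: expiry is UTC, matching the 'Z' log timestamps.
        expires = datetime.strptime(m["expiry"], "%Y-%m-%d %H:%M:%S")
        found.append({"store": m["store"], "subject": m["subject"],
                      "expires": expires.replace(tzinfo=timezone.utc)})
    return found

def classify(entries, now, warn_days=30):
    """Map store -> (status, whole days remaining) as of `now`."""
    report = {}
    for e in entries:
        remaining = e["expires"] - now
        if remaining.total_seconds() <= 0:
            status = "EXPIRED"
        elif remaining.days < warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        report[e["store"]] = (status, remaining.days)
    return report

if __name__ == "__main__":
    entries = parse_expiry_warnings(SAMPLE_LOG)
    logged = datetime(2020, 11, 14, 13, 54, 7, tzinfo=timezone.utc)
    for when in (logged, datetime.now(timezone.utc)):
        print(when.isoformat(), classify(entries, when))
```

These warnings cover only the stores vpxd reports; as a later reply notes, the STS certificate does not appear in vpxd.log and has to be checked separately.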
Often when Machine and Solution fail you need to regenerate.

It depends if you want to use your own SSL or just let VMware VCSA create self-signed ones.
RAFA

ASKER

Would there be any side effects? Did you refer me to a problem at the vCenter level? Would option 1 be the correct one to carry out the solution?
Select 8, reset all.

But before you do anything, take a snapshot so you can roll back should you need to.
Suggest checking the STS as well; that will not be in vpxd.

You can use options 3 and 6 to replace both.

If it's a standalone vCenter, take a snapshot, and if it's part of Enhanced Linked Mode,

you need to take a snapshot of all vCenters and PSCs in shutdown state. You need to revert all in case of issues (this is critical).

Thanks,
MS
RAFA

ASKER

OK guys, with that in mind I will follow your respective recommendations and I will indicate the results later.