Tuesday, May 2, 2023

"Signing certificate is not valid" error in VCSA 6.5.x, 6.7.x or vCenter Server 7.0.x

In an environment with a vCenter Server Appliance (VCSA) 6.5.x, 6.7.x or vCenter Server 7.0.x, you experience these symptoms:

· The vmware-vpxd service fails to start.

· Logging in to the vSphere Client fails with the error:

HTTP Status 400 – Bad Request Message BadRequest, Signing certificate is not valid

To resolve the Signing certificate is not valid error:

1.       Download the attached fixsts.sh script from this article and upload it to the /tmp folder of the impacted PSC or vCenter Server with Embedded PSC.

2.       If the SCP upload to the vCenter is rejected (the root account's default login shell on the appliance is the appliance shell, which does not accept SCP), run this from an SSH session to the vCenter to switch it to bash:

# chsh -s /bin/bash

3.       Connect to the PSC or vCenter Server with an SSH session if you have not already per Step 2.

4.       Navigate to the /tmp directory:

# cd /tmp

5.       Make the file executable:

# chmod +x fixsts.sh

6.       Run the script:

# ./fixsts.sh

7.       Restart the services on all vCenters and/or PSCs in your SSO domain using the command below:

# service-control --stop --all && service-control --start --all


Note: The service restart will fail if other certificates, such as the Machine SSL or Solution User certificates, have also expired. Proceed with the next step to identify and replace any expired certificates.

The following one-liner lists the alias and expiry date ("Not After") of every entry in every VECS store on the vCenter Server Appliance, so expired certificates can be spotted:

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

If the above does not resolve the issue, run the command below from the vCenter shell:

/usr/lib/vmware-vmca/bin/certificate-manager

Choose option 8 to reset all certificates.
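Reading the expiry dates out of the one-liner's output by eye is error-prone on a vCenter with many stores. The following script is an added example, not part of the article and not a VMware tool: it parses the `Alias` / `Not After` lines that the one-liner prints (the date format is the standard OpenSSL text form, e.g. `Not After : Mar  1 10:15:00 2023 GMT`) and classifies each entry as expired, expiring soon, or OK. The sample listing embedded below is constructed for illustration and is not real vCenter output; the store names and aliases in it are assumptions.

```python
"""Classify VECS certificate entries by expiry from a vecs-cli text listing.

Added example (not from the article or from VMware). Feed it the output of:
  for i in $(vecs-cli store list); do echo STORE $i; \
    vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample resembling the one-liner's output; not real vCenter data.
SAMPLE_LISTING = """STORE MACHINE_SSL_CERT
Alias :\t__MACHINE_CERT
                Not After : Mar  1 10:15:00 2023 GMT
STORE TRUSTED_ROOTS
Alias :\t0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b
                Not After : Feb 28 09:00:00 2031 GMT
STORE vpxd
Alias :\tvpxd
                Not After : May 20 08:30:00 2023 GMT
"""

# OpenSSL-style validity line: "Not After : Mon DD HH:MM:SS YYYY GMT"
NOT_AFTER_RE = re.compile(
    r"Not After\s*:\s*(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s+GMT"
)


def parse_listing(text):
    """Return a list of (store, alias, not_after) tuples from the listing text."""
    entries = []
    store = alias = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("STORE "):
            store = line.split(None, 1)[1]
        elif line.startswith("Alias"):
            alias = line.split(":", 1)[1].strip()
        else:
            match = NOT_AFTER_RE.search(line)
            if match:
                # Collapse the space-padded day ("Mar  1") so strptime accepts it.
                stamp = " ".join(match.group(1).split())
                not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
                entries.append((store, alias, not_after.replace(tzinfo=timezone.utc)))
    return entries


def check_expiry(text, now, warn_days=30):
    """Classify every entry as 'expired', 'expiring' or 'ok' relative to `now`."""
    results = []
    for store, alias, not_after in parse_listing(text):
        if not_after <= now:
            status = "expired"
        elif not_after - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        results.append((store, alias, status))
    return results


def main():
    # Read a real listing from stdin, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    now = datetime.now(timezone.utc)
    for store, alias, status in check_expiry(text, now):
        print(f"{status.upper():9} {store:20} {alias}")


if __name__ == "__main__":
    main()
```

Pipe the one-liner's output into the script on the appliance (for example `... | python3 vecs_expiry.py`) to get one line per entry; any entry reported as EXPIRED is a certificate that will block the service restart described in the note above.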

