vCenter 6.7 or 7 certificate expiry leading to 503 service not available error

From Notes_Wiki

Home > VMWare platform > VMWare vCenter > vCenter 6.7 or 7 certificate expiry leading to 503 service not available error

If the vCenter internal certificates expire, vCenter may return a 503 Service Unavailable error or one of the other errors described in VMware KB https://kb.vmware.com/s/article/76719

To solve this use:

  1. Validate whether you have this issue via the steps explained at https://kb.vmware.com/s/article/79248
    1. Download the checksts script from https://kb.vmware.com/sfc/servlet.shepherd/version/download/0685G00000lTiIBQA0
    2. Copy the script to vCenter in /tmp
    3. SSH to vCenter and, from the shell, run
      chsh -s /bin/bash root
      cd /tmp
      python checksts.py
  2. Assuming the STS certificates have expired or are about to expire soon, download fixsts from https://kb.vmware.com/sfc/servlet.shepherd/version/download/0685G00000aZJmkQAG
  3. Copy the script to vCenter in /tmp. Don't open and save the script in Windows using WordPad/Notepad, as that may change the end-of-line characters. If that has happened, fix it using either dos2unix or:
    sed -i -e 's/\r$//' fixsts.sh
  4. SSH to vCenter and, from the shell, run
    chsh -s /bin/bash root
    cd /tmp
    chmod +x fixsts.sh
    ./fixsts.sh
    service-control --stop --all && service-control --start --all
  5. Check the expiry of the other certificates via:
    for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
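The step-5 loop only prints the raw "Not After" lines, so you still have to read each date by hand. The following Python script is an added example (not part of this wiki page, and not a VMware tool) that post-processes that output: pipe the loop's output into it and it reports, per store and alias, how many days remain and whether the certificate is EXPIRED, EXPIRING (within 30 days by default) or OK, exiting non-zero when anything needs attention. It assumes that vecs-cli --text prints certificates in openssl's text layout, i.e. "Not After : Mon DD HH:MM:SS YYYY GMT"; the sample output embedded in the script is constructed and its aliases and dates are not from any real vCenter.

```python
import sys
from datetime import datetime, timezone

# Constructed sample of what the step-5 loop prints once filtered through
# egrep "Alias|Not After". Aliases and dates are made up, not from a real vCenter.
SAMPLE_OUTPUT = """\
STORE MACHINE_SSL_CERT
Alias :	__MACHINE_CERT
            Not After : Jun 30 12:00:00 2023 GMT
STORE TRUSTED_ROOTS
Alias :	ca_root_placeholder
            Not After : Mar  5 08:15:00 2031 GMT
STORE vpxd
Alias :	vpxd
            Not After : Aug  1 00:00:00 2024 GMT
"""

# Assumed layout: vecs-cli --text shows certificates in openssl's text form,
# so "Not After" is printed as "Mon DD HH:MM:SS YYYY GMT".
NOT_AFTER_FMT = "%b %d %H:%M:%S %Y GMT"


def utc_time(iso_stamp):
    """Parse an ISO 8601 timestamp (no zone) as UTC; used for reproducible runs."""
    return datetime.fromisoformat(iso_stamp).replace(tzinfo=timezone.utc)


def parse_report(text):
    """Turn the filtered vecs-cli output into a list of {store, alias, not_after}."""
    entries = []
    store = alias = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("STORE "):
            store = line[len("STORE "):].strip()
        elif line.startswith("Alias"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Not After"):
            stamp = line.split(":", 1)[1].strip()
            not_after = datetime.strptime(stamp, NOT_AFTER_FMT).replace(tzinfo=timezone.utc)
            entries.append({"store": store, "alias": alias, "not_after": not_after})
    return entries


def classify(entries, now, warn_days=30):
    """Add days_left and a status of EXPIRED, EXPIRING (within warn_days) or OK."""
    report = []
    for entry in entries:
        days_left = (entry["not_after"] - now).days
        if entry["not_after"] <= now:
            status = "EXPIRED"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        report.append({**entry, "days_left": days_left, "status": status})
    return report


def needs_attention(report):
    """True if any certificate in the report is expired or about to expire."""
    return any(item["status"] != "OK" for item in report)


def main():
    # Read the loop's output from stdin when piped; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    report = classify(parse_report(text), datetime.now(timezone.utc))
    for item in report:
        print(f"{item['status']:<8} {item['days_left']:>6}d  "
              f"{item['store']}/{item['alias']}  {item['not_after']:%Y-%m-%d}")
    sys.exit(1 if needs_attention(report) else 0)


if __name__ == "__main__":
    main()
```

Run it on the appliance as `for ...; done | python3 check_vecs_expiry.py` (the file name is my choice), or run it with no input to see the constructed sample. The non-zero exit code makes it usable from a cron job or monitoring check, so the STS and machine SSL certificates are caught before they expire rather than after the 503 appears.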

Note that instead of using the fixsts script we could also run:

/usr/lib/vmware-vmca/bin/certificate-manager

and choose option "8. Reset all certificates". Most prompts can be left at their defaults. Enter the correct IP address and FQDN of vCenter when prompted. When prompted with "Continue Operation (Y/N):" enter y to proceed.
