vCenter 6.7 or 7 certificate expiry leading to 503 service not available error
From Notes_Wiki
Revision as of 05:41, 11 June 2023 by Saurabh
If vCenter internal certificates expire, we may get a 503 Service Unavailable error or other errors, as shown in VMware KB https://kb.vmware.com/s/article/76719
To solve this, use the following steps:
- You can validate whether you have this issue or not via steps explained at https://kb.vmware.com/s/article/79248
- Download the checksts script from https://kb.vmware.com/sfc/servlet.shepherd/version/download/0685G00000lTiIBQA0
- Copy the script to vCenter in /tmp
- SSH to vCenter and, from the shell, run:
    chsh -s /bin/bash root
    cd /tmp
    python checksts.py
- Assuming the STS certificates have expired or are about to expire soon, download fixsts from https://kb.vmware.com/sfc/servlet.shepherd/version/download/0685G00000aZJmkQAG
- Copy the script to vCenter in /tmp. Do not open and save the script in Windows using WordPad/Notepad, as that may change the end-of-line characters. If that happens, fix the line endings using either dos2unix or:
- sed -i -e 's/\r$//' fixsts.sh
- SSH to vCenter and, from the shell, run:
    chsh -s /bin/bash root
    cd /tmp
    chmod +x fixsts.sh
    ./fixsts.sh
    service-control --stop --all && service-control --start --all
- Check other certificate expiry via:
- for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
Note that instead of using the fixsts script, we could also use:
/usr/lib/vmware-vmca/bin/certificate-manager
and choose option "8. Reset all certificates". Most prompts can be left at their defaults. Enter the correct IP address and FQDN of vCenter when prompted. When prompted with "Continue Operation (Y/N):", enter y to proceed.
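The "Check other certificate expiry" loop in the steps above prints every store, alias and "Not After" date, which is hard to scan on a busy vCenter. As an added example (not part of the original page or of the VMware KB scripts), this Python script reads that output and flags entries that are expired or within 30 days of expiry. The sample text is constructed, and the exact spacing of the Alias and Not After lines is an assumption.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

STORE_RE = re.compile(r"^\s*STORE\s+(\S+)")
ALIAS_RE = re.compile(r"Alias\s*:\s*(\S.*?)\s*$")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(\S.*?)\s*$")

def parse_entries(lines):
    """Yield (store, alias, expiry) for every 'Not After' line in the loop output."""
    store = alias = None
    for line in lines:
        store_m = STORE_RE.match(line)
        alias_m = ALIAS_RE.search(line)
        after_m = NOT_AFTER_RE.search(line)
        if store_m:
            store, alias = store_m.group(1), None  # new store: forget the old alias
        elif alias_m:
            alias = alias_m.group(1)  # an alias with no expiry line is just replaced
        elif after_m and alias is not None:
            # strptime tolerates the space-padded day ("Jun  1") in certificate text
            yield store, alias, datetime.strptime(after_m.group(1), "%b %d %H:%M:%S %Y GMT")

def classify(lines, now, warn_days=30):
    """Return (status, store, alias, days_left) rows, soonest expiry first."""
    rows = []
    for store, alias, expiry in parse_entries(lines):
        left = expiry - now
        soon = "EXPIRING" if left <= timedelta(days=warn_days) else "OK"
        rows.append(("EXPIRED" if left <= timedelta(0) else soon, store, alias, left.days))
    return sorted(rows, key=lambda row: row[3])

# Constructed sample of the filtered output; names, dates and spacing are assumptions.
SAMPLE = """\
STORE MACHINE_SSL_CERT
Alias :\t__MACHINE_CERT
            Not After : Jun  1 10:00:00 2025 GMT
STORE TRUSTED_ROOT_CRLS
Alias :\tconstructed_entry_without_expiry
STORE machine
Alias :\tmachine
            Not After : May 10 10:00:00 2023 GMT
STORE vpxd
Alias :\tvpxd
            Not After : Jun 25 10:00:00 2023 GMT
"""

if __name__ == "__main__":
    for row in classify(sys.stdin.read().splitlines(), datetime.now(timezone.utc).replace(tzinfo=None)):
        print("{:<9} {:<22} {:<34} {:>6} days".format(*row))
```

To use it, pipe the output of the for loop above into the script on a system with Python 3; entries are listed with the soonest expiry first.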