Lookup service fails with the certificate error for external VMware solution like NSX Manager,VMware vCenter Site Recovery Manager, VMware vSphere Replication or vSheild Manager.

Some solutions, such as VMware vCenter Site Recovery Manager, VMware vSphere Replication, or vSheild Manager are always installed on a different machine than the associated vCenter Server system or Platform Services Controller that manages the certificates for the solution.

If you replace the Machine SSL certificate of a vCenter Server system or a Platform Services Controller in an environment with an External Platform Services Controller, a connection error results when the solution attempts to connect to the vCenter Server. The reason is that the vCenter Server and the Platform Services Controller use the new certificate, but the corresponding service registrations with the VMware Lookup Service are not updated. When solutions connect to vCenter Server or Platform Services Controller, they look at the service registration, which includes the service URL and the sslTrust string. By default, the sslTrust string is the Base 64 encoded old certificate even if you have replaced the certificate successfully.

VMware has fixed the issue in the latest update VCSA U1b pr U2  so  if we have already updated the machine certificate with the older version then you may face issue while connecting the NSX Manager\Vsphere Replciation ( VR ) to the lookup service with the below error.

newed
To fix the issue we need to follow the KB 2121701 and in case we already changed the machine certificate with the older version ( VCSA 6.0 \ U1a ) and updated the appliance with the latest U1b\ U2 code still we need to follow the manual steps in the  KB to fix the issue.
notesced
So if we want to change the machine certificate then first make sure to upgrade the VCSA ( PSC\VC ) to the latest VMware update ( U1b or U2 )  to avoid the extra work and you can check my other blog on the steps involved to replacing the certificate where I highlighted the changes also.

We can notice the below extra output while importing the certificate with the U1b \ U2 update.

new1cert
ced
Reference :
Advertisements
This entry was posted in Certificate, High-Availability, Replacing vCenter 6.0 SSL Certificate, vCSA 6.0, VMware, vShield, vSphere Replication VR and tagged , , , , , , , , . Bookmark the permalink.

One Response to Lookup service fails with the certificate error for external VMware solution like NSX Manager,VMware vCenter Site Recovery Manager, VMware vSphere Replication or vSheild Manager.

  1. Pingback: Replacing vCenter 6.0 SSL Certificate. | Techbrainblog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s