Options to check and alert the vcenter certificate expiration

Last week one of our vCenter went down because of the machine certificate got expired and it took some time to find out the issue so I thought it will be helpful to show the options to verify the certificate and make sure to enable the alarm.

Since the certificate as expired most of the services will fail to work properly since it cannot function/use the certificate it is assigned to use.

In our case, we are unable to vMotion because the service to vMotion (vmware-sps) is unable to connect to vpxd due to “server certificate chain not verified.”

Below is the log path to verify .

/var/log/vmware/vmware-sps/sps.log

com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified

Below is the command to verify the Machine certificate.

/usr/lib/vmware-vmafd/bin/vecs-cli entry list –store MACHINE_SSL_CERT –text |less

Solution certificate

/usr/lib/vmware-vmafd/bin/vecs-cli entry list –store machine –text |less

Also we can check the same using the web-browser  .

Using the “ /usr/lib/vmware-vmca/bin/certificate-manager” Replace the certificates on the vCenter via option 3 (just the MACHINE_SSL) or if it is with internal CA then follow the steps here.

So to make the alarm configured for the certificate expiration, already by default 30 days threshold is configured in the vcenter and You can change how soon you are warned with the vpxd.cert.threshold advanced option.

  1. Log in to the vSphere Web Client.
  2. Select the vCenter Server object, the select the Manage tab and the Settings subtab.
  3. Click Advanced Settings, select Edit, and filter for threshold.
  4. Change the setting of vpxd.cert.threshold to the desired value and click OK.

Also make sure under Alarm settings – Certificate Status – Enable this alarm is active so that according to the threshold  we will get the alarm notification when the issue occurred.

Reference :

https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-D3DB7279-0A25-4AA8-83A0-F34E5676A8B9.html

Advertisements
This entry was posted in Certificate, ESX command, Replacing vCenter 6.0 SSL Certificate, Vcenter Appliance, vCSA 6.0, VCSA6.5, VMware, vSphere 6.0 Template. and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s