Last week one of our vCenter went down because of the machine certificate got expired and it took some time to find out the issue so I thought it will be helpful to show the options to verify the certificate and make sure to enable the alarm.
Since the certificate was expired most of the services got to fail and it cannot function/use the certificate it is assigned to use.
In our case, we are unable to vMotion because the service to vMotion (vmware-sps) is unable to connect to vpxd due to “server certificate chain not verified.”
Below is the log path to verify .
com.vmware.vim.vmomi.client.exception.SslException: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified
Below is the command to verify the Machine certificate.
/usr/lib/vmware-vmafd/bin/vecs-cli entry list –store MACHINE_SSL_CERT –text |less
/usr/lib/vmware-vmafd/bin/vecs-cli entry list –store machine –text |less
Also we can check the same using the web-browser .
Using the “ /usr/lib/vmware-vmca/bin/certificate-manager” Replace the certificates on the vCenter via option 3 (just the MACHINE_SSL) or if it is with internal CA then follow the steps here.
So to make the alarm configured for the certificate expiration, already by default 30 days threshold is configured in the vcenter and You can change how soon you are warned with the vpxd.cert.threshold advanced option.
- Log in to the vSphere Web Client.
- Select the vCenter Server object, the select the Manage tab and the Settings subtab.
- Click Advanced Settings, select Edit, and filter for threshold.
- Change the setting of vpxd.cert.threshold to the desired value and click OK.
Also make sure under Alarm settings – Certificate Status – Enable this alarm is active so that according to the threshold we will get the alarm notification when the issue occurred.
Pingback: Replacing vCenter 6.0 SSL Certificate. | Techbrainblog