
Dell VxRail: Cannot log in to VCSA with error 500. PSC&VC certs expired and failed to renew.

Summary: Cannot log in to vCenter with the error 500. PSC and vCenter certs have expired and failed to renew.


Symptoms

Cannot log in to vCenter with the error 500 SSO. PSC and VC certificates expired and failed to renew.
  • List the certificates in the CLI of the PSC and VCSA with the command: 
for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

In this case, the STS and PSC certificates were renewed, and the PSC service was successfully started, but the VCSA certificate failed to be renewed.

Status : 85% Completed [starting services...]
Error while starting services, please see log for more details
Status : 0% Completed [Operation failed, performing automatic rollback]
Rollback Status : 85% Completed [starting services...]
Error while starting services, please see log for more details
Rollback Status : 0% Completed [Rollback operation failed]
The following errors are found in certificate-manager.log:
2020-07-07T05:35:07.885Z INFO certificate-manager MACHINE_SSL_CERT certificate replaced successfully. SerialNumber and Thumbprint changed.
2020-07-07T05:35:30.982Z ERROR certificate-manager 'lstool get' failed: 1
2020-07-07T05:35:30.983Z ERROR certificate-manager please see /var/log/vmware/certificate-manager.log for more information.
  • List the certificates in the CLI of VCSA with the command:
root@vcserver [ ~ ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Jul 7 06:08:54 2022 GMT
STORE TRUSTED_ROOTS
Alias : e0aa985977e68d108d4dd31405fd420f4201380f
Not After : Jun 28 03:40:14 2028 GMT
Alias : 5d349a64d4fe81701f6b821e7518dd116d3dbd2c
Not After : Jul 2 04:50:39 2030 GMT
STORE TRUSTED_ROOT_CRLS
Alias : cc8d6a249fc496029ffff4f6f87219d30bb4ffcc
Alias : 927ba815ca062a8de35ff58667e837bf46b548cc
STORE machine
Alias : machine
Not After : Jul 3 03:44:26 2020 GMT   <-- internal solution user certificate not renewed
STORE vsphere-webclient
Alias : vsphere-webclient
Not After : Jul 3 03:44:27 2020 GMT   <-- internal solution user certificate not renewed
STORE vpxd
Alias : vpxd
Not After : Jul 3 03:44:27 2020 GMT   <-- internal solution user certificate not renewed
STORE vpxd-extension
Alias : vpxd-extension
Not After : Jul 3 03:44:28 2020 GMT   <-- internal solution user certificate not renewed
STORE SMS
Alias : sms_self_signed
Not After : Jul 4 03:59:04 2028 GMT
STORE BACKUP_STORE
Alias : bkp___MACHINE_CERT
Not After : Jul 7 05:48:50 2022 GMT
Alias : bkp_machine
Not After : Jul 3 03:44:26 2020 GMT
Alias : bkp_vsphere-webclient
Not After : Jul 3 03:44:27 2020 GMT
Alias : bkp_vpxd
Not After : Jul 3 03:44:27 2020 GMT
Alias : bkp_vpxd-extension
Not After : Jul 3 03:44:28 2020 GMT
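
An added example (not part of the Dell article): a bash/awk filter that reads the store listing produced by the loop above and prints only the entries whose Not After date is already in the past. The function name, the YYYYMMDDHHMMSS reference-time argument, and the choice to skip BACKUP_STORE (treated here as holding previous certificates) are assumptions of this example; the sample input is constructed from the listing above.

```bash
#!/usr/bin/env bash
# Added example: flag expired VECS entries in "vecs-cli entry list --text" output.
#
# expired_vecs_entries NOW_KEY
#   stdin  : "STORE <name>" / "Alias : <alias>" / "Not After : <date>" lines
#   NOW_KEY: reference UTC time as YYYYMMDDHHMMSS (e.g. date -u +%Y%m%d%H%M%S)
#   stdout : one "store/alias YYYY-MM-DD" line per expired entry
expired_vecs_entries() {
  awk -v now="$1" '
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    $1 == "STORE" { store = $2; alias = ""; next }
    $1 == "Alias" { alias = $3; next }
    $1 == "Not" && $2 == "After" {
      # Fields: Not After : Jul 3 03:44:27 2020 GMT
      # Assumption: BACKUP_STORE holds old copies, so it is not reported.
      if (store == "BACKUP_STORE" || !($4 in mon)) next
      split($6, t, ":")
      key = sprintf("%04d%02d%02d%02d%02d%02d", $7, mon[$4], $5, t[1], t[2], t[3])
      # Fixed-width digit strings sort chronologically, so compare as strings.
      if (key "" < now "")
        printf "%s/%s %04d-%02d-%02d\n", store, alias, $7, mon[$4], $5
    }
  '
}

# Constructed sample in the layout of the listing above.
sample_listing() {
  cat <<'EOF'
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Jul 7 06:08:54 2022 GMT
STORE TRUSTED_ROOT_CRLS
Alias : cc8d6a249fc496029ffff4f6f87219d30bb4ffcc
STORE machine
Alias : machine
Not After : Jul 3 03:44:26 2020 GMT
STORE vpxd
Alias : vpxd
Not After : Jul 3 03:44:27 2020 GMT
STORE BACKUP_STORE
Alias : bkp_vpxd
Not After : Jul 3 03:44:27 2020 GMT
EOF
}

# Reference time: 2020-07-07 05:35:30 UTC, the failure time in the log excerpt.
sample_listing | expired_vecs_entries 20200707053530
```

On an appliance, pipe the output of the listing loop into expired_vecs_entries "$(date -u +%Y%m%d%H%M%S)" instead of using the sample.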

Cause

This issue occurs when third-party extensions such as Nimble Storage, veeambackupUI, and so forth are registered to vCenter Server without valid certificates. See VMware article 2150057.

Resolution

See VMware article 215007. Try to unregister the third-party extensions. If the user cannot access MOB because the certificates have expired, follow VMware article 1025360.

To resolve the issue with the MOB expiration: 
  • Revert the PSC and VCSA snapshots to the backup.
  • Take a new snapshot for PSC and VCSA.
  • Set PSC and VCSA time from NTP to manual.
  • Set the PSC and VCSA time 24 hours before the certificate expires. (advanced setting "vpxd.certmgmt.certs.minutesBefore" is 24 hours by default)
  • Restart PSC and VCSA services. The VC MOB is now accessible.
  • Follow VMware article 1025360 and unregister the nondefault third-party extensions.
  • Renew PSC certificates with certificate-manager option 8. If the vmware-cm service cannot start, follow VMware article 76719 to fix the STS certificate, and restart the vmware-cm service.
  • Renew VC certificates with option 8.
  • Set the time to the correct time and restart PSC and VCSA services.

Additional Information

Remember to reimport the certificate on VXM. Follow the article "VxRail: How to manually import vCenter SSL certificate on VxRail Manager."

Affected Products

VxRail Appliance Series

Article Properties
Article Number: 000070683
Article Type: Solution
Last Modified: 24 May 2024
Version:  7