{"id":14643,"date":"2023-07-04T11:39:11","date_gmt":"2023-07-04T08:39:11","guid":{"rendered":"https:\/\/sarzimanli.com\/?p=14643"},"modified":"2023-07-04T23:17:35","modified_gmt":"2023-07-04T20:17:35","slug":"dell-vxrail-expired-cert","status":"publish","type":"post","link":"https:\/\/sarzimanli.com\/index.php\/2023\/07\/04\/dell-vxrail-expired-cert\/","title":{"rendered":"Dell VxRail: Unable to log in to vCenter due to expired certificates"},"content":{"rendered":"\n

Log in to vCenter GUI is not possible. <\/p>\n\n\n\n

If Web GUI is still available, any log in attempt with correct credentials fails.<\/p>\n\n\n\n

\"kA23a0000000BfwCAE_3_0\"\/<\/figure>\n\n\n\n

Restart of VCSA services fails.<\/p>\n\n\n\n

Restart of services does not bring up all services.<\/p>\n\n\n\n

Errors observed:     <\/strong><\/p>\n\n\n\n

\/var\/log\/vmware\/vpxd-svcs\/vpxd-svcs.log:<\/p>\n\n\n\n

2020-06-03T09:31:04.523Z [pool-8-thread-1  INFO  com.vmware.identity.token.impl.X509TrustChainKeySelector  opId=905f6864-c067-4db6-828c-1d59c4b43bf8] Failed to find trusted path to signing certificate <CN=ssoserverSign>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)<\/p>\n\n\n\n

Cause<\/h4>\n\n\n\n

vCenter certificates are expired.<\/p>\n\n\n\n

VxRail which was initially built prior to 4.7, may have certificates issued with a lifespan of two years from the date of installation. At the time of writing this article, a VxRail build on 4.7.410 has all certificates with a 10 year lifespan.<\/p>\n\n\n\n

Minor version upgrades will not touch the certificates!<\/p>\n\n\n\n

For a VxRail which was initially built on 4.5.210 and later versions, the certificates have a two-year validity period. Check VMware KB article 79248<\/a> to confirm the detailed description.<\/p>\n\n\n\n

Use the view certificate in the browser of the log in page of the VCSA to confirm the certificate has expired or list the certificates in the CLI of the PSC\/VCSA with the command from VMware KB article 76719<\/a>:    <\/p>\n\n\n\n

for i in $(\/usr\/lib\/vmware-vmafd\/bin\/vecs-cli store list); do echo STORE $i; \/usr\/lib\/vmware-vmafd\/bin\/vecs-cli entry list --store $i --text | egrep \"Alias|Not After\"; done<\/pre>\n\n\n\n
Resolution<\/h4>\n\n\n\n
This procedure will generate new self-signed certificates on PSC and VCSA.<\/p>\n\n\n\n
IMPORTANT<\/strong>: This procedure is intended for single PSC\/VCSA VMs which are maintained through VxRail LCM. For HA \/ ELM \/ Customer deployed VCs – please open a VMware ticket!<\/p>\n\n\n\n
IMPORTANT<\/strong>: Take OFFLINE <\/strong>snapshots of VRM, PSC, and VCSA!<\/p>\n\n\n\n
IMPORTANT<\/strong>: Check if the snapshot creating process has finished without errors! Do NOT continue without valid snapshots!<\/strong><\/p>\n\n\n\n
IMPORTANT<\/strong>: If issues encountered, do not retry without reverting to snapshots!<\/p>\n\n\n\n
    \n
  1. Fix PSC:\n