Recently I had to change the default certificates of a newly installed vCenter. Nothing unusal with that, if not for the fact that I didn’t think about vCenter HA that I configured before getting the certs. If only I had read that little piece of advice from VMware…
If you want to use custom certificates, you have to remove the vCenter HA configuration, delete the Passive and Witness nodes, provision the Active node with the custom certificate, and reconfigure the cluster.
Anyway, I didn’t read it. I replaced the certificates with the PSC web gui and SSH’d to my VCSA to restart the services (more info here).
When I tried to start the services after stopping them it would not work and I was greeted by the following output:
root@srv-vcenter [ ~ ]# service-control --start vmafdd Perform start operation. vmon_profile=None, svc_names=['vmafdd'], include_coreossvcs=False, Include_leafossvcs=False 2018-04-11T10:00:19.720Z Running command: ['/usr/bin/systemctl', 'is-enabled', u'vmafdd'] 2018-04-11T10:00:19.723Z Done running command Service vmafdd startup type is not automatic. Skip
It is actually easy to fix:
- Destroy the vCenter HA configuration
root@srv-vcenter [ ~ ]# destroy-vcha -f
Reboot the node
Delete the passive node and the witness VMs
Recreate the vCenter HA
It failed the first time for me but it worked the second time. It might be some leftover configuration…
Bottom line: If you actually use vCenter HA (should you?), read this carefully before changing anything in vCenter !
It’s a major mood killer but some actions need VCHA to be destroyed, the nodes deleted, cloned again, bladibla.