The other day I had to replace the machine SSL certificate on a vCenter Server Appliance 6.5. Since vCenter 6.0 the process of replacing a certificate has been greatly simplified, the certificate-manager script basically takes care of everything which is really nice.
However, this time I encountered an error when replacing the certificate. Everything was going smoothly until the moment where the script threw an error and started a roolback.
“2019-04-01T09:38:53.83Z certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.”
So I looked into the certificate-manager.log logfile and found the following line:
“2019-04-01T09:38:53.83Z ERROR certificate-manager ‘lstool get’ failed: 1”
I have no idea what this means so I googled it and ended up on KB2150057. The outcome of this KB is that this error occurs when there are third party extensions installed on the vCenter.
“This issue occurs when there are third party extensions like nimble storage and veeambackupUI etc. with no valid certificates and failed to get the information for the service ID.”
Sure enough there was an old Simplivity extension installed on the server that had been used at some point for a proof of concept but was no longer needed. I found the procedure to remove the extension in an HPE documentation (they bought the company in 2017), which I performed on the appliance.
cd /opt/SimpliVity/SimpliVityExtensionForVSphereClient-10.23.8/ ./uninstall Y service-control --stop vsphere-ui vsphere-client cd /etc/vmware/vsphere-client/vc-packages/vsphere-client-serenity rm -r com.simplivity.web-client-10.23.8 cd /etc/vmware/vsphere-ui/vc-packages/vsphere-client-serenity rm -r com.simplivity.web-client-10.23.8 service-control --start vsphere-ui vsphere-client
I kept getting the same error after this so I proceeded to the Resolution section of the KB with KB1025360 and unregistered the extension from the MOB (Managed Object Browser).
- Browse to http://vCenter_Server_name_or_IP/mob
- Click on Content.
- Click on ExtensionManager.
- Expand the list of properties and locate the extensions to remove. Here there are 3 Simplivity extensions being displayed. Copy the part in double quotes.
- Click on UnregisterExtension.
- Paste the string you copied without the double quotes in the string field and click Invoke Method.
- Refresh the page and verify that the line is no longer in the list of properties.
- Repeat these steps for all the extensions that need unregistered.
After I finished this task the certificate replacement completed successfully.