vSphere 8.0.2 SSL Cert Expire and Update Issue

Author: Tripp W Black

Created: 03/31 at 10:51 PM



An expired SSL certificate, or a re-certification, blocks vSphere VCSA 8.0 U2.

If the certificate is NOT expired:
For re-certification, run the Certificate Manager in the UI:
vcsa.mindwatering.net/ui --> Menu (3 lines in corner) --> Administration --> Certificates (heading) --> Certificate Management

If the expiration was missed:
We have to fix this via SSH, as the site's HSTS policy will block login.
1. $ ssh root@vcsa.mindwatering.net
<enter password>

2. Start command shell:
Command> shell

3. Run the command-line certificate-manager:
root@vcsa [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager

4. At the menu, select option 4 (Regenerate a new VMCA Root Certificate and replace all certificates):
Option[1 to 8]: _
Enter 4 and press <enter>

At the prompt:
Do you wish to generate all certificates using configuration file : Option[Y/N] ? :
Answer Y, and press <enter>

Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Press <enter> for the default admin account.

Enter the password:
<enter password>

At the prompt, we want to keep it simple and just re-use the existing configuration information. To do so:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N]
Enter N, and press <enter>

At the final confirmation prompt, choose to continue:
You are going to regenerate Root Certificate and all other certificates using VMCA
Continue operation : Option[Y/N] ? :
Answer Y, and press <enter>


After new certificates are created/imported, or an expiration is fixed, the VPXD will be broken and needs to be fixed on the appliance. This bug is an "expected behavior". VMware has article 94934 to remediate the behavior/bug.

Error Message: Pre-upgrade check result
Source vSphere ESX Agent Manager (EAM) upgrade failed to obtain EAM URLs to check against trusted certificates by the System!
Verify that the ESX Agent Manager extension is running properly on the source vCenter Server instance and https://VC_IP/eam/mob presents correct data. If log in to the MOB is not successful, try resolving the issue with kb.vmware.com/s/article/94934.

Fix the VPXD via:
1. Download fixcerts:

2. $ ssh root@vcsa.mindwatering.net
<enter password>

3. Start command shell:
Command> shell

4. Create an empty file on the server, and copy and paste the content from the local file into the remote file:
(Alternatively, we can copy the file over SSH with FileZilla.)
root@vcsa [ ~ ]# pwd
root@vcsa [ ~ ]# touch fixcerts.py
root@vcsa [ ~ ]# vi fixcerts.py
<copy and paste the contents of the downloaded file into this file on the server>
root@vcsa [ ~ ]# chmod 770 fixcerts.py

5. Run the file:
root@vcsa [ ~ ]# python fixcerts.py update --ExtensionType all
Updated the Thumbprint of VPXD Extensions -> Total Execution Time ## 43 seconds ##
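
The SSH procedure above is only needed once an expiration has been missed. The following is an added example (not part of the original note and not VMware's code) that reports the days remaining on each certificate in the appliance's VECS stores. The function names, the 30-day threshold, and the "Alias :" line layout of vecs-cli entry list are assumptions.

```shell
#!/bin/sh
# Added example: report days left on every certificate in the VCSA's VECS stores.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# Convert openssl's "notAfter=Jan  1 00:00:00 2030 GMT" to epoch seconds (UTC).
# Done in awk/shell arithmetic so it does not depend on GNU date parsing.
enddate_to_epoch() {
  printf '%s\n' "${1#notAfter=}" | awk '{
    m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
    split($3, t, ":"); d = $2; y = $4
    if (m <= 2) { y--; m += 12 }   # treat Jan/Feb as months 13/14 of the prior year
    days = 365*y + int(y/4) - int(y/100) + int(y/400) + int((153*(m-3)+2)/5) + d - 719469
    print days, t[1]*3600 + t[2]*60 + t[3]
  }' | { read -r days secs; echo $(( $days * 86400 + $secs )); }
}

# Print "EXPIRED", "WARN <days>" or "OK <days>" for one notAfter line.
# $1 = notAfter line, $2 = current epoch, $3 = warning threshold in days
cert_status() {
  exp=$(enddate_to_epoch "$1")
  left=$(( ($exp - $2) / 86400 ))
  if [ "$exp" -le "$2" ]; then echo "EXPIRED"   # checked first: division truncates toward 0
  elif [ "$left" -le "$3" ]; then echo "WARN $left"
  else echo "OK $left"
  fi
}

# Walk every VECS store except the CRL store. $1 = threshold in days (default 30).
# Assumption: "entry list" prints "Alias : <name>" with the alias as the last field.
scan_vecs() {
  now=$(date +%s)
  for store in $("$VECS_CLI" store list | grep -v TRUSTED_ROOT_CRLS); do
    "$VECS_CLI" entry list --store "$store" | awk '/^Alias/ {print $NF}' |
    while read -r alias; do
      end=$("$VECS_CLI" entry getcert --store "$store" --alias "$alias" 2>/dev/null |
            openssl x509 -noout -enddate 2>/dev/null) || continue  # no cert in entry
      echo "$store/$alias: $(cert_status "$end" "$now" "${1:-30}")"
    done
  done
}

# Only scan when run on the appliance itself.
if [ -x "$VECS_CLI" ]; then scan_vecs 30; fi
```

Run it from the appliance shell (or from cron there) and act on any WARN line through the UI Certificate Management path while login still works.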

