Certificate regeneration fails with the error code: 382312514 after migrating the vCenter Server 6.0 from an Embedded PSC to External PSC

Article ID: 324827

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
After migrating vCenter Server 6.0 from an Embedded Platform Services Controller (PSC) to External Platform Services Controller, you experience these symptoms:
  • You are unable to regenerate SSL certificates for the Machine SSL or the Solution Users on the vCenter Server.
  • In the certificate-manager utility, you observe:

    Error: 382312514, VMCAGetSignedCertificatePrivate() failedStatus : Failed
    Error Code : 382312514
    Error Message : Failed to connect to the remote host, reason = rpc_s_connect_rejected (0x16c9a042).
    Status : 0% Completed [Operation failed, performing automatic rollback]

  • In the certificate-manager.log (located at: /var/log/vmware/vmcad/ or C:\ProgramData\VMware\vCenterServer\logs\vmca\) file, you see entries similar to:

    YYYY-DD-MMT<time>Z INFO certificate-manager Running command :- ['/usr/lib/vmware-vmca/bin/certool', '--server=localhost', '--gencert', '--privkey=/storage/certmanager/MACHINE_SSL_CERT.priv', '--cert=/storage/certmanager/MACHINE_SSL_CERT.crt', '--config=/var/tmp/vmware/certool.cfg']

    YYYY-DD-MMT<time>Z INFO certificate-manager Command output :-
    Using config file : /var/tmp/vmware/certool.cfg
    Error: 382312514, VMCAGetSignedCertificatePrivate() failedStatus : Failed
    Error Code : 382312514
    Error Message : Failed to connect to the remote host, reason = rpc_s_connect_rejected (0x16c9a042).

    YYYY-DD-MMT<time>Z ERROR certificate-manager Using config file : /var/tmp/vmware/certool.cfg
    Error: 382312514, VMCAGetSignedCertificatePrivate() failedStatus : Failed
    Error Code : 382312514
    Error Message : Failed to connect to the remote host, reason = rpc_s_connect_rejected (0x16c9a042)

    Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.0.x

Cause

This issue occurs because vCenter Server still contains the decommissioned VMCA's Root certificate, causing the certificate-manager utility to believe it is still an embedded node.

Resolution

This issue is resolved in VMware vCenter Server 6.0 Update 3, available at VMware Downloads.

To work around this issue if you do not want to upgrade, rename the old root.cer from the decommissioned VMCA on the vCenter Server that was promoted to an external Platform Services Controller:

For the vCenter Server Appliance:
  1. Connect to the vCenter Server Appliance with an SSH session.
  2. Provide the root user name and password when prompted.
  3. Run this command to enable the Bash shell:

    shell.set --enable True

  4. Run this command to access the Bash shell:

    shell

  5. Run this command to rename the current root.cer to root.bkp:

    mv /var/lib/vmware/vmca/root.cer /var/lib/vmware/vmca/root.bkp

  6. Attempt the certificate regeneration process.
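
A guarded form of step 5 for the appliance, as an added example that is not part of the original article or of VMware's tooling: it renames root.cer only when certificate-manager.log contains the error signature shown above, and refuses to overwrite an existing root.bkp. The function names, exit codes and argument handling are assumptions of this example; the default paths are the ones given in the article.

```shell
#!/bin/sh
# Added example: guarded version of the root.cer rename workaround.
# Default paths are the appliance paths from the article; the optional
# arguments, function names and exit codes are this example's own.

ERR_CODE=382312514
ERR_REASON='rpc_s_connect_rejected'

# Return 0 when the log shows the failure signature from the article:
# the VMCA error code together with the rejected RPC connection.
log_has_signature() {
    log=$1
    [ -r "$log" ] || return 1
    grep -q "Error Code : $ERR_CODE" "$log" &&
        grep -q "reason = $ERR_REASON" "$log"
}

# Rename root.cer to root.bkp only when the signature is present.
# Exit status: 0 renamed, 1 signature absent, 2 no root.cer, 3 backup exists.
rename_stale_root() {
    vmca_dir=${1:-/var/lib/vmware/vmca}
    log=${2:-/var/log/vmware/vmcad/certificate-manager.log}

    if ! log_has_signature "$log"; then
        echo "error signature not found in $log; nothing changed" >&2
        return 1
    fi
    if [ ! -f "$vmca_dir/root.cer" ]; then
        echo "no root.cer in $vmca_dir; nothing changed" >&2
        return 2
    fi
    # Never overwrite an earlier backup of the decommissioned VMCA root.
    if [ -e "$vmca_dir/root.bkp" ]; then
        echo "$vmca_dir/root.bkp already exists; nothing changed" >&2
        return 3
    fi
    # Record a digest so the renamed file can be identified later.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$vmca_dir/root.cer" >&2
    fi
    mv "$vmca_dir/root.cer" "$vmca_dir/root.bkp"
}
```

After sourcing the file in the appliance's Bash shell, calling `rename_stale_root` with no arguments uses the article's paths; a non-zero exit status means nothing was renamed.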

For the vCenter Server for Windows:
  1. Remote desktop into the Windows server.
  2. Open an elevated command prompt.
  3. Run this command to rename the current root.cer to root.bkp:

    ren C:\ProgramData\VMware\vCenterServer\data\vmca\root.cer root.bkp

  4. Attempt the certificate regeneration process.

