"ERROR certificate-manager 'lstool get-site-id' failed: 1", Certificate Replacement with Custom Certificate Fails on vCenter Server 6.x

search cancel

"ERROR certificate-manager 'lstool get-site-id' failed: 1", Certificate Replacement with Custom Certificate Fails on vCenter Server 6.x

book

Article ID: 344262

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:

Certificate Replacement with Custom Certificates fails on vCenter Server 6.x with lstool get-site-id failed error message
Certificate Manager log shows similar to below messages

2016-04-11T17:05:12.2Z ERROR certificate-manager Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.
2016-04-11T17:05:12.3Z ERROR certificate-manager 'lstool get-site-id' failed: 1
2016-04-11T17:05:12.3Z INFO certificate-manager Performing rollback of Machine SSL Cert...

Log location:
VCSA - /var/log/vmware/vmcad/certificate-manager.log
Windows vCenter Server - %ProgramData%\VMware\vCenterServer\logs\vmca\certificate-manager.log

Environment

VMware vCenter Server 6.5.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.0.x
VMware vCenter Server 7.0.x

Cause

This issue can happen while trying to replace Machine SSL of vCenter Server 6.x using Custom Certificate with an unsupported Signature Algorithm RSASSA-PSS

Resolution

To resolve the issue follow the steps below:

Regenerate the Certificate with a Supported Signature Algorithm (Eg. SHA256) and proceed with certificate replacement to fix the issue.
- Refer to Article Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate to replace the Machine SSL Certificate

Additional Information

Refer to VMware Doc Certificate Requirements for Different Solution Paths for more information on unsupported signature algorithms

Feedback

thumb_up Yes

thumb_down No