"Signing certificate is not valid" error in vCenter Server 6.5.x and 6.7.x on Windows

Article ID: 338889


Products

VMware vCenter Server

Issue/Introduction

This article provides steps for regenerating and replacing an expired Security Token Service (STS) certificate in VMware vCenter Server 6.5.x and 6.7.x installed on Windows, using a PowerShell script.

For steps on regenerating and replacing an expired Security Token Service (STS) certificate in VMware VCSA 6.5.x, 6.7.x and vCenter Server 7.0.x using a shell script, see "Signing certificate is not valid" error in VCSA 6.5.x/6.7.x and vCenter Server 7.0.x (76719).


Symptoms:
In an environment with vCenter Server 6.5.x or 6.7.x installed on Windows, you experience these symptoms:
  • VMware VirtualCenter Server service fails to start.
  • Logging in through the Web client displays errors similar to:

    HTTP Status 400 – Bad Request Message BadRequest, Signing certificate is not valid
     
  • Logging in through the Web client displays errors similar to:

    503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x00007fb444041040] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe)

  • Logging in through the Web Client displays a message similar to:

    User name and password are required

  • Replacing any certificate on either PSC or VCSA fails.
  • Adding, modifying or deleting registrations from the Lookup Service manually using the lsdoctor tool fails.
  • Deploying a new PSC and doing a cross domain repoint fails.
  • Deploying a new PSC as a replication partner on the existing SSO domain fails.
  • Logging in through the Web client displays errors similar to:

    Cannot connect to vCenter Single Sign-On server https://VC_FQDN/sts/STSService/vsphere.local
    OR
    Cannot connect to vCenter Single Sign-On server https://VC_FQDN:7444/sts/STSService/vsphere.local
    OR
    [400] An error occurred while sending an authentication request to the vCenter Single Sign-On server


Environment

VMware vCenter Server 6.7.x
VMware vCenter Server 6.5.x

Cause

This issue occurs when the Security Token Service (STS) certificate has expired. Internal services and solution users can then no longer acquire valid tokens, and as a result they fail to function as expected.

Note: When the STS certificate expires, it does so without warning. On some systems, this expiry may occur as soon as two years from the initial deployment.

These are the scenarios in which the STS signing certificate is expected to have a lifetime of around 2 years:
  • Fresh installation of PSC/vCenter Server 6.5 starting with U2 or later (6.5 lines only).
  • Fresh installation of PSC/vCenter Server 6.5 U2 or any later 6.5 releases and upgraded to a later version including 6.7 and 7.0.
  • STS signing certificate has been replaced using certool post installation of PSC or vCenter Server.
  • STS signing certificate has been replaced with custom certificate (Internal/External CA Signed).

Resolution

To resolve this issue:
  1. Download the attached "fixsts.ps1" from this article and upload it to the affected PSC or vCenter Server with embedded PSC, into C:\Temp or any other available folder.
  2. If the vCenter Server version is lower than 6.7 Update 3g, download the attached "vmware-identity-sso-config67u3g.jar" from this article and upload it to the affected PSC or vCenter Server with embedded PSC, into the same folder as in step 1.
  3. Open a PowerShell session as administrator (Start > Search > PowerShell > Run as administrator).
  4. Change directory to the folder into which you uploaded the files using cd "path to folder".
  5. Run ./fixsts.ps1.
  6. Restart services on all vCenters and/or PSCs in your SSO domain.
  7. Replace any other expired certificates you might have, using certificate manager as shown in How to use vSphere Certificate Manager to Replace SSL Certificates.
The following one-liner lists the aliases and "Not After" dates of the certificates in every VECS store, so other expired certificates on the Windows vCenter Server can be identified. It must be executed in PowerShell:

$VCInstallHome = [System.Environment]::ExpandEnvironmentVariables("%VMWARE_CIS_HOME%");foreach ($STORE in & "$VCInstallHome\vmafdd\vecs-cli" store list){Write-host STORE: $STORE;& "$VCInstallHome\vmafdd\vecs-cli" entry list --store $STORE --text | findstr /C:"Alias" /C:"Not After"}
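As an added example (not part of this article or of VMware's tooling), the following PowerShell turns the Alias / Not After lines produced by the same vecs-cli calls into a per-certificate expiry status, so certificates that need replacing in step 7 stand out instead of having to be read off by hand. The "MMM d HH:mm:ss yyyy GMT" date layout is an assumption about the --text output; verify it on your build before relying on the result.

```powershell
# Added example, not the article's or VMware's code. Parses the "Alias :" and
# "Not After :" lines of "vecs-cli entry list --store <store> --text" and flags
# certificates that are expired or expire within $WarnDays.
function Get-VecsCertExpiry {
    param(
        [string[]]$Lines,                        # --text output for one store
        [string]$Store,
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date).ToUniversalTime()
    )
    $alias = '<unknown>'
    foreach ($line in $Lines) {
        if ($line -match '^\s*Alias\s*:\s*(.+?)\s*$') { $alias = $Matches[1]; continue }
        if ($line -match 'Not After\s*:\s*(.+?)\s*$') {
            # Assumed OpenSSL-style date; collapse the double space before single-digit days ("Jan  5")
            $raw = ($Matches[1] -replace '\s+GMT$', '') -replace '\s+', ' '
            $notAfter = [datetime]::ParseExact($raw, 'MMM d HH:mm:ss yyyy',
                [Globalization.CultureInfo]::InvariantCulture,
                ([Globalization.DateTimeStyles]::AssumeUniversal -bor
                 [Globalization.DateTimeStyles]::AdjustToUniversal))
            $daysLeft = [int][math]::Floor(($notAfter - $Now).TotalDays)
            $status = 'OK'
            if ($daysLeft -lt 0) { $status = 'EXPIRED' }
            elseif ($daysLeft -le $WarnDays) { $status = 'EXPIRING' }
            [pscustomobject]@{ Store = $Store; Alias = $alias; NotAfter = $notAfter
                               DaysLeft = $daysLeft; Status = $status }
        }
    }
}

# Runs the check over every VECS store, using the same vecs-cli calls as the article's one-liner.
function Get-AllVecsCertExpiry {
    param([int]$WarnDays = 30)
    $vecs = Join-Path $env:VMWARE_CIS_HOME 'vmafdd\vecs-cli.exe'
    foreach ($store in (& $vecs store list)) {
        Get-VecsCertExpiry -Lines (& $vecs entry list --store $store --text) -Store $store -WarnDays $WarnDays
    }
}

# Constructed sample --text output (not captured from a real system) so the parser can be exercised offline.
$sample = @(
    'Alias :	__MACHINE_CERT',
    '        Not After : Mar 14 09:00:00 2021 GMT',
    'Alias :	machine-ssl-old',
    '        Not After : Jan  5 12:00:00 2019 GMT'
)
$asOf = (Get-Date -Date '2021-03-01T00:00:00Z').ToUniversalTime()
Get-VecsCertExpiry -Lines $sample -Store 'MACHINE_SSL_CERT' -Now $asOf | Format-Table -AutoSize
```

On a live Windows vCenter Server or PSC, call Get-AllVecsCertExpiry from an elevated PowerShell session in place of the sample block.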

Note: If you replaced Machine SSL or VMCA Root certificates, you will need to re-register 2nd party solutions such as NSX, SRM, and vSphere Replication.

Note: If you are using HLM (Hybrid Linked Mode) without a gateway, you need to re-sync the certificates from Cloud to On-Prem after following this procedure.

The script asks for the SSO administrator password and then proceeds to regenerate and replace the STS certificate.

This is an example of successful output:

Generating New STS Certificate
Status : Success
Using config file : C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg
Status : Success
User DN is: cn=administrator,cn=users,dc=vsphere,dc=local
Successfully deleted cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
Successfully deleted cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
vCenter Server Version is 6.7.0.31555 Build 16046470
All STS Tenant branches deleted!
Re-creating STS tenant
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/C:/Program%20Files/VMware/vCenter%20Server/VMware%20Identity%20Services/log4j-slf4j-impl-2.11.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/Program%20Files/VMware/vCenter%20Server/VMware%20Identity%20Services/slf4j-log4j12-1.6.4.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/ProgramData/VMware/vCenterServer/runtime/VMwareSTSService/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.11.2.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/C:/ProgramData/VMware/vCenterServer/runtime/VMwareSTSService/webapps/ROOT/WEB-INF/lib/slf4j-log4j12-1.7.26.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
STS Certificate Replaced Successfully!!, please restart the services
Since the STS certificate has been replaced, you may need to re-register external solutions (SRM, NSX, etc.)


Additional Information

VMware Skyline Health Diagnostics for vSphere - FAQ

For more information on viewing the STS certificate and determining the expiry date please see Checking Expiration of STS Certificate on vCenter Server.

Impact/Risks:

Warning

This script interacts with the VMDIR database. Take offline snapshots concurrently of all vCenter Servers and Platform Services Controllers in the SSO domain before running the script.

Attachments

fixsts.ps1
vmware-identity-sso-config67u3g.jar