Search the VMware Knowledge Base (KB)
View by Article ID

After an upgrade from vCenter Server 5.x to vCenter Server 6.0, you see a critical alarm for certificate expiry (2120105)

  • 6 Ratings

Symptoms

After upgrading from vCenter Server 5.x to 6.0, you experience these symptoms:

  • You see a critical alarm in the vSphere Client or vSphere Web Client for a certificate expiry.
  • There are no expiring certificates in the environment.
  • Restarting VMware VirtualCenter Server after acknowledging the alarm cause the alarm to reappear.
In a VMware vSAN environment, you experience these symptoms:
  • Cannot see or manually add VMware vSAN Storage Providers in the VMware vSphere Web Client
  • Manually adding Storage Provider for vSAN in the vSphere Web client fails
  • In the VMware vSphere Web Client, VMware vSAN Storage Providers that were previously online report an offline or disconnected status
  • You see the error:

    The Register new storage provider operation failed for the entity with the following error message.
    A Problem was encountered while registering the provider


  • In the %ProgramData%\logs\vmware-sps\sps.log file on vCenter Server, you see entries similar to:

    ...] ERROR opId=90c4a3b5-0335-4451-b5a1-569f9360724a com.vmware.vim.sms.provider.vasa.VasaProviderImpl - SetContext failed!
    com.vmware.vim.sms.fault.VasaServiceException: org.apache.axis2.AxisFault: certificate has expired

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Cause

This issues occurs when the Storage Monitoring Service (SMS) 5.x certificate is still in the VECS (VMware Endpoint Certificate Store) and has expired. This certificate is no longer used in version vCenter Server 6.0.

Resolution

To resolve this issue, remove the expired certificate from the VECS:

For Windows-based vCenter Server:
  1. Log in to vCenter Server as an administrative user.
  2. Open a command prompt and navigate to C:\Program Files\VMware\vCenter Server\vmafdd.
  3. List all the stores present in VECS with this command:

    vecs-cli store list

  4. List all the entries in SMS store with this command:

    vecs-cli entry list --store sms

  5. Delete the sms_self_signed certificate:

    vecs-cli entry delete --store sms --alias sms_self_signed

  6. Restart the VMware vSphere Profile-Driven Storage Service. For more information, see Stopping, starting, or restarting VMware vCenter Server 6.0 services (2109881).


    Note: To verify that the SMS store certificate is recreated, wait for few minutes and then run the vecs-cli entry list --store sms command.

For vCenter Server Appliance:
  1. Log in as root using an SSH or console session on vCenter Server Appliance.
  2. Run this command to enable the shell:

    shell.set --enabled true

  3. Run this command to launch the shell:

    shell

  4. Navigate to /usr/lib/vmware-vmafd/bin.
  5. Run this command to list all the stores present in VECS:

    ./vecs-cli store list

  6. Run this command to list all the entries in SMS store:

    ./vecs-cli entry list --store sms

  7. Delete the sms_self_signed certificate:

    ./vecs-cli entry delete --store sms --alias sms_self_signed

  8. Restart SPS service with these commands:

    service-control --stop vmware-sps

    service-control --start vmware-sps


    Note
    : To verify that the SMS store certificate is recreated, wait for few minutes and then run the ./vecs-cli entry list --store sms command.

See Also

Request a Product Feature

To request a new product feature or to provide feedback on a VMware product, please visit the Request a Product Feature page.

Feedback

  • 6 Ratings

Did this article help you?
This article resolved my issue.
This article did not resolve my issue.
This article helped but additional information was required to resolve my issue.

What can we do to improve this information? (4000 or fewer characters)




Please enter the Captcha code before clicking Submit.
  • 6 Ratings
Actions
KB: