How to fix vCenter UI Alarm: Certificate Status

If you are also wondering, why does the below alarm appear on your vCenter UI? You also have no expired certificate in vCenter UI Certificate Management.

Find the below steps to investigate further:

1.    SSH into you vCenter Appliance using root credentials

Run any of the below commands to find out all the certificates and their expiration dates:

vp="/usr/lib/vmware-vmafd/bin/vecs-cli";sp="openssl x509 -noout";for s in $($vp store list | grep -Ev "* CRLS");do echo "[ $s ]";$vp entry list --store $s | awk '/^Alias :/{alias=$(NF);printf "%s\n",alias;}' | while read ca;do print f "\t[ $ca ]\n";c=$($vp entry getcert --store $s --alias $ca);ct=$(echo "$c" | $sp -text);fp=$(echo "$c" | $sp -fingerprint);ec ho "$ct"|awk -v fp="$fp" '/Before/{gsub(/^[ \t]+/,"",$0); split($0,b,":");}/After/{gsub(/^[ \t]+/,"",$0); split($0,af,":");}/Is suer:/{gsub(/^[ \t]+/,"",$0); split($0,i,":");}/Subject:/{gsub(/^[ \t]+/,"",$0); split($0,s,":");}/X.B.nts/{if($0!=""){gsub(/ ^[ \t]+/,"",$0);xc=$0;getline;gsub(/^[ 
1.    \t]+/,"",$0);xc1=$0;}}/{if($0!=""){gsub(/^[ \t]+/,"",$0);xu=$0;getline;gsub(/^[ \t]+/,"",$0);xu1=$0;}}/{if($0!=""){gsub(/^[ \t]+/,"",$0);xki=$0;getline;gsub(/^[ \t]+/,"",$0);xki1=$0;}}/X.Sub.e r/{if($0!=""){gsub(/^[ \t]+/,"",$0);xan=$0;getline;gsub(/^[ \t]+/,"",$0);xan1=$0;}}END{gsub(/^[ \t]+/,"",i[2]);gsub(/^[ \t]+/," ",s[2]);gsub(/^[ \t]+/,"",b[2]);if(b[1]!=""){ split(fp,a,"=");printf"\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%- 50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\n\n",i[1]":",i[2],s[1]":",s[2],b[1]":",b[2]":"b[3]":"b[4],af[1]":", af[2]":"af[3]":"af[4],a[1]":",a[2],xki,xki1,xan,xan1,xu,xu1,xc,xc1}}'| sed 's/ :/:/;s/critical/ /';done;done;


for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/v mware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

3. Below you can see this highlighted old and expired CSR named MACHINE_CSR in the MACHINE_SSL_CERT store is the cause of the alarm

4. Now, Delete the expired entity using the below command

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR

5. Re-run the command from Step 2, to check if the expired certificate is deleted

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

6. In the final step, reset the alarm to green.


Popular posts from this blog

All shared datastores failed on the host

How to Downgrade a VIB/Driver in ESXi 7

Error: "Datastore "XXX" conflicts with an existing datastore"