Opening the vCenter web page displays a "no healthy upstream" error, as shown in the figure.
Solution:
1. Use SSH to access the VCSA host.
2. Enter the following command to check the validity period of the certificates. The output shows that the __MACHINE_CERT certificate has expired.

    for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

    STORE MACHINE_SSL_CERT
    Alias: __MACHINE_CERT
    Not After : May 13 19:13:28 2023 GMT
    STORE TRUSTED_ROOTS
    Alias : 6a23dc81223746a515a85e9cca52764b2e3abb00
    Not After : May 8 07:13:28 2031 GMT
    STORE TRUSTED_ROOT_CRLS
    Alias : 64349b77335ceb78c86e429d2bc5592bd946d81f
    STORE machine
    Alias : machine
    Not After : May 8 07:13:28 2031 GMT
    STORE vsphere-webclient
    Alias: vsphere-webclient
    Not After : May 8 07:13:28 2031 GMT
    STORE vpxd
    Alias : vpxd
    Not After : May 8 07:13:28 2031 GMT
    STORE vpxd-extension
    Alias : vpxd-extension
    Not After : May 8 07:13:28 2031 GMT
    STORE hvc
    Alias : hvc
    Not After : May 8 07:13:28 2031 GMT
    STORE data-encipherment
    Alias : data-encipherment
    Not After : May 8 07:13:28 2031 GMT
    STORE APPLMGMT_PASSWORD
    STORE SMS
    Alias : sms_self_signed
    Not After : May 13 07:19:47 2031 GMT
    STORE wcp
    Alias : wcp
    Not After : May 8 07:13:28 2031 GMT

3. Execute the following command to regenerate the certificate.

    /usr/lib/vmware-vmca/bin/certificate-manager

    *** Welcome to the vSphere 7.0 Certificate Manager ***

    -- Select Operation --

    1. Replace Machine SSL certificate with Custom Certificate
    2. Replace VMCA Root certificate with Custom Signing
       Certificate and replace all Certificates
    3. Replace Machine SSL certificate with VMCA Certificate
    4. Regenerate a new VMCA Root Certificate and
       replace all certificates
    5. Replace Solution user certificates with
       Custom Certificate
       NOTE: Solution user certs will be deprecated in a future
       release of vCenter. Refer to release notes for more details.
    6. Replace Solution user certificates with VMCA certificates
    7. Revert last performed operation by re-publishing old
       certificates
    8. Reset all Certificates

    Note : Use Ctrl-D to exit.
    Option[1 to 8]: 3
    Please provide valid SSO and VC privileged user credential to perform certificate operations.
    Enter username [[email protected]]:[email protected]
    Enter password:
    certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : y
    Press Enter key to skip optional parameters or use Previous value.
    Enter proper value for 'Country' [Previous value : XX] :
    Enter proper value for 'Name' [Previous value : XX] : XXXX
    Enter proper value for 'Organization' [Previous value : XX] : XXX
    Enter proper value for 'OrgUnit' [Previous value : IT] :
    Enter proper value for 'State' [Previous value : GD] :
    Enter proper value for 'Locality' [Previous value : SZ] :
    Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 10.1.248.200
    Enter proper value for 'Email' [Previous value : XXXX] :
    Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : XXXX
    Enter proper value for VMCA 'Name' :XXX
    You are going to regenerate Machine SSL cert using VMCA
    Continue operation : Option[Y/N] ? : y
    Status : 100% Completed [All tasks completed successfully]

4. Repeat the command from step 2 to recheck the validity period of the certificates, and finally restart the VCSA.

    for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

    STORE MACHINE_SSL_CERT
    Alias: __MACHINE_CERT
    Not After : May 23 08:45:22 2025 GMT
    STORE TRUSTED_ROOTS
    Alias : 6a23dc81223746a515a85e9cca52764b2e3abb00
    Not After : May 8 07:13:28 2031 GMT
    STORE TRUSTED_ROOT_CRLS
    Alias : 1e1215514e59417072d1522937e387a693a67af8
    STORE machine
    Alias : machine
    Not After : May 8 07:13:28 2031 GMT
    STORE vsphere-webclient
    Alias: vsphere-webclient
    Not After : May 8 07:13:28 2031 GMT
    STORE vpxd
    Alias : vpxd
    Not After : May 8 07:13:28 2031 GMT
    STORE vpxd-extension
    Alias : vpxd-extension
    Not After : May 8 07:13:28 2031 GMT
    STORE hvc
    Alias : hvc
    Not After : May 8 07:13:28 2031 GMT
    STORE data-encipherment
    Alias : data-encipherment
    Not After : May 8 07:13:28 2031 GMT
    STORE APPLMGMT_PASSWORD
    STORE SMS
    Alias : sms_self_signed
    Not After : May 13 07:19:47 2031 GMT
    STORE wcp
    Alias : wcp
    Not After : May 8 07:13:28 2031 GMT
    STORE BACKUP_STORE
    Alias : bkp___MACHINE_CERT
    Not After : May 13 19:13:28 2023 GMT
    Alias : bkp_machine
    Not After : May 8 07:13:28 2031 GMT
    Alias : bkp_vpxd-extension
    Not After : May 8 07:13:28 2031 GMT
    Alias : bkp_vsphere-webclient
    Not After : May 8 07:13:28 2031 GMT
    Alias : bkp_vpxd
    Not After : May 8 07:13:28 2031 GMT
    Alias : bkp_hvc
    Not After : May 8 07:13:28 2031 GMT
    Alias: bkp_wcp
    Not After : May 8 07:13:28 2031 GMT

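The check in steps 2 and 4 can be automated so that an expiring certificate is noticed before the web client fails. The script below is an added example, not part of the original article or of VMware's tooling: it parses the STORE / Alias / Not After listing and reports entries that are expired or within a warning window. It assumes GNU `date` (`date -d`); the function names `ltrim`, `check_vecs_expiry` and `sample_listing` are hypothetical, and the sample input is an excerpt of the step 2 output above.

```shell
#!/bin/sh
# Added example: flag expired / soon-to-expire entries in the filtered
# vecs-cli listing from step 2. Assumes GNU date; names are hypothetical.

# Strip leading whitespace (some fields may be indented in raw output).
ltrim() {
    local s=$1
    printf '%s' "${s#"${s%%[![:space:]]*}"}"
}

# check_vecs_expiry NOW WARN_DAYS  -- listing is read from stdin.
# Prints "EXPIRED store/alias" or "EXPIRING store/alias" per finding.
check_vecs_expiry() {
    local now warn store="" entry="" line end
    now=$(date -u -d "$1" +%s) || return 2
    warn=$(( $2 * 86400 ))
    while IFS= read -r line; do
        line=$(ltrim "$line")
        case "$line" in
            STORE\ *) store=${line#STORE }; entry="" ;;
            Alias*)   entry=$(ltrim "${line#*:}") ;;
            "Not After"*)
                end=$(date -u -d "$(ltrim "${line#*:}")" +%s) || continue
                if [ "$end" -le "$now" ]; then
                    echo "EXPIRED $store/$entry"
                elif [ $(( end - now )) -le "$warn" ]; then
                    echo "EXPIRING $store/$entry"
                fi ;;
        esac
    done
}

# Excerpt of the step 2 output shown on this page, used as sample input.
sample_listing() {
    cat <<'EOF'
STORE MACHINE_SSL_CERT
Alias: __MACHINE_CERT
Not After : May 13 19:13:28 2023 GMT
STORE machine
Alias : machine
Not After : May 8 07:13:28 2031 GMT
STORE APPLMGMT_PASSWORD
STORE SMS
Alias : sms_self_signed
Not After : May 13 07:19:47 2031 GMT
EOF
}

sample_listing | check_vecs_expiry "2023-06-01 00:00:00 UTC" 30
```

On the appliance, pipe the output of the loop from step 2 into `check_vecs_expiry "now" 30` instead of the sample listing.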
Refer to the official website link:
VMware Knowledge Base