After replacing vCenter Server certificates, WCP Service won’t start.

The last time I tried to log in to PoC vCenter, I ran into problems. After checking a few things, it turned out that the problem was an expired certificate. In this case, it is easy to regenerate it using the built-in Certificate Manager on the vCenter server. Then I saw that Workload Management infinitely reconfigures…

1. Symptoms:

Workload Management is in Configuring state.

Kubernetes Status has some Warnings.

Let’s look at the logs from the vCenter Server:

tail -f /var/log/vmware/wcp/wcpsvc.log

There are many errors related to the EAM service.
When you update vCenter certificates, Certificate Manager is unable to automatically update the EAM certificate.
The workaround/solution is to run the updateExtensionCertInVC.py script to fix this problem.

2. Resolution

1. Log in to the vCenter Server Appliance using SSH and access the Bash shell.

2. Create the “/certificate” folder and then retrieve the vpxd-extension solution user certificate and key:

mkdir /certificate

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key


3. Run this command to update the configuration. Remember to change the vCenter name and Administrator domain to @vsphere.local

python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s vmware-vcs-01.infra.home -u Administrator@vsphere.local

If the line Successfully updated certificate for “com.vmware.vim.eam” extension is present, the procedure went well despite the SSL error below: [SSL:CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for ‘sdkTunnel’. (_ssl.c:1076)

4. Restart the EAM service and start all other services:

service-control --stop vmware-eam
service-control --start --all

If you want, you can stop all services and then start them all. In that case, change the first command to:

service-control --stop --all

5. Great, all services are up and Workload Management status is in Running state 🙂
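
A pre-flight check for the files exported in step 2, run before step 3. This is an added example, not part of the original post or the VMware KB. The function names and the 30-day warning window are assumptions; it only uses standard openssl commands to confirm that the certificate is readable and not expired and that the exported key actually belongs to it.

```bash
#!/usr/bin/env bash
# Added example: sanity-check an exported certificate/key pair before
# passing it to updateExtensionCertInVC.py. The function names and the
# 30-day warning window are assumptions made for this example.

# Print "unreadable", "expired", "expiring" or "ok" for a PEM certificate.
cert_status() {
    local crt="$1" warn_days="${2:-30}"
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$crt" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Succeed only if the private key belongs to the certificate.
# Compares the public key embedded in each file.
key_matches_cert() {
    local crt="$1" key="$2" from_crt from_key
    from_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# Run all checks; print subject, expiry and fingerprint on success.
preflight() {
    local crt="$1" key="$2" status
    chmod 600 "$key" || return 1   # private key: owner-only
    status=$(cert_status "$crt")
    case "$status" in
        ok) ;;
        expiring) echo "warning: certificate expires soon: $crt" >&2 ;;
        *) echo "certificate is $status: $crt" >&2; return 1 ;;
    esac
    if ! key_matches_cert "$crt" "$key"; then
        echo "key does not match certificate" >&2
        return 1
    fi
    openssl x509 -in "$crt" -noout -subject -enddate -fingerprint -sha256
}

# Usage: ./preflight.sh /certificate/vpxd-extension.crt /certificate/vpxd-extension.key
if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
fi
```

The exported file /certificate/vpxd-extension.key is the private key of the vpxd-extension solution user, so delete the /certificate folder once the extension update has succeeded.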


Source:
KB from VMware: https://kb.vmware.com/s/article/80588
