ESXi Maintenance mode : Failed to enter namespaces maintenance mode

Published by Valentin on

When you try to put an ESXi host in maintenance mode, you receive this error:

Failed to enter namespaces maintenance mode due to Error: com.vmware.vapi.std.errors.unauthenticated Messages: vapi.security.authentication.invalid<Unable to authenticate user> . Retry 1

Version of vCenter: 7.0 U3

After some time investigating, I found that one certificate had expired: WCP

The customer replaced the certificate through the interface, and one certificate wasn’t replaced.

WCP is the certificate linked to the “Solution User”.

This is the command to run to check that the certificates aren’t expired:

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

This command lists the certificates with their aliases and expiration dates:

[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Oct  4 11:13:16 2025 GMT
[*] Store : TRUSTED_ROOTS
Alias : *******************************
            Not After : Oct  1 09:40:35 2031 GMT
[*] Store : machine
Alias : machine
            Not After : Oct  1 09:40:35 2031 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
            Not After : Oct  1 09:40:35 2031 GMT
[*] Store : vpxd
Alias : vpxd
            Not After : Oct  1 09:40:35 2031 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
            Not After : Oct  1 09:40:35 2031 GMT
[*] Store : hvc
Alias : hvc
            Not After : Oct  1 09:40:35 2031 GMT
[*] Store : data-encipherment
Alias : data-encipherment
            Not After : Oct  1 09:40:35 2031 GMT
[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : SMS
Alias : sms_self_signed
            Not After : Oct  6 09:45:02 2031 GMT
[*] Store : wcp
Alias : wcp
            Not After : Oct  6 09:36:18 2023 GMT
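
Reading "Not After" dates by eye is how a single expired store such as wcp gets missed. The following is an added example, not part of the original post or of any VMware tooling: it parses the output format shown above and flags expired or soon-to-expire entries. The function names and the 30-day warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Trimmed copy of the vecs-cli output shown above, embedded so this runs offline.
SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Oct  4 11:13:16 2025 GMT
[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : wcp
Alias : wcp
            Not After : Oct  6 09:36:18 2023 GMT
"""

def parse_entries(text):
    """Return (store, alias, not_after) tuples; not_after is None when an
    entry has no certificate (e.g. the APPLMGMT_PASSWORD store)."""
    entries, store = [], None
    for line in text.splitlines():
        # Split on the first colon only: the timestamp contains colons too.
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), " ".join(value.split())
        if key.endswith("store"):
            store = value
        elif key == "alias":
            entries.append([store, value, None])
        elif key == "not after" and entries:
            entries[-1][2] = datetime.strptime(
                value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return [tuple(e) for e in entries]

def classify(entries, now, warn_days=30):
    """Map (store, alias) to EXPIRED, EXPIRING, OK or NO_CERT."""
    report = {}
    for store, alias, not_after in entries:
        if not_after is None:
            status = "NO_CERT"
        elif not_after <= now:
            status = "EXPIRED"
        elif not_after - now <= timedelta(days=warn_days):  # assumed window
            status = "EXPIRING"
        else:
            status = "OK"
        report[(store, alias)] = status
    return report

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for (store, alias), status in classify(parse_entries(SAMPLE), now).items():
        print(f"{status:9} {store}/{alias}")
```

On the appliance, the output of the loop above can be saved to a file and passed to parse_entries() in place of SAMPLE.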

To solve the issue, we just run the certificate renewal script, called certificate-manager:

/usr/lib/vmware-vmca/bin/certificate-manager

Option 6: Replace Solution user certificates with VMCA certificates 

First, you will need to provide the administrator@vsphere.local user name and password.

Second, fill in the CSR request; the important fields to adjust for your environment are:

  • IPAddress
  • Hostname
  • VMCA Name

Replacing this certificate will restart the VMware vCenter Service.
