VCSA 6.7 – vpxd doesn't start after replacing machine SSL certs

I created a new VCSA 6.5.0 VM using the win32 GUI.

After the installation completed, I wanted to replace the machine SSL certificates using the HTML5 web GUI.

I imported the Terena CA and then replaced the machine SSL cert (key & crt). After rebooting, everything worked fine.

I then deleted this VM and created a new VCSA 6.7 VM using the win32 GUI and exactly the same parameters as before (FQDN, IP, …). DNS entries are OK (FQDN to IP and IP to FQDN).

After the installation completed, I imported the same certificate as before. After rebooting, when I try to access the web GUI, I get the following error:


503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x00007f3890084700] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe)



I tried to replace the certificate from the CLI using certificate-manager:

Updated 34 service(s)

Status : 70% Completed [stopping services…]

Status : 85% Completed [starting services…]

Error while starting services, please see service-control log for more details

Status : 0% Completed [Operation failed, performing automatic rollback]              

Error while replacing Machine SSL Cert, please see /var/log/vmware/vmcad/certificate-manager.log for more information.

Performing rollback of Machine SSL Cert…

Get site nameus : 0% Completed [Rollback Machine SSL Cert…]    


This is the /var/log/vmware/vmcad/certificate-manager.log log :


2019-12-06T13:19:16.509Z INFO certificate-manager None

2019-12-06T13:19:26.519Z INFO certificate-manager Running command :- service-control --start --all

2019-12-06T13:19:26.519Z INFO certificate-manager please see service-control.log for service status

Service-control failed. Error: Failed to start services in profile ALL. RC=2, stderr=Failed to start vpxd services. Error: Service crashed while starting

2019-12-06T13:25:38.27Z ERROR certificate-manager None


This is the vpxd.log :


--> [context]zKq7AVECAAAAAGC34QANdnB4ZAAA4AArbGlidm1hY29yZS5zbwAAWCUbAP6dGACeQCIAaXEiABtFIgDTSSIAOaIjAHFvIwA6ciMAnVYrAdRzAGxpYnB0aHJlYWQuc28uMAAC3Y4ObGliYy5zby42AA==[/context]

2019-12-06T13:23:09.269Z error vpxd[59800] [Originator@6876 sub=AuthzStorageProvider] [AuthzStorageProvider::CreateAuthzMgr] Failed to connect to IS: <N5Vmomi5Fault17HostCommunication9ExceptionE(Fault cause: vmodl.fault.HostCommunication

--> )

--> [context]zKq7AVECAAAAAGC34QASdnB4ZAAA4AArbGlidm1hY29yZS5zbwAAWCUbAP6dGAHu8VN2cHhkAAHu1VoBzsNjATdPoAGuOKACwO0BbGliYXV0aHpjbGllbnQuc28AAmkGAgLijQICxIUCAb3XngE6CVQBimhUARnGUgOQBQJsaWJjLnNvLjYAAaW+Ug==[/context]>

2019-12-06T13:23:09.270Z info vpxd[59800] [Originator@6876 sub=AuthzStorageProvider] [AuthzStorageProvider::CreateAuthzMgr] Retry for this error: attempt count 29

2019-12-06T13:23:12.314Z warning vpxd[59800] [Originator@6876 sub=VpxdAuthClient] [ConnectAndLogin] Failed to loginBySamlToken: N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:

--> PeerThumbprint: 6B:B6:1F:29:7C:01:E8:65:09:A1:49:C2:46:71:BC:54:11:FB:7F:A8

--> ExpectedThumbprint:

--> ExpectedPeerName: localhost

--> The remote host certificate has these problems:

--> * Host name does not match the subject name(s) in certificate.)



I don’t know why ExpectedPeerName is searching for localhost; I always used the FQDN and the real IP during the process, and DNS is correctly resolving the IP address and FQDN.

Whether I use the web GUI or the CLI to replace the machine certificate, vpxd doesn’t launch afterwards.

Are there new prerequisites for installing a custom SSL certificate since 6.7.0?
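
An added example, not part of the original post: a small Python parser that pulls the SSLVerifyException entries out of vpxd.log lines, so the presented thumbprint, the expected peer name and the reported problems can be read side by side. The function name `ssl_verify_failures` and the sample input (constructed from the excerpt above) are this example's own.

```python
import re

# Constructed sample: lines copied from the vpxd.log excerpt in the post,
# with continuation lines written as "-->".
SAMPLE = """\
2019-12-06T13:23:09.270Z info vpxd[59800] [Originator@6876 sub=AuthzStorageProvider] [AuthzStorageProvider::CreateAuthzMgr] Retry for this error: attempt count 29
2019-12-06T13:23:12.314Z warning vpxd[59800] [Originator@6876 sub=VpxdAuthClient] [ConnectAndLogin] Failed to loginBySamlToken: N7Vmacore3Ssl18SSLVerifyExceptionE(SSL Exception: Verification parameters:
--> PeerThumbprint: 6B:B6:1F:29:7C:01:E8:65:09:A1:49:C2:46:71:BC:54:11:FB:7F:A8
--> ExpectedThumbprint:
--> ExpectedPeerName: localhost
--> The remote host certificate has these problems:
--> * Host name does not match the subject name(s) in certificate.)
"""

HEAD = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z) (?P<level>\w+) .*?sub=(?P<sub>[^\]]+)\]")
CONT = re.compile(r"^\s*[-\u2013]+>\s?(.*)$")  # "-->" or a copy-pasted en-dash form
FIELD = re.compile(r"^(PeerThumbprint|ExpectedThumbprint|ExpectedPeerName):\s*(.*)$")

def ssl_verify_failures(lines):
    """Return one dict per SSLVerifyException entry found in vpxd.log lines."""
    events, cur = [], None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue  # blank lines do not end an entry
        cont = CONT.match(line)
        if cont:
            if cur is not None:
                body = cont.group(1).strip()
                field = FIELD.match(body)
                if field:
                    cur[field.group(1)] = field.group(2).strip()
                elif body.startswith("* "):
                    cur["problems"].append(body[2:].rstrip(")").strip())
            continue
        # Any other line starts a new log entry; track only SSL verify failures.
        head = HEAD.match(line)
        cur = None
        if head and "SSLVerifyException" in line:
            cur = {"ts": head["ts"], "sub": head["sub"], "problems": []}
            events.append(cur)
    return events

if __name__ == "__main__":
    for ev in ssl_verify_failures(SAMPLE.splitlines()):
        print(ev)
```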
