VMware

VCSA “Certificate Status” alarm triggered

Good morning crew,

This morning the built-in alarm definition “Certificate Status” (Default alarm that monitors whether a certificate is getting close to its expiration date.) has been triggered on my VCSA 7.0.0d. When reviewing Menu > Certificates > Certificate Management I see no certificates expiring any time soon (not for 10+ months). I’ve been through the VCSA logs sent to syslog and searched for certificate, expire and the like. Nothing useful.

I’ve recently replaced my STS certificates. Running “python checksts.py” ([https://kb.vmware.com/s/article/79248](https://kb.vmware.com/s/article/79248)) leaves me with:

```
2 VALID CERTS
================
LEAF CERTS:
[] Certificate BF:EF:32:8A:A3:BF:DB:21:ED:2B:CF:DB:B2:1B:4B:F4:52:64:A2:FD will expire in 726 days (2 years).
ROOT CERTS:
[] Certificate 48:0E:2E:30:99:D6:4B:9A:9C:90:2B:25:A2:18:BD:65:3C:B7:85:AA will expire in 3290 days (9 years).
0 EXPIRED CERTS
================
LEAF CERTS:
None
ROOT CERTS:
None
```

Then I checked the individual certificates:

```
roost@vcsa [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less |grep "Not After"
Not After : Sep 18 10:12:15 2029 GMT
Not After : Sep 4 10:33:02 2028 GMT
Not After : Oct 18 08:26:50 2028 GMT
Not After : Oct 18 08:13:39 2038 GMT
roost@vcsa [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text | less |grep "Not After"
Not After : Aug 28 08:49:09 2021 GMT
roost@vcsa [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store machine --text | less |grep "Not After"
Not After : Jul 28 07:47:24 2022 GMT
roost@vcsa [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vpxd --text | less |grep "Not After"
Not After : Jul 28 07:47:26 2022 GMT
roost@vcsa [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vpxd-extension --text | less |grep "Not After"
Not After : Jul 28 07:47:27 2022 GMT
roost@vcsa [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vsphere-webclient --text | less |grep "Not After"
Not After : Jul 28 07:47:25 2022 GMT
roost@vcsa [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store SMS --text | less | grep "Not After"
Not After : Sep 10 11:50:43 2028 GMT
roost@vcsa [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOT_CRLS --text | less |grep "Not After"
```

I don’t see anything expiring real soon. How can I identify the certificate that’s about to expire?

[edit] edit markdown for readability[/edit]
Reddit post by zwamkat
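An added example, not part of the original post: a small Python helper that reads a captured `vecs-cli entry list --store <store> --text` session like the one above and turns each `Not After` line into days remaining per store, so the entries can be compared against a chosen threshold. The function names, the reference date and the threshold values are assumptions for illustration.

```python
import re
from datetime import datetime

# Sample input built from the session in the post (prompt shortened to "#",
# plain ASCII dashes). NOW and the thresholds below are assumptions.
SAMPLE = """\
# vecs-cli entry list --store TRUSTED_ROOTS --text | grep "Not After"
Not After : Sep 18 10:12:15 2029 GMT
Not After : Sep 4 10:33:02 2028 GMT
# vecs-cli entry list --store MACHINE_SSL_CERT --text | grep "Not After"
Not After : Aug 28 08:49:09 2021 GMT
# vecs-cli entry list --store machine --text | grep "Not After"
Not After : Jul 28 07:47:24 2022 GMT
"""
NOW = datetime(2020, 10, 20)  # assumed "today"; the post does not give a date

STORE_RE = re.compile(r"--store\s+(\S+)")
NOT_AFTER_RE = re.compile(
    r"Not After\s*:\s*(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\d{4})\s+GMT")


def parse_expiries(transcript):
    """Return [(store, not_after)] in the order seen in the transcript."""
    store, found = None, []
    for line in transcript.splitlines():
        m = STORE_RE.search(line)
        if m:                      # a command line: remember the current store
            store = m.group(1)
            continue
        m = NOT_AFTER_RE.search(line)
        if m:                      # normalise spacing ("Sep  4" vs "Sep 4")
            stamp = " ".join(m.group(1).split())
            found.append((store, datetime.strptime(stamp, "%b %d %H:%M:%S %Y")))
    return found


def expiring(transcript, now, threshold_days):
    """Entries expiring within threshold_days of now (or already expired),
    soonest first, as (store, days_left, not_after)."""
    rows = [(s, (t - now).days, t) for s, t in parse_expiries(transcript)]
    return sorted((r for r in rows if r[1] <= threshold_days), key=lambda r: r[1])


if __name__ == "__main__":
    for store, days, when in expiring(SAMPLE, NOW, 365):
        print(f"{store}: {days} days left (Not After {when} GMT)")
```

Only stores that were actually queried appear in the result, so a store missing from the captured session is not covered by this check.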
