VMware VCSA Update Manager - Service crashed while starting

If you have used custom certificates and are having problems upgrading VMware VCSA or are having problems trying to perform a backup, you may have a problem with the VMware Update Manager service. VMware's knowledgebase article applies to this issue: https://kb.vmware.com/s/article/2121689.

This procedure should fix the thumbprint mismatch which is causing the problem.

SSH into your VMware vCentre Server Appliance.

ssh root@<HOSTNAME>

If your SSH session doesn't automatically enter a shell run the following.


Run the following command to get the currentl Machine SSL Certificate.

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/machineSSL.crt

Run the following command to get the SSL trust certificate.

(echo "-----BEGIN CERTIFICATE-----";/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>/dev/null |grep "SSL trust: " |cut -f2 -d: |cut -b2-;echo "-----END CERTIFICATE-----") > /tmp/newcert.crt

Get the thumbprints of the two certificates.

openssl x509 -in /tmp/machineSSL.crt -fingerprint -noout
openssl x509 -in /tmp/newcert.crt -fingerprint -noout

If the two thumbprints do not match then you need to perform the following.

/usr/lib/vmidentity/tools/scripts/ls_update_certs.py --url http://localhost:7080/lookupservice/sdk --fingerprint <SECOND_FINGERPRINT> --certfile /tmp/machineSSL.crt --user administrator@vsphere.local --password <PASSWORD>

Start the VMware Update Manager service.

service-control --start vmware-updatemgr

Page top