Fix VMware vCenter 503 Service Unavailable Error – Step-by-Step Troubleshooting Guide
Whether in a production or test environment, the vCenter certificate expiration date is often overlooked. The result is that vCenter suddenly reports an error while you are managing hosts or VMs, and the vCenter web console can no longer be accessed normally (503 error).
When accessing vCenter via a web browser, an error is reported: 503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x0000563fa6eb6ac0] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe). No matter how many times vCenter is restarted, it doesn't help. Restarting all vCenter services also doesn't bring them up.
Problem Analysis:
A vCenter 503 error typically indicates that critical vCenter Server services, such as vpxd, have not been started. At this point, you can prioritize checking if the vCenter certificate has expired. Since the vCenter web console is inaccessible, you can only check and fix it via the shell.
What Causes the vCenter 503 Service Unavailable Error?
The 503 Service Unavailable error in VMware vCenter typically occurs when the vSphere Web Client cannot connect to backend services. Common causes include:
- vCenter Server services stopped or failed to start.
- Database connectivity issues.
- Resource exhaustion (CPU, RAM, or disk).
- SSL/TLS certificate misconfigurations.
- Damaged or outdated vCenter installation.
Solution:
Before you start: It is recommended to take a snapshot of the virtual machine before making any changes to it!
1. Access vCenter's FQDN or IP address plus port 5480 in your browser (e.g., https://vc.lab.local:5480 or https://192.168.1.1:5480). In the left navigation bar, click "Access", and enable the "SSH Login" function in the "Edit" section on the right.
2. Use WinSCP or other SCP tools to upload the checksts.py certificate detection tool (available at the end of this article) to the /tmp directory of vCenter. If WinSCP reports an error during upload, such as "Received too large (1433299822 B) SFTP packet. Max supported packet size is 1024000 B", first SSH into vCenter and run the following command, then try uploading again:
chsh -s /bin/bash root
3. Run the script to check the certificate status
cd /tmp
python checksts.py
As shown in the figure above, there are two expired certificates in "EXPIRED CERTS", which prevent vCenter from starting normally.
4. If expired certificates are found, you need to upload the fixsts.sh certificate repair tool (this tool can be obtained at the end of the article) to the /tmp directory via WinSCP to repair the certificates.
cd /tmp
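# Owner-only permissions: the script runs as root from /tmp, so other users must not be able to modify it
chmod 700 fixsts.sh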
./fixsts.sh
service-control --stop --all && service-control --start --all
5. After waiting for some time, re-access the vCenter URL in the browser, and you can log in normally.
6. If vCenter has not recovered after the above operations, you can try to use the VMCA tool to update all certificates. First, log in to the vCenter shell and run the following command:
/usr/lib/vmware-vmca/bin/certificate-manager
Type the number 8, press Enter, and enter the following information as appropriate to update all certificates:
Please configure certool.cfg file with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] : Press Enter for default
Enter proper value for 'Name' [Default value : CA] : Press Enter for default
Enter proper value for 'Organization' [Default value : VMware] : Press Enter for default
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] : Press Enter for default
Enter proper value for 'State' [Default value : California] : Press Enter for default
Enter proper value for 'Locality' [Default value : Palo Alto] : Press Enter for default
Enter proper value for 'IPAddress' [optional] : Enter vCenter IP address
Enter proper value for 'Email' [Default value : email@acme.com] : Press Enter for default
Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.example.com] : If vCenter has an FQDN, enter the FQDN; if it's an IP installation, enter the IP
Enter proper value for VMCA 'Name': (Note: This information will be requested from vCenter Server 6.0 U3, 6.5 and later builds, you may use the FQDN/PNID of vCenter Server for this field. It will be used as a Common Name for the VMCA Root Certificate) Enter the vCenter IP
Best Practices to Avoid Future 503 Errors
- Regularly update vCenter Server to the latest stable build.
- Monitor resource usage with vSphere monitoring tools.
- Schedule service restarts during maintenance windows.
- Back up the vCenter database and configuration before upgrades.
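Because the outage described in this article came from expired certificates, an expiry check can run alongside these practices. The following is an added example, not part of checksts.py or fixsts.sh: a Python 3 script that classifies certificates from the text printed by `/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store <store> --text`. The "Alias" / "Not After" line layout, the 30-day threshold and the sample data are assumptions made for illustration; the script only reads what is piped into it and does not replace checksts.py.

```python
import re
import sys
from datetime import datetime, timezone

ALIAS_RE = re.compile(r"^\s*Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$")

# Constructed sample, not captured from a real system.
SAMPLE = """\
Alias : __MACHINE_CERT
            Not After : Mar  4 09:12:44 2024 GMT
Alias : machine
            Not After : Feb 20 09:12:44 2026 GMT
Alias : vpxd-extension
            Not After : Apr 10 09:12:44 2024 GMT
"""

def parse_expiry(text):
    """Return [(alias, not_after_utc)] from Alias / Not After line pairs."""
    results, alias = [], None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = NOT_AFTER_RE.match(line)
        if m and alias is not None:
            stamp = " ".join(m.group(1).split())  # collapse the space-padded day field
            results.append((alias, datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")))
            alias = None  # only the first certificate listed under an alias is used
    return results

def classify(text, now, warn_days=30):
    """Map alias -> (status, whole days left); status is EXPIRED, WARN or OK."""
    report = {}
    for alias, not_after in parse_expiry(text):
        days = (not_after - now).days
        status = "EXPIRED" if not_after <= now else "WARN" if days < warn_days else "OK"
        report[alias] = (status, days)
    return report

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, like the parsed dates
    report = classify(data, now)
    for alias, (status, days) in sorted(report.items()):
        print("{:8} {:>6}d  {}".format(status, days, alias))
    sys.exit(1 if any(s != "OK" for s, _ in report.values()) else 0)
```

The non-zero exit status when any certificate is expired or inside the warning window lets a cron job or monitoring agent raise an alert before vCenter services fail to start.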
Official reference links:
https://knowledge.broadcom.com/external/article?articleNumber=337535
https://knowledge.broadcom.com/external/article/318968
https://knowledge.broadcom.com/external/article?articleId=318767
https://knowledge.broadcom.com/external/article?legacyId=76719
To get the checksts.py and fixsts.sh tools mentioned above, follow the official account and reply with [503].