NSX Manager 6.2 – Lookup Service Error 8

Do you have Platform Service Controller (PSC) or vCenter configured and replaced the self signed machine certificates?  Are you looking to deploy NSX Manager 6.2?  If so you must consider the following.

NSX Manager can be configured to use Lookup Service and you can provide SSO credentials to register NSX Management Service as a solution user, to configure this the certificate installed on your PSC must be trusted.  If the self signed certificates have been replaced with Enterprise Certificates this process will fail to verify.  This is because the PSC / vCenter are configured to use the new certificate but the corresponding services such as Lookup Service have not.  NSX Manager will report the below error

NSX Management Service operation failed.(Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified)

VMware have covered this in detail here

The following will illustrate how to fix this error.  My environment I am using the vCenter appliance in embedded mode configured as a subordinate CA using an internal Enterprise CA – Windows 2012 CA.  When I try to configure Lookup Service on the NSX Manager I get the below error


First you need to check the certificates are different, enable SSH on your PSC (or vCenter appliance when using embedded).  Run the following

shell.set –enabled true


/usr/lib/vmidentity/tools/scripts/lstool.py list –url https://localhost/lookupservice/sdk –no-check-cert –ep-type com.vmware.cis.cs.identity.sso 2>/dev/null


Record the details after SSL trust in a notepad.  Now run

echo | openssl s_client -connect localhost:443


Record the details after Server Certificate.  Notice these are different.  You now need to find the certificate in the ssltrust field of the ArrayOfLookupServiceRegistrationInfo using Managed Objects Browser (MOB).  First backup the old certificate to do this connect to the PSC using WinSCP and create a folder called Cert.  Now connect to the MOB browser but browsing to the below and login with the SSO administrator account


In the value box delete all the keys so you are only left with <filterCriteria></FilterCriteria> then select Invoke Method


Do a search on the below


The box directly above this will have the Base64 of the old cert.  Copy this out to a notepad and call it old.crt.  You need to add the —–Begin Certificate—– and —–End Certificate—– with a carriage return


Using WinSCP copy this to the /Cert folder previously created.  Thats the old one backed up.

Now we need to find the fingerprint of the old cert.  Connect back to the PSC (vCenter if using embedded mode) and run the following

shell.set –enabled true


openssl x509 -in /Cert/old.crt -noout -sha1 -fingerprint


Save the fingerprint to notepad for later

Now run to get an export of the latest cert

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store MACHINE_SSL_CERT –alias __MACHINE_CERT –output /certificate/new_machine.crt



Now run the following – change the URL and Fingerprint details to match yours

cd /usr/lib/vmidentity/tools/scripts/


python ls_update_certs.py –url https://lab-vc01.vjenner.com/lookupservice/sdk –fingerprint EC:C3:98:b9:1C:EA:CD:03:5B:4F:B8:7A:80:93:2B:6B:EC:80:9A:09–certfile /Cert/new_machine.crt –user Administrator@vsphere.local –password Password


This takes a few minutes to complete, once complete you should see the services updated successfully


Thats it!  You can now configure Lookup Service on your NSX Manager.

Note – this script must be run every time the machine certificates are replaced on a embedded appliance / external PSC or vCenter with external PSC.  That means if your certs are set to 2 years remember to do this part when renewing.


Leave a comment

Your email address will not be published. Required fields are marked *

8 thoughts on “NSX Manager 6.2 – Lookup Service Error

  • Michael Greene

    When I run the command to update the certificate, I get the following error: “Modify PSC service endpoint URLs for HA: error: argument –url is required”

    I am using the following syntax: “/usr/lib/vmidentity/tools/scripts/ls_update_certs.py –-url https://vcsa.local/lookupservice/sdk –-fingerprint ‎a7:1f:c0:6c:80:43:36:1d:dd:11:92:e0:95:ef:6e:0a:81:1e:69:76 –-certfile /root/SSLCerts/ca.cer –-user administrator@vsphere.local –-password Password01″

    Not sure why the url info in not gettting passed.


  • Michael Greene


    You’re correct, I am using the embedded VCSA with no luck. I took a look at the the script to make sure I had the arguments correct and I do.

    Not quite sure at this point…


    • Kyle jenner Post author

      Hey Michael,

      One suggestion….could you double check the thumbprint for the cert matches the URL you are entering? or re run the steps to make sure the cert matches the URL you are entering?

      In my lab I can run the script with the same certs I used, ie the ones that worked in the blog, but this time I enter a made up URL and I get the same error as you.

      Good luck

  • Ahmed Atia

    Hi Kyle,

    I’m trying to build a cross-vcenter NSX environment in my lab, the deployment for first site went fine. However, for the second site, I faced the error message you describe in this post. I read your post, and can follow it, but I also read https://kb.vmware.com/kb/2132645 and they have a note that “This procedure only works in case of single site PSC with single site SSO domain.” without mentioning the reason, or providing additional details on what to do for multi-site environment.

    After searching for a while, I found nothing new, so I decided to follow the steps in this KB, and I was able to register NSX Manager to the Lookup service.

    Now I wonder if you know why VMware KB says that it only works for a single site PSC. Have I broken other things and haven’t noticed that yet?