打开vCenter网页显示no healthy upstream报错，报错如图

 解决办法：

1、使用SSH访问VSCA主机。

2、输入如下命令，检查证书有效期，发现__MACHINE_CERT证书到期。

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias :	__MACHINE_CERTNot After : May 13 19:13:28 2023 GMT
STORE TRUSTED_ROOTS
Alias :	6a23dc81223746a515a85e9cca52764b2e3abb00Not After : May  8 07:13:28 2031 GMT
STORE TRUSTED_ROOT_CRLS
Alias :	64349b77335ceb78c86e429d2bc5592bd946d81f
STORE machine
Alias :	machineNot After : May  8 07:13:28 2031 GMT
STORE vsphere-webclient
Alias :	vsphere-webclientNot After : May  8 07:13:28 2031 GMT
STORE vpxd
Alias :	vpxdNot After : May  8 07:13:28 2031 GMT
STORE vpxd-extension
Alias :	vpxd-extensionNot After : May  8 07:13:28 2031 GMT
STORE hvc
Alias :	hvcNot After : May  8 07:13:28 2031 GMT
STORE data-encipherment
Alias :	data-enciphermentNot After : May  8 07:13:28 2031 GMT
STORE APPLMGMT_PASSWORD
STORE SMS
Alias :	sms_self_signedNot After : May 13 07:19:47 2031 GMT
STORE wcp
Alias :	wcpNot After : May  8 07:13:28 2031 GMT

3、执行如下命令重新生成证书。

/usr/lib/vmware-vmca/bin/certificate-manager_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ |                                                                     ||      *** Welcome to the vSphere 7.0 Certificate Manager  ***        ||                                                                     ||                   -- Select Operation --                            ||                                                                     ||      1. Replace Machine SSL certificate with Custom Certificate     ||                                                                     ||      2. Replace VMCA Root certificate with Custom Signing           ||         Certificate and replace all Certificates                    ||                                                                     ||      3. Replace Machine SSL certificate with VMCA Certificate       ||                                                                     ||      4. Regenerate a new VMCA Root Certificate and                  ||         replace all certificates                                    ||                                                                     ||      5. Replace Solution user certificates with                     ||         Custom Certificate                                          ||         NOTE: Solution user certs will be deprecated in a future    ||         release of vCenter. Refer to release notes for more details.||                                                                     ||      6. Replace Solution user certificates with VMCA certificates   ||                                                                     ||      7. Revert last performed operation by re-publishing old        ||         certificates                                                ||                                                                     ||      8. Reset all Certificates                                      ||_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 3Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@XX.com
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : yPress Enter key to skip optional parameters or use Previous value.Enter proper value for 'Country' [Previous value : XX] : Enter proper value for 'Name' [Previous value : XX] : XXXXEnter proper value for 'Organization' [Previous value : XX] : XXXEnter proper value for 'OrgUnit' [Previous value : IT] : Enter proper value for 'State' [Previous value : GD] : Enter proper value for 'Locality' [Previous value : SZ] : Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 10.1.248.200Enter proper value for 'Email' [Previous value : XXXX] : Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : XXXXEnter proper value for VMCA 'Name' :XXXYou are going to regenerate Machine SSL cert using VMCA
Continue operation : Option[Y/N] ? : y
Status : 100% Completed [All tasks completed successfully]

4、参考步骤2重新检查证书有效期，最后重启VSCA即可

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias :	__MACHINE_CERTNot After : May 23 08:45:22 2025 GMT
STORE TRUSTED_ROOTS
Alias :	6a23dc81223746a515a85e9cca52764b2e3abb00Not After : May  8 07:13:28 2031 GMT
STORE TRUSTED_ROOT_CRLS
Alias :	1e1215514e59417072d1522937e387a693a67af8
STORE machine
Alias :	machineNot After : May  8 07:13:28 2031 GMT
STORE vsphere-webclient
Alias :	vsphere-webclientNot After : May  8 07:13:28 2031 GMT
STORE vpxd
Alias :	vpxdNot After : May  8 07:13:28 2031 GMT
STORE vpxd-extension
Alias :	vpxd-extensionNot After : May  8 07:13:28 2031 GMT
STORE hvc
Alias :	hvcNot After : May  8 07:13:28 2031 GMT
STORE data-encipherment
Alias :	data-enciphermentNot After : May  8 07:13:28 2031 GMT
STORE APPLMGMT_PASSWORD
STORE SMS
Alias :	sms_self_signedNot After : May 13 07:19:47 2031 GMT
STORE wcp
Alias :	wcpNot After : May  8 07:13:28 2031 GMT
STORE BACKUP_STORE
Alias :	bkp___MACHINE_CERTNot After : May 13 19:13:28 2023 GMT
Alias :	bkp_machineNot After : May  8 07:13:28 2031 GMT
Alias :	bkp_vsphere-webclientNot After : May  8 07:13:28 2031 GMT
Alias :	bkp_vpxdNot After : May  8 07:13:28 2031 GMT
Alias :	bkp_vpxd-extensionNot After : May  8 07:13:28 2031 GMT
Alias :	bkp_hvcNot After : May  8 07:13:28 2031 GMT
Alias :	bkp_wcpNot After : May  8 07:13:28 2031 GMT

参考官网链接：

VMware Knowledge Base