https://communities.sas.com/t5/Administration-and-Deployment/Services-not-restarting-after-OS-patching/m-p/933556#M28666 I think you've correctly identified the issue and solution. The SAS Secrets Manager (Vault) process has a CA with a certificate that expires earlier than the TTL for the new certificate it's trying to generate. The "renew-security-artifacts.yml" playbook should re-issue that CA certificate.<BR /><BR />Renew Security Objects Using Ansible Plays (Linux Deployment)<BR /><A href="https://go.documentation.sas.com/doc/en/calcdc/3.5/calencryptmotion/n1xdqv1sezyrahn17erzcunxwix9.htm#p0vvrppsrlw0qmn1dkgvtksncr5c" target="_blank">https://go.documentation.sas.com/doc/en/calcdc/3.5/calencryptmotion/n1xdqv1sezyrahn17erzcunxwix9.htm#p0vvrppsrlw0qmn1dkgvtksncr5c</A> Mon, 24 Jun 2024 13:26:50 GMT gwootton 2024-06-24T13:26:50Z https://communities.sas.com/t5/Administration-and-Deployment/Services-not-restarting-after-OS-patching/m-p/932668#M28639 <P><SPAN>Hi, over the weekend we did some OS security updates where our Viya install resides (linux environment).</SPAN></P><P><SPAN>After patching was complete, the services did not fully restart. </SPAN></P><P><SPAN>Basic troubleshooting of bringing the services down and back up led to a majority of them being "down" or "not ready", so we rolled back to a VSphere snapshot taken about 16~ hours before (prior to any changes taking place).&nbsp;</SPAN></P><P><SPAN>Reviewing logs, found some certificate errors. </SPAN></P><P><SPAN>2024-06-16 20:48:49.144 ERROR 16999 --- [ main] c.s.c.rest.boot.vault.CertificateUtil : service [VAULT_CERTIFICATE_REQUEST_ERROR] Vault PKI back end failed to issue certificate. </SPAN></P><P><SPAN>2024-06-16 20:47:29.064 INFO 16999 --- [ main] c.s.c.rest.boot.vault.CertificateUtil : service [VAULT_CERTIFICATE_REQUEST] Requesting SSL certificate from Vault PKI back end for: cawina06.cyphersystems.com </SPAN></P><P><SPAN>2024-06-16 20:47:29.079 WARN 16999 --- [ main] c.s.c.rest.boot.vault.CertificateUtil : service Encountered exception issuing certificate from Vault.&nbsp;</SPAN></P><P>org.springframework.vault.VaultException: Status 400: cannot satisfy request, as TTL is beyond the expiration of the CA certificate</P><P>&nbsp;</P><P>We are considering running the playbook renew-security-artifacts.yml but we are unsure of what the side effects of this would be and if we could make matters worse doing so.</P><P>&nbsp;</P><P>-Eric</P> Mon, 17 Jun 2024 15:23:39 GMT https://communities.sas.com/t5/Administration-and-Deployment/Services-not-restarting-after-OS-patching/m-p/932668#M28639 Erict 2024-06-17T15:23:39Z https://communities.sas.com/t5/Administration-and-Deployment/Services-not-restarting-after-OS-patching/m-p/933556#M28666 I think you've correctly identified the issue and solution. The SAS Secrets Manager (Vault) process has a CA with a certificate that expires earlier than the TTL for the new certificate it's trying to generate. The "renew-security-artifacts.yml" playbook should re-issue that CA certificate.<BR /><BR />Renew Security Objects Using Ansible Plays (Linux Deployment)<BR /><A href="https://go.documentation.sas.com/doc/en/calcdc/3.5/calencryptmotion/n1xdqv1sezyrahn17erzcunxwix9.htm#p0vvrppsrlw0qmn1dkgvtksncr5c" target="_blank">https://go.documentation.sas.com/doc/en/calcdc/3.5/calencryptmotion/n1xdqv1sezyrahn17erzcunxwix9.htm#p0vvrppsrlw0qmn1dkgvtksncr5c</A> Mon, 24 Jun 2024 13:26:50 GMT https://communities.sas.com/t5/Administration-and-Deployment/Services-not-restarting-after-OS-patching/m-p/933556#M28666 gwootton 2024-06-24T13:26:50Z