Azure Arc Error – The Server Certificate has Expired

Last Updated: 29/10/2024

I admittedly left a few of my testing servers offline for longer than I would have liked, and these servers in particular were enrolled into Azure Arc. When I looked in the Azure portal, I was greeted with an Azure Arc error message: “The server certificate has expired, and automatic reconnection is not possible”.

(Screenshot: Azure Arc error, server certificate expired)

After looking at a few guides and the documentation for the error code, it seems as though the fix is to disconnect the agent, delete the Azure Arc resource for each machine, and then onboard the machines into Azure Arc again.

Check the Status of the Agent

To do this, log in to the disconnected server and open a Command Prompt or PowerShell window as an administrator. Run the following command to show the status of the agent:

azcmagent.exe show

(Screenshot: output of azcmagent show in PowerShell)

As you can see from my agent, the ‘Agent Status’ is Disconnected. The guidance for the error code directs me to disconnect and reconnect.

Disconnect the Server

Use the following command to disconnect the agent and remove the server's Azure Arc resource:

azcmagent.exe disconnect

(Screenshot: output of azcmagent disconnect)

You will see a pop-up window that prompts you to sign in. You will need to sign in with an account that has sufficient permissions to delete the Azure Arc resource in Azure (for example, the Azure Connected Machine Resource Administrator or Contributor role on the resource group). Once the command completes, the agent reports the machine as disconnected and the Azure Arc resource for that server has been deleted from the Azure portal.

Note: Check for and remove any resource locks on the Azure Arc resource before disconnecting; otherwise the disconnect fails with an error when it tries to delete the resource, as it did for me.

Whilst this disconnects the agent and removes the resource from Azure, the agent software remains installed on the server. To remove it, open Control Panel, select Programs and Features, locate the Azure Connected Machine Agent and uninstall it.

You can now rerun the onboarding script generated by the portal (which installs the agent and runs azcmagent connect) to onboard the machine back into Azure Arc.
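The whole procedure above, as an added PowerShell example that is not part of the original post or Microsoft's own onboarding script. It assumes the Az PowerShell module (Az.Accounts and Az.Resources) is installed, that azcmagent.exe is on the PATH, and that the subscription, tenant, resource group and region values are placeholders you replace with your own. It also checks for resource locks before disconnecting, which is the step that tripped me up.

```powershell
# Added example, not from the original post: repair an Azure Arc server whose
# agent certificate has expired by disconnecting, uninstalling and re-onboarding.
# Assumes Az.Accounts/Az.Resources are installed and azcmagent.exe is on PATH.
# Every identifier below is a placeholder.
#Requires -RunAsAdministrator

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$TenantId       = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-arc-servers'                         # placeholder
$Location       = 'uksouth'                                # placeholder
$MachineName    = $env:COMPUTERNAME                        # Arc resource name defaults to the hostname

# 1. Check the agent state. 'azcmagent show' prints key/value lines such as
#    'Agent Status : Disconnected'. Stop if the agent is actually still connected.
$match  = azcmagent show | Select-String -Pattern '^\s*Agent Status\s*:\s*(.+)$'
$status = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { 'Unknown' }
Write-Host "Agent status: $status"
if ($status -eq 'Connected') {
    throw 'Agent is still connected; nothing to repair.'
}

# 2. Remove any resource lock on the Arc machine resource. 'azcmagent disconnect'
#    deletes the resource and fails if a lock is present.
Connect-AzAccount -Tenant $TenantId -Subscription $SubscriptionId | Out-Null
$locks = Get-AzResourceLock -ResourceGroupName $ResourceGroup -ResourceName $MachineName `
    -ResourceType 'Microsoft.HybridCompute/machines' -ErrorAction SilentlyContinue
foreach ($lock in $locks) {
    Write-Host "Removing lock '$($lock.Name)' ($($lock.Properties.level))"
    Remove-AzResourceLock -LockId $lock.LockId -Force | Out-Null
}

# 3. Disconnect. This opens an interactive sign-in and deletes the Azure resource.
#    If the resource has already been deleted in the portal, '--force-local-only'
#    clears the local agent configuration without contacting Azure.
azcmagent disconnect
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'Disconnect failed; clearing local agent configuration only.'
    azcmagent disconnect --force-local-only
}

# 4. Uninstall the Connected Machine Agent MSI (the same thing Programs and
#    Features does), found by its display name in the Uninstall registry keys.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$agent = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -eq 'Azure Connected Machine Agent' } |
    Select-Object -First 1
if ($agent -and $agent.PSChildName -match '^\{[0-9A-Fa-f-]+\}$') {
    Start-Process msiexec.exe -ArgumentList "/x $($agent.PSChildName) /qn /norestart" -Wait
}

# 5. Re-onboard. This mirrors the script the portal generates: download
#    Microsoft's installer script, run it, then connect with your own values.
$installer = "$env:TEMP\install_windows_azcmagent.ps1"
Invoke-WebRequest -Uri 'https://aka.ms/azcmagent-windows' -TimeoutSec 30 -OutFile $installer
& $installer
if ($LASTEXITCODE -ne 0) { throw "Agent installation failed with exit code $LASTEXITCODE" }

& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" connect `
    --resource-group  $ResourceGroup `
    --tenant-id       $TenantId `
    --location        $Location `
    --subscription-id $SubscriptionId `
    --cloud           AzureCloud

# 6. Confirm the new resource reports Connected before redoing any configuration.
& "$env:ProgramFiles\AzureConnectedMachineAgent\azcmagent.exe" show
```

Both azcmagent disconnect and azcmagent connect prompt for an interactive sign-in; for unattended runs both accept --service-principal-id and --service-principal-secret instead. Keep the principal scoped to the resource group, since the account used here has delete rights on the Arc resource.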

Other things to note

This process creates a new resource within Azure, even though it has the same name as the old one. Any configuration you applied to the previous resource will need to be redone. In my case, I needed to re-add the machine to the scope of the data collection rule applied to it. This was necessary to obtain the event logs for Microsoft Sentinel.
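Checking and recreating the data collection rule association on the re-onboarded machine, as an added PowerShell example that is not part of the original post. It assumes the Az.ConnectedMachine and Az.Monitor modules are installed, that Az.Monitor is version 5 or later (the DCR association cmdlets changed their parameter names in that major version), and that every name and subscription value is a placeholder.

```powershell
# Added example, not from the original post: re-associate a re-onboarded Arc
# machine with an existing data collection rule so Sentinel receives its logs again.
# Assumes Az.ConnectedMachine and Az.Monitor 5.x; all names are placeholders.
$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-arc-servers'                         # placeholder
$MachineName    = 'SRV-TEST-01'                            # placeholder
$DcrRg          = 'rg-monitoring'                          # placeholder
$DcrName        = 'dcr-sentinel-windows-events'            # placeholder

Connect-AzAccount -Subscription $SubscriptionId | Out-Null

# The new resource has the same ARM path as the deleted one, but the old
# associations were removed along with the old resource, so nothing is attached.
$machine = Get-AzConnectedMachine -ResourceGroupName $ResourceGroup -Name $MachineName
Write-Host "Machine $($machine.Name) status: $($machine.Status)"
if ($machine.Status -ne 'Connected') {
    throw 'Machine is not connected; fix the agent before re-associating rules.'
}

$dcr = Get-AzDataCollectionRule -ResourceGroupName $DcrRg -Name $DcrName

# List current associations on the machine and create the one we need if missing.
$existing = Get-AzDataCollectionRuleAssociation -ResourceUri $machine.Id -ErrorAction SilentlyContinue
if ($existing | Where-Object { $_.DataCollectionRuleId -eq $dcr.Id }) {
    Write-Host "Association with $DcrName already present."
} else {
    New-AzDataCollectionRuleAssociation -AssociationName "$DcrName-assoc" `
        -ResourceUri $machine.Id -DataCollectionRuleId $dcr.Id | Out-Null
    Write-Host "Associated $MachineName with $DcrName."
}
```

After the association is in place, allow a few minutes for the Azure Monitor Agent on the machine to pick up the new rule, then confirm events are arriving in the Sentinel workspace before treating the repair as finished.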
