EM 12c: The Enterprise Manager 12c Cloud Control OMS Fails to Start if WLS Server Certificates are Expired (Doc ID 1603843.1)

Backend WLS or EM application seems to be down

$emctl status oms -details
Oracle Enterprise Manager Cloud Control 12c Release 3
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
Enter Enterprise Manager Root (SYSMAN) Password :
Console Server Host : OMSHOSTNAME.DOMAINNAME
HTTP Console Port : 7797
HTTPS Console Port : 7808
HTTP Upload Port : 4897
HTTPS Upload Port : 4906
EM Instance Home : /u03/12c3vh/gc_inst/em/EMGC_OMS1
OMS Log Directory Location : /u03/12c3vh/gc_inst/em/EMGC_OMS1/sysman/log
OMS is not configured with SLB or virtual hostname
Agent Upload is locked.
OMS Console is locked.
Active CA ID: 6
Console URL: https://OMSHOSTNAME.DOMAINNAME:7808/em
Upload URL: https://OMSHOSTNAME.DOMAINNAME:4906/empbs/upload

WLS Domain Information
Domain Name : GCDomain
Admin Server Host : OMSHOSTNAME.DOMAINNAME
Admin Server HTTPS Port: 7199

Managed Server Information
Managed Server Instance Name: EMGC_OMS1
Managed Server Instance Host: OMSHOSTNAME.DOMAINNAME
WebTier is Up
Oracle Management Server is Up

$emctl start oms
Oracle Enterprise Manager Cloud Control 12c Release 3
Copyright (c) 1996, 2013 Oracle Corporation. All rights reserved.
Starting Oracle Management Server...
Starting WebTier...
WebTier Successfully Started
Node Manager Could Not Be Started
Check Node Manager log file for details:
/u03/12c3vh/gc_inst/NodeManager/emnodemanager20130924184822/nodemanager.log
Oracle Management Server is Down

<Nov 27, 2013 4:44:55 PM> <WARNING> <Uncaught exception in server
handlerjavax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert was
received from OMSHOSTNAME.DOMAINNAME - <IP ADDRESS>. Check the peer to determine
why it rejected the certificate chain (trusted CA configuration, hostname
verification). SSL debug tracing may be required to determine the exact reason the
certificate was rejected.>

2013-11-27 16:19:33,736 [main] ERROR util.EmctlUtil logp.251 - Failed to get repos
conn by connecting to AdminServer. Ignoring.
java.io.IOException
at weblogic.management.remote.common.ClientProviderBase.makeConnection
(ClientProviderBase.java:196)
at weblogic.management.remote.common.ClientProviderBase.newJMXConnector
(ClientProviderBase.java:84)
at javax.management.remote.JMXConnectorFactory.newJMXConnector
(JMXConnectorFactory.java:338)
at javax.management.remote.JMXConnectorFactory.connect
(JMXConnectorFactory.java:247)
at oracle.sysman.util.jmx.JMXUtil.getMBeanServerConn(JMXUtil.java:103)
at oracle.sysman.emctl.util.EmctlUtil.getMBeanServerConn(EmctlUtil.java:672)
at oracle.sysman.emctl.util.EmctlUtil.getReposConn(EmctlUtil.java:710)
at oracle.sysman.emctl.util.EmctlUtil.getOMSSetupInfo(EmctlUtil.java:818)
at oracle.sysman.emctl.oms.PrintOMSSetupInfo.main(PrintOMSSetupInfo.java:118)
Caused by: javax.naming.CommunicationException [Root exception is
java.net.ConnectException: t3s://OMSHOSTNAME.DOMAINNAME:7199: Destination unreachable; nested
exception is:
javax.net.ssl.SSLKeyException: [Security:090548]The certificate chain received
from OMSHOSTNAME.DOMAINNAME - <IP ADDRESS> contained a V3 CA certificate which was missing the
basic constraints extension; No available router to destination]

or

2013-11-15 10:35:22,352 [Thread-1] INFO commands.BaseCommand run.554 -
<OUT>NMProcess: javax.net.ssl.SSLKeyException: [Security:090482]BAD_CERTIFICATE alert
was received from OMSHOSTNAME.DOMAINNAME - <IP ADDRESS>. Check the peer to
determine why it rejected the certificate chain (trusted CA configuration, hos
tname verification). SSL debug tracing may be required to determine the exact reason
the certificate was rejected.