Replacing certificates on VCSA 6.7
First thing this morning a site reported that vCenter could not be logged into; I guessed the certificates might have expired. A check in the browser confirmed it was indeed an expired certificate. Checking showed the STS certificate itself had not expired, so I went straight to regenerating all certificates.
To escape to local shell, press 'Ctrl+Alt+]'.
VMware vCenter Server Appliance 6.7.0.48000
WARNING! The remote SSH server rejected X11 forwarding request.
Connected to service
* List APIs: "help api list"
* List Plugins: "help pi list"
* Launch BASH: "shell"
Command> shell
Shell access is granted to root
root@vcsa70 [ ~ ]# cd /opt/
root@vcsa70 [ /opt ]# python checksts.py
2 VALID CERTS
================
LEAF CERTS:
[] Certificate BF:13:8A:E6:68:3A:09:3E:C1:0C:1F:A5:36:70:45:96:83:90:86:3B will expire in 2916 days (8 years).
ROOT CERTS:
[] Certificate 64:D1:EB:6D:BB:3B:12:89:14:FD:34:C6:13:6C:38:7B:95:41:53:C8 will expire in 2916 days (8 years).
0 EXPIRED CERTS
================
LEAF CERTS:
None
ROOT CERTS:
None
Step 1: download fixsts.sh from the VMware Knowledge Base, upload it to the VCSA, and run:
chmod +x fixsts.sh
./fixsts.sh
Step 2: run certificate-manager and choose option 8 (Reset all Certificates):
root@vcsa70 [ /opt ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.7 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : CA] :
Enter proper value for 'Organization' [Default value : VMware] :
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 172.16.55.150
Enter proper value for 'Email' [Default value : email@acme.com] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vcsa70.vsphere.local
Enter proper value for VMCA 'Name' :vcsa70.vsphere.local
Continue operation : Option[Y/N] ? : y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site nameCompleted [Reset Machine SSL Cert...]
default-site
Lookup all services
Updated 34 service(s)
Status : 60% Completed [Reset vpxd-extension Cert...]
2023-06-06T03:10:11.257Z Updating certificate for "com.vmware.vim.eam" extension
2023-06-06T03:10:11.683Z Updating certificate for "com.vmware.rbd" extension
2023-06-06T03:10:12.094Z Updating certificate for "com.vmware.imagebuilder" extension
Reset status : 85% Completed [starting services...]
Reset status : 100% Completed [Reset completed successfully]
root@vcsa70 [ /opt ]#
If the VCSA rejects the file upload (the default appliance shell does not accept SCP), first SSH into the VCSA and run: chsh -s /bin/bash root
Troubleshooting:
After replacing the vCenter Server certificates in vCenter Server 6.x, the ESX Agent Manager solution user cannot log in (KB 2112577)
root@vcsa70 [ ~ ]# mkdir /certificate
root@vcsa70 [ ~ ]# cd /certificate
root@vcsa70 [ /certificate ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt
root@vcsa70 [ /certificate ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key
root@vcsa70 [ /certificate ]# python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s vcsa70.abdc.com -u Administrator@vsphere.local
Password to connect to VC server for user="Administrator@vsphere.local":
2024-04-09T02:22:42.293Z Updating certificate for "com.vmware.vim.eam" extension
2024-04-09T02:22:42.361Z Successfully updated certificate for "com.vmware.vim.eam" extension
2024-04-09T02:22:42.383Z Verified login to vCenter Server using certificate="/certificate/vpxd-extension.crt" is successful
root@vcsa70 [ /certificate ]# service-control --stop vmware-eam
Operation not cancellable. Please wait for it to finish...
Performing stop operation on service eam...
Successfully stopped service eam
root@vcsa70 [ /certificate ]# service-control --start vmware-eam
Operation not cancellable. Please wait for it to finish...
Performing start operation on service eam...
Successfully started service eam
To inspect the Solution User certificates on a VCSA, besides following KB 2111411 you can also run the following command, which prints the alias and expiry date of every entry in every VECS store:
for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
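The one-liner above only prints dates; the script below, an added example that is not from the original post or from VMware, parses the same `vecs-cli entry list --text` output and flags each entry as EXPIRED, EXPIRING or OK so expiry is caught before logins start failing. It assumes the openssl-style "Alias :" / "Not After :" layout vecs-cli prints and Python 3; the sample store output and the "today" date are constructed.

```python
"""Flag expiring VECS certificates from `vecs-cli entry list --store S --text` output."""
import re
import subprocess
from datetime import datetime, timezone

VECS_CLI = "/usr/lib/vmware-vmafd/bin/vecs-cli"
ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"^\s*Not After\s*:\s*(.+\S)\s*$")

# Constructed sample output (layout as vecs-cli prints it, values made up).
SAMPLE_MACHINE_SSL = """Alias :\t__MACHINE_CERT
Entry type :\tPrivate Key
        Validity
            Not Before: Jun  6 03:09:00 2021 GMT
            Not After : Jun  5 03:09:00 2023 GMT
"""
SAMPLE_VPXD_EXT = """Alias :\tvpxd-extension
Entry type :\tPrivate Key
        Validity
            Not Before: Jun  6 03:10:00 2023 GMT
            Not After : Jun  4 03:10:00 2025 GMT
"""

def parse_store(store, text):
    """Return [(store, alias, not_after)]; a chained entry yields one tuple per cert."""
    entries, alias = [], None
    for line in text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1)
            continue
        m = NOT_AFTER_RE.match(line)
        if m and alias:
            # openssl pads the day with a space ("Jun  5"); normalise before parsing
            stamp = " ".join(m.group(1).replace("GMT", "").split())
            not_after = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            entries.append((store, alias, not_after.replace(tzinfo=timezone.utc)))
    return entries

def classify(entries, now, warn_days=30):
    """Tag each entry by days left relative to `now`."""
    report = []
    for store, alias, not_after in entries:
        days = (not_after - now).days
        status = "EXPIRED" if days < 0 else "EXPIRING" if days <= warn_days else "OK"
        report.append((store, alias, days, status))
    return report

def check_live_stores(now=None):
    """On a real VCSA: walk every store, like the one-liner does."""
    now = now or datetime.now(timezone.utc)
    stores = subprocess.check_output([VECS_CLI, "store", "list"], text=True).split()
    entries = []
    for s in stores:
        out = subprocess.check_output([VECS_CLI, "entry", "list", "--store", s, "--text"], text=True)
        entries.extend(parse_store(s, out))
    return classify(entries, now)

def demo_report():
    """Offline run over the constructed samples with a constructed 'today'."""
    now = datetime(2023, 6, 6, 3, 0, tzinfo=timezone.utc)
    entries = parse_store("MACHINE_SSL_CERT", SAMPLE_MACHINE_SSL)
    entries += parse_store("vpxd-extension", SAMPLE_VPXD_EXT)
    return classify(entries, now)

if __name__ == "__main__":
    for store, alias, days, status in demo_report():
        print(f"{status:8} {store}/{alias}: {days} days left")
```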