VMware cluster inaccessible: certificates expired

Error:

HTTP状态 500 - 内部服务器错误 

Cause: service-control --start vmware-vpxd cannot start the service

Looking at the underlying reason shows that the certificates have expired

root@localhost [ ~ ]# service-control --start vmware-vpxd
Operation not cancellable. Please wait for it to finish...
Performing start operation on service vpxd...
Error executing start on service vpxd. Details {
  "resolution": null,
  "detail": [
    {
      "translatable": "An error occurred while starting service '%(0)s'",
      "localized": "An error occurred while starting service 'vpxd'",
      "args": [
        "vpxd"
      ],
      "id": "install.ciscommon.service.failstart"
    }
  ],
  "problemId": null,
  "componentKey": null
}
Service-control failed. Error: {
  "resolution": null,
  "detail": [
    {
      "translatable": "An error occurred while starting service '%(0)s'",
      "localized": "An error occurred while starting service 'vpxd'",
      "args": [
        "vpxd"
      ],
      "id": "install.ciscommon.service.failstart"
    }
  ],
  "problemId": null,
  "componentKey": null
}

cat /var/log/vmware/sca/sca.log
com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted

Log in to vCenter and inspect the certificate stores:

root@localhost [ ~ ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : May  9 07:33:16 2023 GMT
STORE TRUSTED_ROOTS
Alias : e09cebe9d04da849d3bca621db2ea698fd64e652
            Not After : May  4 07:26:41 2023 GMT
Alias : 0104dc7a7afa5004498ee631992e0e96a88671eb
            Not After : May  4 07:43:15 2023 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 511b76b2e2e6386d2099d9aaf9843d66b1fbc8aa
Alias : 1332df98c6c8aaa33c237fccc5401e27c2abb2e4
STORE machine
Alias : machine
            Not After : May  9 07:36:52 2023 GMT
STORE vsphere-webclient
Alias : vsphere-webclient
            Not After : May  9 07:36:54 2023 GMT
STORE vpxd
Alias : vpxd
            Not After : May  9 07:36:54 2023 GMT
STORE vpxd-extension
Alias : vpxd-extension
            Not After : May  9 07:36:56 2023 GMT
STORE hvc
Alias : hvc
            Not After : May  9 07:36:58 2023 GMT
STORE data-encipherment
Alias : data-encipherment
            Not After : May  4 07:26:41 2023 GMT
STORE APPLMGMT_PASSWORD
STORE SMS
Alias : sms_self_signed
            Not After : May  9 07:31:32 2023 GMT
STORE wcp
Alias : wcp
            Not After : May  9 07:36:58 2023 GMT
STORE BACKUP_STORE
Alias : bkp___MACHINE_CERT
            Not After : May  9 19:26:41 2023 GMT
Alias : bkp_machine
            Not After : May  4 07:26:41 2033 GMT
Alias : bkp_vsphere-webclient
            Not After : May  4 07:26:41 2023 GMT
Alias : bkp_vpxd
            Not After : May  4 07:26:41 2023 GMT
Alias : bkp_vpxd-extension
            Not After : May  4 07:26:41 2023 GMT
Alias : bkp_hvc
            Not After : May  4 07:26:41 2023 GMT
Alias : bkp_wcp
            Not After : May  4 07:26:41 2023 GMT

Remediation:

root@localhost [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
         _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
        |                                                                     |
        |      *** Welcome to the vSphere 6.8 Certificate Manager  ***        |
        |                                                                     |
        |                   -- Select Operation --                            |
        |                                                                     |
        |      1. Replace Machine SSL certificate with Custom Certificate     |
        |                                                                     |
        |      2. Replace VMCA Root certificate with Custom Signing           |
        |         Certificate and replace all Certificates                    |
        |                                                                     |
        |      3. Replace Machine SSL certificate with VMCA Certificate       |
        |                                                                     |
        |      4. Regenerate a new VMCA Root Certificate and                  |
        |         replace all certificates                                    |
        |                                                                     |
        |      5. Replace Solution user certificates with                     |
        |         Custom Certificate                                          |
        |         NOTE: Solution user certs will be deprecated in a future    |
        |         release of vCenter. Refer to release notes for more details.|
        |                                                                     |
        |      6. Replace Solution user certificates with VMCA certificates   |
        |                                                                     |
        |      7. Revert last performed operation by re-publishing old        |
        |         certificates                                                |
        |                                                                     |
        |      8. Reset all Certificates                                      |
        |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8

Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : CA] :
Enter proper value for 'Organization' [Default value : VMware] :
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 10.10.10.10
Enter proper value for 'Email' [Default value : email@acme.com] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vsphere.local
Enter proper value for VMCA 'Name' :vsphere.local
Continue operation : Option[Y/N] ? : Y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : Y

Get site nameCompleted [Reset Machine SSL Cert...]
default-site
Lookup all services
Get service default-site:8d7d9dfe-a8a5-4239-98dd-11450c29e372
Update service default-site:8d7d9dfe-a8a5-4239-98dd-11450c29e372; spec: /tmp/svcspec_ofokwzjb
Get service default-site:7cce27d9-2054-42de-88d0-18e6dda92974
Update service default-site:7cce27d9-2054-42de-88d0-18e6dda92974; spec: /tmp/svcspec_o33jb36v
Get service default-site:b2989b91-cc7f-46fc-9329-51633c227544
Update service default-site:b2989b91-cc7f-46fc-9329-51633c227544; spec: /tmp/svcspec_hg_3lbrr
Get service 215a0ae7-f36c-4feb-a91b-64f542f10737
Update service 215a0ae7-f36c-4feb-a91b-64f542f10737; spec: /tmp/svcspec_0g9aitb9
Get service 9913dd5a-29d9-4944-9023-b36a7f3f9aab
Update service 9913dd5a-29d9-4944-9023-b36a7f3f9aab; spec: /tmp/svcspec_p3wa5u5o
Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.vsphere.client
Don't update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.vsphere.client
Get service 083c382b-410e-4068-8f3f-46a6f384aabb_kv
Update service 083c382b-410e-4068-8f3f-46a6f384aabb_kv; spec: /tmp/svcspec_9_qw87q7
Get service a7b5290e-bdab-4b5f-835e-0e72025aec34
Update service a7b5290e-bdab-4b5f-835e-0e72025aec34; spec: /tmp/svcspec_z6vwsink
Get service 95d64ba2-42e2-41eb-a999-9b5b529c59c8
Update service 95d64ba2-42e2-41eb-a999-9b5b529c59c8; spec: /tmp/svcspec_impoxn0n
Get service af5ed366-41cf-42d0-8e4f-beae28ec85f1
Update service af5ed366-41cf-42d0-8e4f-beae28ec85f1; spec: /tmp/svcspec_1yg0oc6w
Get service f3163235-3656-4761-84aa-47f62508af07
Update service f3163235-3656-4761-84aa-47f62508af07; spec: /tmp/svcspec_0ovp2qfp
Get service c2c8bdc3-d12f-4ba4-9d46-ae02a3c84422
Don't update service c2c8bdc3-d12f-4ba4-9d46-ae02a3c84422
Get service 41c3a8d4-6fc2-4681-8ea2-11c04e38251d
Update service 41c3a8d4-6fc2-4681-8ea2-11c04e38251d; spec: /tmp/svcspec_lbsneeph
Get service 93aa8809-30dc-4420-ad6f-992274b208fc
Update service 93aa8809-30dc-4420-ad6f-992274b208fc; spec: /tmp/svcspec__dpslmx_
Get service d34464b3-8d33-4666-952b-12f86993dff9
Update service d34464b3-8d33-4666-952b-12f86993dff9; spec: /tmp/svcspec_ix7p0ix2
Get service 59be3a84-a8d1-43f7-a438-f96b05cd293f
Update service 59be3a84-a8d1-43f7-a438-f96b05cd293f; spec: /tmp/svcspec_fzr_0wzy
Get service b5857733-e43c-45a2-9eea-ffe828e342e5
Update service b5857733-e43c-45a2-9eea-ffe828e342e5; spec: /tmp/svcspec_13838hnp
Get service f4476059-f338-49e0-b593-bdbed7924b9f
Update service f4476059-f338-49e0-b593-bdbed7924b9f; spec: /tmp/svcspec_heu48h53
Get service 5cd17d52-143e-4f94-bdc9-460395aa2788
Update service 5cd17d52-143e-4f94-bdc9-460395aa2788; spec: /tmp/svcspec_h44reiwc
Get service eb4088cb-587c-462f-ae74-dee39ecd2d81
Update service eb4088cb-587c-462f-ae74-dee39ecd2d81; spec: /tmp/svcspec_n3bn7nac
Get service 77a8311e-f84b-4f6a-85af-5aad7410d07f
Update service 77a8311e-f84b-4f6a-85af-5aad7410d07f; spec: /tmp/svcspec_4uagg_qw
Get service 961ed673-2103-4389-a3ff-15fe1136c1c8
Update service 961ed673-2103-4389-a3ff-15fe1136c1c8; spec: /tmp/svcspec_ama3feqa
Get service dbc775d9-a14d-4c52-ab0f-04adc7f4e64e
Update service dbc775d9-a14d-4c52-ab0f-04adc7f4e64e; spec: /tmp/svcspec_s28drpmn
Get service 510feef8-19c7-4a8e-8b6f-81b20b391338
Update service 510feef8-19c7-4a8e-8b6f-81b20b391338; spec: /tmp/svcspec_n3phr010
Get service c4e34b09-0335-470e-a2cd-3fc032957b4c
Update service c4e34b09-0335-470e-a2cd-3fc032957b4c; spec: /tmp/svcspec_ffb4f7ea
Get service 721a3bc4-ecc8-4e0e-8403-1fd44e84e8cc
Update service 721a3bc4-ecc8-4e0e-8403-1fd44e84e8cc; spec: /tmp/svcspec_g2yil2u2
Get service 5989812c-590d-44cb-bc3a-8172ea0fa85f
Update service 5989812c-590d-44cb-bc3a-8172ea0fa85f; spec: /tmp/svcspec_57e17tya
Get service 083c382b-410e-4068-8f3f-46a6f384aabb
Update service 083c382b-410e-4068-8f3f-46a6f384aabb; spec: /tmp/svcspec_5l0hyjrf
Get service 5445743e-ca86-4e7a-85fc-106198e3a590
Update service 5445743e-ca86-4e7a-85fc-106198e3a590; spec: /tmp/svcspec_jqs60mmd
Get service 471ca192-a964-4346-9f1b-8a89c9684567
Update service 471ca192-a964-4346-9f1b-8a89c9684567; spec: /tmp/svcspec_x4joob3k
Get service eafc231a-0493-4d9f-9351-99c204ffc715
Update service eafc231a-0493-4d9f-9351-99c204ffc715; spec: /tmp/svcspec_j1ln95s5
Get service bf973dfe-0161-4543-befc-04fc23d1a1d1
Update service bf973dfe-0161-4543-befc-04fc23d1a1d1; spec: /tmp/svcspec_f6ia8c_t
Get service 7a5d1b63-e0f6-4eb1-8c99-2d1ffabf278b
Update service 7a5d1b63-e0f6-4eb1-8c99-2d1ffabf278b; spec: /tmp/svcspec_udegb3_c
Get service a3695900-ee1c-4494-9f2b-351b963cffa3
Update service a3695900-ee1c-4494-9f2b-351b963cffa3; spec: /tmp/svcspec_3456cofm
Get service 5b00a6a9-efa7-4844-8144-4b1e5f9d3fcc
Update service 5b00a6a9-efa7-4844-8144-4b1e5f9d3fcc; spec: /tmp/svcspec_akqdsizn
Get service 29f0ad2a-2d18-4744-8cdb-31b50764cbee
Update service 29f0ad2a-2d18-4744-8cdb-31b50764cbee; spec: /tmp/svcspec_482hrta2
Get service 29cbc4aa-8893-4922-afff-649cc25a6423
Update service 29cbc4aa-8893-4922-afff-649cc25a6423; spec: /tmp/svcspec_3hrq76o2
Get service 10e1363e-ef1d-47f0-b0b6-6cab7e37d144
Update service 10e1363e-ef1d-47f0-b0b6-6cab7e37d144; spec: /tmp/svcspec_7zpp8yk9
Get service b7ef48d7-c124-45e8-8d22-b850349027e2
Update service b7ef48d7-c124-45e8-8d22-b850349027e2; spec: /tmp/svcspec_1s0nxvd4
Get service 3ab8929e-91c8-42dc-aa31-786c45309610
Update service 3ab8929e-91c8-42dc-aa31-786c45309610; spec: /tmp/svcspec_ti3j2mgb
Get service 77e6dcf0-5007-42ff-b3be-3d496c6dc8b6
Update service 77e6dcf0-5007-42ff-b3be-3d496c6dc8b6; spec: /tmp/svcspec_97989zbp
Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a
Update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a; spec: /tmp/svcspec_1z9un83v
Get service 083c382b-410e-4068-8f3f-46a6f384aabb_authz
Update service 083c382b-410e-4068-8f3f-46a6f384aabb_authz; spec: /tmp/svcspec_k_f9rf40
Get service 27a701a9-9b7b-4072-9ca8-a6695934395a
Update service 27a701a9-9b7b-4072-9ca8-a6695934395a; spec: /tmp/svcspec_aut8vpy6
Get service 3cc88284-b45c-48cd-8be1-f8d7bf53c2c3
Update service 3cc88284-b45c-48cd-8be1-f8d7bf53c2c3; spec: /tmp/svcspec_fov0u_6x
Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.lcm.client
Don't update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.lcm.client
Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.cloud.provider.services.plugin
Don't update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.cloud.provider.services.plugin
Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.vcenter.wcp
Don't update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.vcenter.wcp
Updated 43 service(s)
Status : 60% Completed [Reset vpxd-extension Cert...]
2023-05-10T07:46:56.882Z  Updating certificate for "com.vmware.vim.eam" extension
2023-05-10T07:46:57.296Z  Updating certificate for "com.vmware.rbd" extension
2023-05-10T07:46:57.693Z  Updating certificate for "com.vmware.imagebuilder" extension
Reset status : 100% Completed [Reset completed successfully]

root@localhost [ ~ ]# service-control --start --all
Operation not cancellable. Please wait for it to finish...
Performing start operation on service lwsmd...
Successfully started service lwsmd
Performing start operation on service vmafdd...
Successfully started service vmafdd
Performing start operation on service vmdird...
Successfully started service vmdird
Performing start operation on service vmcad...
Successfully started service vmcad
Performing start operation on profile: ALL...
Successfully started profile: ALL.
Performing start operation on service observability...
Successfully started service observability
Performing start operation on service vmware-vdtc...
Successfully started service vmware-vdtc
Performing start operation on service vmware-pod...
Service vmware-pod startup type is not automatic. Skip

Check the new certificates:

root@localhost [ ~ ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : May  9 07:33:16 2025 GMT
STORE TRUSTED_ROOTS
Alias : e09cebe9d04da849d3bca621db2ea698fd64e652
            Not After : May  4 07:26:41 2031 GMT
Alias : 0104dc7a7afa5004498ee631992e0e96a88671eb
            Not After : May  4 07:43:15 2033 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 511b76b2e2e6386d2099d9aaf9843d66b1fbc8aa
Alias : 1332df98c6c8aaa33c237fccc5401e27c2abb2e4
STORE machine
Alias : machine
            Not After : May  9 07:36:52 2025 GMT
STORE vsphere-webclient
Alias : vsphere-webclient
            Not After : May  9 07:36:54 2025 GMT
STORE vpxd
Alias : vpxd
            Not After : May  9 07:36:54 2025 GMT
STORE vpxd-extension
Alias : vpxd-extension
            Not After : May  9 07:36:56 2025 GMT
STORE hvc
Alias : hvc
            Not After : May  9 07:36:58 2025 GMT
STORE data-encipherment
Alias : data-encipherment
            Not After : May  4 07:26:41 2031 GMT
STORE APPLMGMT_PASSWORD
STORE SMS
Alias : sms_self_signed
            Not After : May  9 07:31:32 2031 GMT
STORE wcp
Alias : wcp
            Not After : May  9 07:36:58 2025 GMT
STORE BACKUP_STORE
Alias : bkp___MACHINE_CERT
            Not After : May  9 19:26:41 2023 GMT
Alias : bkp_machine
            Not After : May  4 07:26:41 2031 GMT
Alias : bkp_vsphere-webclient
            Not After : May  4 07:26:41 2031 GMT
Alias : bkp_vpxd
            Not After : May  4 07:26:41 2031 GMT
Alias : bkp_vpxd-extension
            Not After : May  4 07:26:41 2031 GMT
Alias : bkp_hvc
            Not After : May  4 07:26:41 2031 GMT
Alias : bkp_wcp
            Not After : May  4 07:26:41 2031 GMT
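Comparing the two vecs-cli listings by eye is error-prone on a store with dozens of entries. The script below is an added example, not code from the original post or from VMware: it parses the STORE / Alias / Not After lines that the vecs-cli loop prints and applies the same days-until-expiry check that checksts.py performs for the STS certificates, so saved output can be checked offline and a warning can be raised before a certificate actually expires. The two samples are constructed excerpts of the listings above, REFERENCE_NOW is taken from the 2023-05-10 timestamp in the reset log, and the 30-day warning threshold is an assumption. It also makes visible why the post-reset listing is not completely clean: bkp___MACHINE_CERT in BACKUP_STORE is the backed-up old Machine SSL certificate and still carries its 2023 expiry.

```python
"""Flag expired and soon-to-expire entries in `vecs-cli entry list --text` output.

Added example (not the post's or VMware's code). Reads the STORE / Alias /
Not After lines printed by the post's shell loop and buckets each entry by
days until expiry, the way checksts.py does for STS certificates.
Samples and REFERENCE_NOW are constructed from the post's own listings and
its 2023-05-10 reset timestamp; the 30-day warning threshold is an assumption.
"""
import re
from datetime import datetime, timezone

# Constructed excerpt of the pre-reset listing from the post.
SAMPLE_BEFORE = """\
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : May  9 07:33:16 2023 GMT
STORE TRUSTED_ROOTS
Alias : e09cebe9d04da849d3bca621db2ea698fd64e652
            Not After : May  4 07:26:41 2023 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 511b76b2e2e6386d2099d9aaf9843d66b1fbc8aa
STORE vpxd
Alias : vpxd
            Not After : May  9 07:36:54 2023 GMT
STORE APPLMGMT_PASSWORD
"""

# Constructed excerpt of the post-reset listing: live stores renewed, but the
# backed-up old Machine SSL cert in BACKUP_STORE keeps its 2023 expiry.
SAMPLE_AFTER = """\
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : May  9 07:33:16 2025 GMT
STORE TRUSTED_ROOTS
Alias : e09cebe9d04da849d3bca621db2ea698fd64e652
            Not After : May  4 07:26:41 2031 GMT
STORE BACKUP_STORE
Alias : bkp___MACHINE_CERT
            Not After : May  9 19:26:41 2023 GMT
"""

# Reference time taken from the post's reset log (2023-05-10T07:46Z).
REFERENCE_NOW = datetime(2023, 5, 10, 7, 46, tzinfo=timezone.utc)

STORE_RE = re.compile(r"^STORE\s+(\S+)")
ALIAS_RE = re.compile(r"^Alias\s*:\s*(\S+)")
NOT_AFTER_RE = re.compile(r"Not After\s*:\s*(.+?)\s*$")


def parse_vecs_listing(text):
    """Return [(store, alias, not_after)]. not_after is None for entries without
    a validity period (e.g. CRLs), so they are reported rather than dropped."""
    entries = []
    store = None
    for raw in text.splitlines():
        line = raw.strip()
        m = STORE_RE.match(line)
        if m:
            store = m.group(1)
            continue
        m = ALIAS_RE.match(line)
        if m:
            entries.append([store, m.group(1), None])
            continue
        m = NOT_AFTER_RE.search(line)
        if m and entries:
            # vecs-cli prints OpenSSL's date layout, e.g. "May  9 07:33:16 2023 GMT"
            when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y %Z")
            entries[-1][2] = when.replace(tzinfo=timezone.utc)
    return [tuple(e) for e in entries]


def check_listing(text, now=None, warn_days=30):
    """Bucket every entry as expired / expiring / ok / no_expiry with days left."""
    now = now or datetime.now(timezone.utc)
    report = {"expired": [], "expiring": [], "ok": [], "no_expiry": []}
    for store, alias, not_after in parse_vecs_listing(text):
        if not_after is None:
            report["no_expiry"].append((store, alias))
            continue
        days_left = (not_after - now).days
        if not_after <= now:
            report["expired"].append((store, alias, days_left))
        elif days_left <= warn_days:
            report["expiring"].append((store, alias, days_left))
        else:
            report["ok"].append((store, alias, days_left))
    return report


def main():
    for label, sample in (("before reset", SAMPLE_BEFORE), ("after reset", SAMPLE_AFTER)):
        report = check_listing(sample, now=REFERENCE_NOW)
        print("== %s ==" % label)
        for store, alias, days in report["expired"]:
            print("  EXPIRED  %-18s %s (%d days ago)" % (store, alias, -days))
        for store, alias, days in report["expiring"]:
            print("  EXPIRING %-18s %s (%d days left)" % (store, alias, days))
        for store, alias, days in report["ok"]:
            print("  OK       %-18s %s (%d days left)" % (store, alias, days))
        for store, alias in report["no_expiry"]:
            print("  NOEXPIRY %-18s %s" % (store, alias))


if __name__ == "__main__":
    main()
```

On the appliance, the loop's output can be saved to a file and passed to check_listing with now=None to use the current time. Entries in the expired bucket outside BACKUP_STORE are the ones to renew; BACKUP_STORE holds the previous certificates that certificate-manager keeps for a revert, so stale entries there are expected after a reset.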

Update the vCenter STS certificate

Download checksts.py and fixsts.sh from the official VMware website.

Transfer them with an FTP tool to the tmp folder on the vCenter appliance (a new folder can be created).

Connect to the vCenter appliance with Xshell.

Change into the tmp directory with cd /tmp and list its contents with ls.

Run checksts.py: python checksts.py

#!/opt/vmware/bin/python


"""
Copyright 2020-2022 VMware, Inc.  All rights reserved. -- VMware Confidential
Author:  Keenan Matheny ([email protected])

"""
##### BEGIN IMPORTS #####

import os
import sys
import json
import subprocess
import re
import pprint
import ssl
from datetime import datetime, timedelta
import textwrap
from codecs import encode, decode
from time import sleep
try:
    # Python 3 hack.
    import urllib.request as urllib2
    import urllib.parse as urlparse
except ImportError:
    import urllib2
    import urlparse

sys.path.append(os.environ['VMWARE_PYTHON_PATH'])
from cis.defaults import def_by_os
sys.path.append(os.path.join(os.environ['VMWARE_CIS_HOME'],
                def_by_os('vmware-vmafd/lib64', 'vmafdd')))
import vmafd
from OpenSSL.crypto import (load_certificate, dump_privatekey, dump_certificate, X509, X509Name, PKey)
from OpenSSL.crypto import (TYPE_DSA, TYPE_RSA, FILETYPE_PEM, FILETYPE_ASN1 )

today = datetime.now()
today = today.strftime("%d-%m-%Y")

vcsa_kblink = "https://kb.vmware.com/s/article/76719"
win_kblink = "https://kb.vmware.com/s/article/79263"

##### END IMPORTS #####

class parseCert( object ):
    # Certificate parsing

    def format_subject_issuer(self, x509name): 
        items = []
        for item in x509name.get_components():
            items.append('%s=%s' %  (decode(item[0],'utf-8'), decode(item[1],'utf-8')))
        return ", ".join(items)

    def format_asn1_date(self, d):
        return datetime.strptime(decode(d,'utf-8'), '%Y%m%d%H%M%SZ').strftime("%Y-%m-%d %H:%M:%S GMT")

    def merge_cert(self, extensions, certificate):
        z = certificate.copy()
        z.update(extensions)
        return z

    def __init__(self, certdata):

        built_cert = certdata
        self.x509 = load_certificate(FILETYPE_PEM, built_cert)
        keytype = self.x509.get_pubkey().type()
        keytype_list = {TYPE_RSA:'rsaEncryption', TYPE_DSA:'dsaEncryption', 408:'id-ecPublicKey'}
        extension_list = ["extendedKeyUsage",
                        "keyUsage",
                        "subjectAltName",
                        "subjectKeyIdentifier",
                        "authorityKeyIdentifier"]
        key_type_str = keytype_list[keytype] if keytype in keytype_list else 'other'

        certificate = {}
        extension = {}
        for i in range(self.x509.get_extension_count()):
            critical = 'critical' if self.x509.get_extension(i).get_critical() else ''

            if decode(self.x509.get_extension(i).get_short_name(),'utf-8') in extension_list:
                extension[decode(self.x509.get_extension(i).get_short_name(),'utf-8')] = self.x509.get_extension(i).__str__()

        certificate = {'Thumbprint': decode(self.x509.digest('sha1'),'utf-8'), 'Version': self.x509.get_version(),
         'SignatureAlg' : decode(self.x509.get_signature_algorithm(),'utf-8'), 'Issuer' :self.format_subject_issuer(self.x509.get_issuer()), 
         'Valid From' : self.format_asn1_date(self.x509.get_notBefore()), 'Valid Until' : self.format_asn1_date(self.x509.get_notAfter()),
         'Subject' : self.format_subject_issuer(self.x509.get_subject())}
        
        combined = self.merge_cert(extension,certificate)
        cert_output = json.dumps(combined)

        self.subjectAltName = combined.get('subjectAltName')
        self.subject = combined.get('Subject')
        self.validfrom = combined.get('Valid From')
        self.validuntil = combined.get('Valid Until')
        self.thumbprint = combined.get('Thumbprint')
        self.subjectkey = combined.get('subjectKeyIdentifier')
        self.authkey = combined.get('authorityKeyIdentifier')
        self.combined = combined

class parseSts( object ):

    def __init__(self):
        self.processed = []
        self.results = {}
        self.results['expired'] = {}
        self.results['expired']['root'] = []
        self.results['expired']['leaf'] = []
        self.results['valid'] = {}
        self.results['valid']['root'] = []
        self.results['valid']['leaf'] = []

    def get_certs(self,force_refresh):
        urllib2.getproxies = lambda: {}
        vmafd_client = vmafd.client('localhost')
        domain_name = vmafd_client.GetDomainName()

        dc_name = vmafd_client.GetAffinitizedDC(domain_name, force_refresh)
        if vmafd_client.GetPNID() == dc_name:
            url = (
                'http://localhost:7080/idm/tenant/%s/certificates?scope=TENANT'
                % domain_name)
        else:
            url = (
                'https://%s/idm/tenant/%s/certificates?scope=TENANT'
                % (dc_name,domain_name))
        return json.loads(urllib2.urlopen(url).read().decode('utf-8'))

    def check_cert(self,certificate):
        cert = parseCert(certificate)
        certdetail = cert.combined

        #  Attempt to identify what type of certificate it is
        if cert.authkey:
            cert_type = "leaf"
        else:
            cert_type = "root"
        
        #  Try to only process a cert once
        if cert.thumbprint not in self.processed:
            # Date conversion
            self.processed.append(cert.thumbprint)
            exp = cert.validuntil.split()[0]
            conv_exp = datetime.strptime(exp, '%Y-%m-%d')
            exp = datetime.strftime(conv_exp, '%d-%m-%Y')
            now = datetime.strptime(today, '%d-%m-%Y')
            exp_date = datetime.strptime(exp, '%d-%m-%Y')
            
            # Get number of days until it expires
            diff = exp_date - now
            certdetail['daysUntil'] = diff.days

            # Sort expired certs into leafs and roots, put the rest in goodcerts.
            if exp_date <= now:
                self.results['expired'][cert_type].append(certdetail)
            else:
                self.results['valid'][cert_type].append(certdetail)
    
    def execute(self):

        # Named cert_data so the json module is not shadowed inside this method
        cert_data = self.get_certs(force_refresh=False)
        for item in cert_data:
            for certificate in item['certificates']:
                self.check_cert(certificate['encoded'])
        return self.results

def main():

    warning = False
    warningmsg = '''
    WARNING! 
    You have expired STS certificates.  Please follow the KB corresponding to your OS:
    VCSA:  %s
    Windows:  %s
    ''' % (vcsa_kblink, win_kblink)
    parse_sts = parseSts()
    results = parse_sts.execute()
    valid_count = len(results['valid']['leaf']) + len(results['valid']['root'])
    expired_count = len(results['expired']['leaf']) + len(results['expired']['root'])
          
    
    #### Display Valid ####
    print("\n%s VALID CERTS\n================" % valid_count)
    print("\n\tLEAF CERTS:\n")
    if len(results['valid']['leaf']) > 0:
        for cert in results['valid']['leaf']:
            print("\t[] Certificate %s will expire in %s days (%s years)." % (cert['Thumbprint'], cert['daysUntil'], round(cert['daysUntil']/365)))
    else:
        print("\tNone")
    print("\n\tROOT CERTS:\n")
    if len(results['valid']['root']) > 0:
        for cert in results['valid']['root']:
            print("\t[] Certificate %s will expire in %s days (%s years)." % (cert['Thumbprint'], cert['daysUntil'], round(cert['daysUntil']/365)))
    else:
        print("\tNone")


    #### Display expired ####
    print("\n%s EXPIRED CERTS\n================" % expired_count)
    print("\n\tLEAF CERTS:\n")
    if len(results['expired']['leaf']) > 0:
        for cert in results['expired']['leaf']:
            print("\t[] Certificate: %s expired on %s!" % (cert.get('Thumbprint'),cert.get('Valid Until')))
            continue
    else:
        print("\tNone")

    print("\n\tROOT CERTS:\n")
    if len(results['expired']['root']) > 0:
        for cert in results['expired']['root']:
            print("\t[] Certificate: %s expired on %s!" % (cert.get('Thumbprint'),cert.get('Valid Until')))
            continue
    else:
        print("\tNone")

    if expired_count > 0:
        print(warningmsg)


if __name__ == '__main__':
    sys.exit(main())


After it runs, it reports whether the STS certificates have expired and their expiry dates.

Add execute permission: chmod +x fixsts.sh

Run the fix script: ./fixsts.sh. When it finishes, log in to vCenter to confirm that the certificates have been updated.
