Vcenter6.5的证书过期重启服务报错
Vcenter6.5的administrator密码过期重启服务报错
1.通过命令重置administrator密码
/usr/lib/vmware-vmdir/bin/vdcadmintool
选择3 Reset account password
输入UPN:[email protected]
系统会随机生成新密码
2.通过命令查询是否有证书过期
Signing certificate is not valid" error in VCSA 6.5.x,6.7.x or vCenter Server 7.0.x (76719)
for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
发现SSL、ROOT_CRLS、machine、webclient、vpxd、extension证书均过期
3.官方下载检查STS证书脚本和修复脚本
附录:Appliance Shell与bash shell切换
chsh -s /bin/bash root //切换到bash shell
chsh -s /bin/appliancesh root //切回到Appliance Shell
chmod +x checksts.py
chmod +x fixsts.sh
./checksts.py
4.执行修复脚本
./fixsts.sh
service-control --stop --all
service-control --start --all
无法启动服务(因为除STS证书其他过期)
5.重置所有证书
要启动 vSphere Certificate Manager,请执行以下命令
vCenter Server Appliance:/usr/lib/vmware-vmca/bin/certificate-manager
选择8
报错无法启动vxpd服务,查询资料
For vCenter Server Appliance (VCSA):
- Take an SSH connection to the affected VCSA machine(s) and execute these commands line by line:
export JAVA_BIN=/usr/java/jre-vmware/bin/java
export CLASSPATH=/opt/vmware/lib64/*:/usr/lib/vmware-sso/commonlib/*
export _SSO_ROOT_CERT_X509=/etc/vmware-sso/keys/ssoserverRoot.crt
export _SSO_SIGNING_LEAF_CERT_X509=/etc/vmware-sso/keys/ssoserverSign.crt
export _SSO_SIGNING_LEAF_CERT_KEY=/etc/vmware-sso/keys/ssoserverSign.key
$JAVA_BIN -cp $CLASSPATH com.vmware.identity.installer.STSInstaller --install --root-cert-path "$_SSO_ROOT_CERT_X509" --cert-path "$_SSO_SIGNING_LEAF_CERT_X509" --private-key-path "$_SSO_SIGNING_LEAF_CERT_KEY"
- After you see the message Successfully installed VMware STS , reboot VCSA to ensure IDM/STS references the changed certificate and to allow the other services (VC, IS, NGC) to pick up this change.
官方KB链接:Logging in to vSphere web client fails with error: The login request has expired due to a clock synchronization issue between vSphere Web Client and vCenter Single Sign-On server (2108379) (vmware.com)
3.然后再次启动 vSphere Certificate Manager,选择选项 8 更新证书。
如果确认STS证书未过期,就直接进行其它证书的更新。
请参考KB,更新vc的其它证书:
VMware Knowledge Base
选择选项 8 进行操作,根据提示,在「Hostname」输入vc的FQDN,在VMCA Name输入与Hostname相同的值(如果是以ip部署的vc,请输入ip地址
再次查询成功续订2年
6.登录页面进行验证
vSphere - DSBJvCenter - 摘要
7.删除备份证书
CertificateStatusAlarm - 存在已过期或即将过期的证书/VMware vCenter Server 上触发证书状态更改警报 (68171)
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp___MACHINE_CERT -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp_machine -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp_vsphere-webclient -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp_vpxd -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp_vpxd-extension -y
8.删除store
/usr/lib/vmware-vmafd/bin/vecs-cli store delete --name BACKUP_STORE -y
查看store
/usr/lib/vmware-vmafd/bin/vecs-cli store list
9.登录Web页面管理认证
https://10.22.4.50/psc/#?extensionId=psc.core.home
https://10.22.4.50/psc
日志文件位置:
- vSphere Certificate Manager 将 certificate-manager.log 文件存储在以下位置:
- Windows vCenter Server 6.x:C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
- vCenter Server Appliance 6.x/7.x:/var/log/vmware/vmcad/certificate-manager.log
- certool.cfg 文件位于:
C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg
- vCenter Server Appliance 和 Platform Services Controller 设备中的配置文件位置:
- vCenter Server Appliance:/usr/lib/vmware-vmca/share/config/certool.cfg
- Platform Services Controller 设备:/usr/lib/vmware-vmca/share/config/certool.cfg
通过wincp 的scp上传脚本文件到psc和vc appliance时,会报错:
Host is not communicating for more than 15 seconds. If the problem repeats, try turning off ‘Optimize connection buffer size’.
可切换到bash shell后再次连接即可。
官方KB链接:CertificateStatusAlarm - 存在已过期或即将过期的证书/VMware vCenter Server 上触发证书状态更改警报 (68171)
Verify and resolve expired vCenter Server certificates using command line
VMware Knowledge Base
官方检查VMware Knowledge Base
如何使用 vSphere Certificate Manager 替换 SSL 证书 (2097936) (vmware.com)