VMware集群不可访问 证书到期

已于 2023-05-25 09:29:22 修改
阅读量5.1k 收藏 1
点赞数 3
文章标签: 服务器 windows VMware
于 2023-05-10 16:27:24 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/cojn52/article/details/130604032
版权

报错:

HTTP状态 500 - 内部服务器错误 

原因:service-control --start vmware-vpxd 启动不了

查看内部原因是证书到期

root@localhost [ ~ ]# service-control --start vmware-vpxd

peration not cancellable. Please wait for it to finish...

Performing start operation on service vpxd...

Error executing start on service vpxd. Details {

  "resolution"null,

  "detail": [

  {

  "translatable""An error occurred while starting service '%(0)s'",

  "localized""An error occurred while starting service 'vpxd'",

  "args": [

  "vpxd"

  ],

  "id""install.ciscommon.service.failstart"

  }

  ],

  "problemId"null,

  "componentKey"null

}

Service-control failed. Error: {

  "resolution"null,

  "detail": [

  {

  "translatable""An error occurred while starting service '%(0)s'",

  "localized""An error occurred while starting service 'vpxd'",

  "args": [

  "vpxd"

  ],

  "id""install.ciscommon.service.failstart"

  }

  ],

  "problemId"null,

  "componentKey"null

}

cat /var/log/vmware/sca/sca.log

om.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted 

登录vc查看

root@localhost [ ~ ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

STORE MACHINE_SSL_CERT

Alias : __MACHINE_CERT

            Not After : May  9 07:33:16 2023 GMT

STORE TRUSTED_ROOTS

Alias : e09cebe9d04da849d3bca621db2ea698fd64e652

            Not After : May  4 07:26:41 2023 GMT

Alias : 0104dc7a7afa5004498ee631992e0e96a88671eb

            Not After : May  4 07:43:15 2023 GMT

STORE TRUSTED_ROOT_CRLS

Alias : 511b76b2e2e6386d2099d9aaf9843d66b1fbc8aa

Alias : 1332df98c6c8aaa33c237fccc5401e27c2abb2e4

STORE machine

Alias : machine

            Not After : May  9 07:36:52 2023 GMT

STORE vsphere-webclient

Alias : vsphere-webclient

            Not After : May  9 07:36:54 2023 GMT

STORE vpxd

Alias : vpxd

            Not After : May  9 07:36:54 2023 GMT

STORE vpxd-extension

Alias : vpxd-extension

            Not After : May  9 07:36:56 2023 GMT

STORE hvc

Alias : hvc

            Not After : May  9 07:36:58 2023 GMT

STORE data-encipherment

Alias : data-encipherment

            Not After : May  4 07:26:41 2023 GMT

STORE APPLMGMT_PASSWORD

STORE SMS

Alias : sms_self_signed

            Not After : May  9 07:31:32 2023 GMT

STORE wcp

Alias : wcp

            Not After : May  9 07:36:58 2023 GMT

STORE BACKUP_STORE

Alias : bkp___MACHINE_CERT

            Not After : May  9 19:26:41 2023 GMT

Alias : bkp_machine

            Not After : May  4 07:26:41 2033 GMT

Alias : bkp_vsphere-webclient

            Not After : May  4 07:26:41 2023 GMT

Alias : bkp_vpxd

            Not After : May  4 07:26:41 2023 GMT

Alias : bkp_vpxd-extension

            Not After : May  4 07:26:41 2023 GMT

Alias : bkp_hvc

            Not After : May  4 07:26:41 2023 GMT

Alias : bkp_wcp

            Not After : May  4 07:26:41 2023 GMT

处理过程:

root@localhost [ ~ ]#  /usr/lib/vmware-vmca/bin/certificate-manager

         _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

        |                                                                     |

        |      *** Welcome to the vSphere 6.8 Certificate Manager  ***        |

        |                                                                     |

        |                   -- Select Operation --                            |

        |                                                                     |

        |      1. Replace Machine SSL certificate with Custom Certificate     |

        |                                                                     |

        |      2. Replace VMCA Root certificate with Custom Signing           |

        |         Certificate and replace all Certificates                    |

        |                                                                     |

        |      3. Replace Machine SSL certificate with VMCA Certificate       |

        |                                                                     |

        |      4. Regenerate a new VMCA Root Certificate and                  |

        |         replace all certificates                                    |

        |                                                                     |

        |      5. Replace Solution user certificates with                     |

        |         Custom Certificate                                          |

        |         NOTE: Solution user certs will be deprecated in a future    |

        |         release of vCenter. Refer to release notes for more details.|

        |                                                                     |

        |      6. Replace Solution user certificates with VMCA certificates   |

        |                                                                     |

        |      7. Revert last performed operation by re-publishing old        |

        |         certificates                                                |

        |                                                                     |

        |      8. Reset all Certificates                                      |

        |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|

Note : Use Ctrl-D to exit.

Option[1 to 8]: 8

Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y

Please provide valid SSO and VC privileged user credential to perform certificate operations.

Enter username [Administrator@vsphere.local]:

Enter password:

Please configure certool.cfg with proper values before proceeding to next step.

Press Enter key to skip optional parameters or use Default value.

Enter proper value for 'Country' [Default value : US] :

Enter proper value for 'Name' [Default value : CA] :

Enter proper value for 'Organization' [Default value : VMware] :

Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :

Enter proper value for 'State' [Default value : California] :

Enter proper value for 'Locality' [Default value : Palo Alto] :

Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 10.10.10.10

Enter proper value for 'Email' [Default value : email@acme.com] :

Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vsphere.local

Enter proper value for VMCA 'Name' :vsphere.local

Continue operation : Option[Y/N] ? : Y

You are going to reset by regenerating Root Certificate and replace all certificates using VMCA

Continue operation : Option[Y/N] ? : Y

Get site nameCompleted [Reset Machine SSL Cert...]                 

default-site

Lookup all services

Get service default-site:8d7d9dfe-a8a5-4239-98dd-11450c29e372

Update service default-site:8d7d9dfe-a8a5-4239-98dd-11450c29e372; spec: /tmp/svcspec_ofokwzjb

Get service default-site:7cce27d9-2054-42de-88d0-18e6dda92974

Update service default-site:7cce27d9-2054-42de-88d0-18e6dda92974; spec: /tmp/svcspec_o33jb36v

Get service default-site:b2989b91-cc7f-46fc-9329-51633c227544

Update service default-site:b2989b91-cc7f-46fc-9329-51633c227544; spec: /tmp/svcspec_hg_3lbrr

Get service 215a0ae7-f36c-4feb-a91b-64f542f10737

Update service 215a0ae7-f36c-4feb-a91b-64f542f10737; spec: /tmp/svcspec_0g9aitb9

Get service 9913dd5a-29d9-4944-9023-b36a7f3f9aab

Update service 9913dd5a-29d9-4944-9023-b36a7f3f9aab; spec: /tmp/svcspec_p3wa5u5o

Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.vsphere.client

Don't update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.vsphere.client

Get service 083c382b-410e-4068-8f3f-46a6f384aabb_kv

Update service 083c382b-410e-4068-8f3f-46a6f384aabb_kv; spec: /tmp/svcspec_9_qw87q7

Get service a7b5290e-bdab-4b5f-835e-0e72025aec34

Update service a7b5290e-bdab-4b5f-835e-0e72025aec34; spec: /tmp/svcspec_z6vwsink

Get service 95d64ba2-42e2-41eb-a999-9b5b529c59c8

Update service 95d64ba2-42e2-41eb-a999-9b5b529c59c8; spec: /tmp/svcspec_impoxn0n

Get service af5ed366-41cf-42d0-8e4f-beae28ec85f1

Update service af5ed366-41cf-42d0-8e4f-beae28ec85f1; spec: /tmp/svcspec_1yg0oc6w

Get service f3163235-3656-4761-84aa-47f62508af07

Update service f3163235-3656-4761-84aa-47f62508af07; spec: /tmp/svcspec_0ovp2qfp

Get service c2c8bdc3-d12f-4ba4-9d46-ae02a3c84422

Don't update service c2c8bdc3-d12f-4ba4-9d46-ae02a3c84422

Get service 41c3a8d4-6fc2-4681-8ea2-11c04e38251d

Update service 41c3a8d4-6fc2-4681-8ea2-11c04e38251d; spec: /tmp/svcspec_lbsneeph

Get service 93aa8809-30dc-4420-ad6f-992274b208fc

Update service 93aa8809-30dc-4420-ad6f-992274b208fc; spec: /tmp/svcspec__dpslmx_

Get service d34464b3-8d33-4666-952b-12f86993dff9

Update service d34464b3-8d33-4666-952b-12f86993dff9; spec: /tmp/svcspec_ix7p0ix2

Get service 59be3a84-a8d1-43f7-a438-f96b05cd293f

Update service 59be3a84-a8d1-43f7-a438-f96b05cd293f; spec: /tmp/svcspec_fzr_0wzy

Get service b5857733-e43c-45a2-9eea-ffe828e342e5

Update service b5857733-e43c-45a2-9eea-ffe828e342e5; spec: /tmp/svcspec_13838hnp

Get service f4476059-f338-49e0-b593-bdbed7924b9f

Update service f4476059-f338-49e0-b593-bdbed7924b9f; spec: /tmp/svcspec_heu48h53

Get service 5cd17d52-143e-4f94-bdc9-460395aa2788

Update service 5cd17d52-143e-4f94-bdc9-460395aa2788; spec: /tmp/svcspec_h44reiwc

Get service eb4088cb-587c-462f-ae74-dee39ecd2d81

Update service eb4088cb-587c-462f-ae74-dee39ecd2d81; spec: /tmp/svcspec_n3bn7nac

Get service 77a8311e-f84b-4f6a-85af-5aad7410d07f

Update service 77a8311e-f84b-4f6a-85af-5aad7410d07f; spec: /tmp/svcspec_4uagg_qw

Get service 961ed673-2103-4389-a3ff-15fe1136c1c8

Update service 961ed673-2103-4389-a3ff-15fe1136c1c8; spec: /tmp/svcspec_ama3feqa

Get service dbc775d9-a14d-4c52-ab0f-04adc7f4e64e

Update service dbc775d9-a14d-4c52-ab0f-04adc7f4e64e; spec: /tmp/svcspec_s28drpmn

Get service 510feef8-19c7-4a8e-8b6f-81b20b391338

Update service 510feef8-19c7-4a8e-8b6f-81b20b391338; spec: /tmp/svcspec_n3phr010

Get service c4e34b09-0335-470e-a2cd-3fc032957b4c

Update service c4e34b09-0335-470e-a2cd-3fc032957b4c; spec: /tmp/svcspec_ffb4f7ea

Get service 721a3bc4-ecc8-4e0e-8403-1fd44e84e8cc

Update service 721a3bc4-ecc8-4e0e-8403-1fd44e84e8cc; spec: /tmp/svcspec_g2yil2u2

Get service 5989812c-590d-44cb-bc3a-8172ea0fa85f

Update service 5989812c-590d-44cb-bc3a-8172ea0fa85f; spec: /tmp/svcspec_57e17tya

Get service 083c382b-410e-4068-8f3f-46a6f384aabb

Update service 083c382b-410e-4068-8f3f-46a6f384aabb; spec: /tmp/svcspec_5l0hyjrf

Get service 5445743e-ca86-4e7a-85fc-106198e3a590

Update service 5445743e-ca86-4e7a-85fc-106198e3a590; spec: /tmp/svcspec_jqs60mmd

Get service 471ca192-a964-4346-9f1b-8a89c9684567

Update service 471ca192-a964-4346-9f1b-8a89c9684567; spec: /tmp/svcspec_x4joob3k

Get service eafc231a-0493-4d9f-9351-99c204ffc715

Update service eafc231a-0493-4d9f-9351-99c204ffc715; spec: /tmp/svcspec_j1ln95s5

Get service bf973dfe-0161-4543-befc-04fc23d1a1d1

Update service bf973dfe-0161-4543-befc-04fc23d1a1d1; spec: /tmp/svcspec_f6ia8c_t

Get service 7a5d1b63-e0f6-4eb1-8c99-2d1ffabf278b

Update service 7a5d1b63-e0f6-4eb1-8c99-2d1ffabf278b; spec: /tmp/svcspec_udegb3_c

Get service a3695900-ee1c-4494-9f2b-351b963cffa3

Update service a3695900-ee1c-4494-9f2b-351b963cffa3; spec: /tmp/svcspec_3456cofm

Get service 5b00a6a9-efa7-4844-8144-4b1e5f9d3fcc

Update service 5b00a6a9-efa7-4844-8144-4b1e5f9d3fcc; spec: /tmp/svcspec_akqdsizn

Get service 29f0ad2a-2d18-4744-8cdb-31b50764cbee

Update service 29f0ad2a-2d18-4744-8cdb-31b50764cbee; spec: /tmp/svcspec_482hrta2

Get service 29cbc4aa-8893-4922-afff-649cc25a6423

Update service 29cbc4aa-8893-4922-afff-649cc25a6423; spec: /tmp/svcspec_3hrq76o2

Get service 10e1363e-ef1d-47f0-b0b6-6cab7e37d144

Update service 10e1363e-ef1d-47f0-b0b6-6cab7e37d144; spec: /tmp/svcspec_7zpp8yk9

Get service b7ef48d7-c124-45e8-8d22-b850349027e2

Update service b7ef48d7-c124-45e8-8d22-b850349027e2; spec: /tmp/svcspec_1s0nxvd4

Get service 3ab8929e-91c8-42dc-aa31-786c45309610

Update service 3ab8929e-91c8-42dc-aa31-786c45309610; spec: /tmp/svcspec_ti3j2mgb

Get service 77e6dcf0-5007-42ff-b3be-3d496c6dc8b6

Update service 77e6dcf0-5007-42ff-b3be-3d496c6dc8b6; spec: /tmp/svcspec_97989zbp

Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a

Update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a; spec: /tmp/svcspec_1z9un83v

Get service 083c382b-410e-4068-8f3f-46a6f384aabb_authz

Update service 083c382b-410e-4068-8f3f-46a6f384aabb_authz; spec: /tmp/svcspec_k_f9rf40

Get service 27a701a9-9b7b-4072-9ca8-a6695934395a

Update service 27a701a9-9b7b-4072-9ca8-a6695934395a; spec: /tmp/svcspec_aut8vpy6

Get service 3cc88284-b45c-48cd-8be1-f8d7bf53c2c3

Update service 3cc88284-b45c-48cd-8be1-f8d7bf53c2c3; spec: /tmp/svcspec_fov0u_6x

Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.lcm.client

Don't update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.lcm.client

Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.cloud.provider.services.plugin

Don't update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.cloud.provider.services.plugin

Get service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.vcenter.wcp

Don't update service f55500bf-673b-41aa-bd4f-44cc4db2fe0a_com.vmware.vcenter.wcp

Updated 43 service(s)

Status : 60% Completed [Reset vpxd-extension Cert...]                    

2023-05-10T07:46:56.882Z  Updating certificate for "com.vmware.vim.eam" extension

2023-05-10T07:46:57.296Z  Updating certificate for "com.vmware.rbd" extension

2023-05-10T07:46:57.693Z  Updating certificate for "com.vmware.imagebuilder" extension

Reset status : 100% Completed [Reset completed successfully]        

                  

root@localhost [ ~ ]# service-control --start --all

Operation not cancellable. Please wait for it to finish...

Performing start operation on service lwsmd...

Successfully started service lwsmd

Performing start operation on service vmafdd...

Successfully started service vmafdd

Performing start operation on service vmdird...

Successfully started service vmdird

Performing start operation on service vmcad...

Successfully started service vmcad

Performing start operation on profile: ALL...

Successfully started profile: ALL.

Performing start operation on service observability...

Successfully started service observability

Performing start operation on service vmware-vdtc...

Successfully started service vmware-vdtc

Performing start operation on service vmware-pod...

Service vmware-pod startup type is not automatic. Skip

新证书查看

root@localhost [ ~ ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

STORE MACHINE_SSL_CERT

Alias : __MACHINE_CERT

            Not After : May  9 07:33:16 2025 GMT

STORE TRUSTED_ROOTS

Alias : e09cebe9d04da849d3bca621db2ea698fd64e652

            Not After : May  4 07:26:41 2031 GMT

Alias : 0104dc7a7afa5004498ee631992e0e96a88671eb

            Not After : May  4 07:43:15 2033 GMT

STORE TRUSTED_ROOT_CRLS

Alias : 511b76b2e2e6386d2099d9aaf9843d66b1fbc8aa

Alias : 1332df98c6c8aaa33c237fccc5401e27c2abb2e4

STORE machine

Alias : machine

            Not After : May  9 07:36:52 2025 GMT

STORE vsphere-webclient

Alias : vsphere-webclient

            Not After : May  9 07:36:54 2025 GMT

STORE vpxd

Alias : vpxd

            Not After : May  9 07:36:54 2025 GMT

STORE vpxd-extension

Alias : vpxd-extension

            Not After : May  9 07:36:56 2025 GMT

STORE hvc

Alias : hvc

            Not After : May  9 07:36:58 2025 GMT

STORE data-encipherment

Alias : data-encipherment

            Not After : May  4 07:26:41 2031 GMT

STORE APPLMGMT_PASSWORD

STORE SMS

Alias : sms_self_signed

            Not After : May  9 07:31:32 2031 GMT

STORE wcp

Alias : wcp

            Not After : May  9 07:36:58 2025 GMT

STORE BACKUP_STORE

Alias : bkp___MACHINE_CERT

            Not After : May  9 19:26:41 2023 GMT

Alias : bkp_machine

            Not After : May  4 07:26:41 2031 GMT

Alias : bkp_vsphere-webclient

            Not After : May  4 07:26:41 2031 GMT

Alias : bkp_vpxd

            Not After : May  4 07:26:41 2031 GMT

Alias : bkp_vpxd-extension

            Not After : May  4 07:26:41 2031 GMT

Alias : bkp_hvc

            Not After : May  4 07:26:41 2031 GMT

Alias : bkp_wcp

            Not After : May  4 07:26:41 2031 GMT

更新vc  sts证书

从官网下载文件checksts.py          fixsts.sh

使用FTP工具传输到vc tmp文件夹下(可以新建一个文件夹)

使用Xshell工具连接vc

进入tmp文件下  cd /tmp        ls查看文件夹下文件

 运行checksts.py       python  checksts.py

#!/opt/vmware/bin/python


"""
Copyright 2020-2022 VMware, Inc.  All rights reserved. -- VMware Confidential
Author:  Keenan Matheny (keenanm@vmware.com)

"""
##### BEGIN IMPORTS #####

import os
import sys
import json
import subprocess
import re
import pprint
import ssl
from datetime import datetime, timedelta
import textwrap
from codecs import encode, decode
import subprocess
from time import sleep
try:
    # Python 3 hack.
    import urllib.request as urllib2
    import urllib.parse as urlparse
except ImportError:
    import urllib2
    import urlparse

sys.path.append(os.environ['VMWARE_PYTHON_PATH'])
from cis.defaults import def_by_os
sys.path.append(os.path.join(os.environ['VMWARE_CIS_HOME'],
                def_by_os('vmware-vmafd/lib64', 'vmafdd')))
import vmafd
from OpenSSL.crypto import (load_certificate, dump_privatekey, dump_certificate, X509, X509Name, PKey)
from OpenSSL.crypto import (TYPE_DSA, TYPE_RSA, FILETYPE_PEM, FILETYPE_ASN1 )

today = datetime.now()
today = today.strftime("%d-%m-%Y")

vcsa_kblink = "https://kb.vmware.com/s/article/76719"
win_kblink = "https://kb.vmware.com/s/article/79263"

##### END IMPORTS #####

class parseCert( object ):
    # Certificate parsing

    def format_subject_issuer(self, x509name): 
        items = []
        for item in x509name.get_components():
            items.append('%s=%s' %  (decode(item[0],'utf-8'), decode(item[1],'utf-8')))
        return ", ".join(items)

    def format_asn1_date(self, d):
        return datetime.strptime(decode(d,'utf-8'), '%Y%m%d%H%M%SZ').strftime("%Y-%m-%d %H:%M:%S GMT")

    def merge_cert(self, extensions, certificate):
        z = certificate.copy()
        z.update(extensions)
        return z

    def __init__(self, certdata):

        built_cert = certdata
        self.x509 = load_certificate(FILETYPE_PEM, built_cert)
        keytype = self.x509.get_pubkey().type()
        keytype_list = {TYPE_RSA:'rsaEncryption', TYPE_DSA:'dsaEncryption', 408:'id-ecPublicKey'}
        extension_list = ["extendedKeyUsage",
                        "keyUsage",
                        "subjectAltName",
                        "subjectKeyIdentifier",
                        "authorityKeyIdentifier"]
        key_type_str = keytype_list[keytype] if keytype in keytype_list else 'other'

        certificate = {}
        extension = {}
        for i in range(self.x509.get_extension_count()):
            critical = 'critical' if self.x509.get_extension(i).get_critical() else ''

            if decode(self.x509.get_extension(i).get_short_name(),'utf-8') in extension_list:
                extension[decode(self.x509.get_extension(i).get_short_name(),'utf-8')] = self.x509.get_extension(i).__str__()

        certificate = {'Thumbprint': decode(self.x509.digest('sha1'),'utf-8'), 'Version': self.x509.get_version(),
         'SignatureAlg' : decode(self.x509.get_signature_algorithm(),'utf-8'), 'Issuer' :self.format_subject_issuer(self.x509.get_issuer()), 
         'Valid From' : self.format_asn1_date(self.x509.get_notBefore()), 'Valid Until' : self.format_asn1_date(self.x509.get_notAfter()),
         'Subject' : self.format_subject_issuer(self.x509.get_subject())}
        
        combined = self.merge_cert(extension,certificate)
        cert_output = json.dumps(combined)

        self.subjectAltName = combined.get('subjectAltName')
        self.subject = combined.get('Subject')
        self.validfrom = combined.get('Valid From')
        self.validuntil = combined.get('Valid Until')
        self.thumbprint = combined.get('Thumbprint')
        self.subjectkey = combined.get('subjectKeyIdentifier')
        self.authkey = combined.get('authorityKeyIdentifier')
        self.combined = combined

class parseSts( object ):

    def __init__(self):
        self.processed = []
        self.results = {}
        self.results['expired'] = {}
        self.results['expired']['root'] = []
        self.results['expired']['leaf'] = []
        self.results['valid'] = {}
        self.results['valid']['root'] = []
        self.results['valid']['leaf'] = []

    def get_certs(self,force_refresh):
        urllib2.getproxies = lambda: {}
        vmafd_client = vmafd.client('localhost')
        domain_name = vmafd_client.GetDomainName()

        dc_name = vmafd_client.GetAffinitizedDC(domain_name, force_refresh)
        if vmafd_client.GetPNID() == dc_name:
            url = (
                'http://localhost:7080/idm/tenant/%s/certificates?scope=TENANT'
                % domain_name)
        else:
            url = (
                'https://%s/idm/tenant/%s/certificates?scope=TENANT'
                % (dc_name,domain_name))
        return json.loads(urllib2.urlopen(url).read().decode('utf-8'))

    def check_cert(self,certificate):
        cert = parseCert(certificate)
        certdetail = cert.combined

            #  Attempt to identify what type of certificate it is
        if cert.authkey:
            cert_type = "leaf"
        else:
            cert_type = "root"
        
        #  Try to only process a cert once
        if cert.thumbprint not in self.processed:
            # Date conversion
            self.processed.append(cert.thumbprint)
            exp = cert.validuntil.split()[0]
            conv_exp = datetime.strptime(exp, '%Y-%m-%d')
            exp = datetime.strftime(conv_exp, '%d-%m-%Y')
            now = datetime.strptime(today, '%d-%m-%Y')
            exp_date = datetime.strptime(exp, '%d-%m-%Y')
            
            # Get number of days until it expires
            diff = exp_date - now
            certdetail['daysUntil'] = diff.days

            # Sort expired certs into leafs and roots, put the rest in goodcerts.
            if exp_date <= now:
                self.results['expired'][cert_type].append(certdetail)
            else:
                self.results['valid'][cert_type].append(certdetail)
    
    def execute(self):

        json = self.get_certs(force_refresh=False)
        for item in json:
            for certificate in item['certificates']:
                self.check_cert(certificate['encoded'])
        return self.results

def main():

    warning = False
    warningmsg = '''
    WARNING! 
    You have expired STS certificates.  Please follow the KB corresponding to your OS:
    VCSA:  %s
    Windows:  %s
    ''' % (vcsa_kblink, win_kblink)
    parse_sts = parseSts()
    results = parse_sts.execute()
    valid_count = len(results['valid']['leaf']) + len(results['valid']['root'])
    expired_count = len(results['expired']['leaf']) + len(results['expired']['root'])
          
    
    #### Display Valid ####
    print("\n%s VALID CERTS\n================" % valid_count)
    print("\n\tLEAF CERTS:\n")
    if len(results['valid']['leaf']) > 0:
        for cert in results['valid']['leaf']:
            print("\t[] Certificate %s will expire in %s days (%s years)." % (cert['Thumbprint'], cert['daysUntil'], round(cert['daysUntil']/365)))
    else:
        print("\tNone")
    print("\n\tROOT CERTS:\n")
    if len(results['valid']['root']) > 0:
        for cert in results['valid']['root']:
            print("\t[] Certificate %s will expire in %s days (%s years)." % (cert['Thumbprint'], cert['daysUntil'], round(cert['daysUntil']/365)))
    else:
        print("\tNone")


    #### Display expired ####
    print("\n%s EXPIRED CERTS\n================" % expired_count)
    print("\n\tLEAF CERTS:\n")
    if len(results['expired']['leaf']) > 0:
        for cert in results['expired']['leaf']:
            print("\t[] Certificate: %s expired on %s!" % (cert.get('Thumbprint'),cert.get('Valid Until')))
            continue
    else:
        print("\tNone")

    print("\n\tROOT CERTS:\n")
    if len(results['expired']['root']) > 0:
        for cert in results['expired']['root']:
            print("\t[] Certificate: %s expired on %s!" % (cert.get('Thumbprint'),cert.get('Valid Until')))
            continue
    else:
        print("\tNone")

    if expired_count > 0:
        print(warningmsg)


if __name__ == '__main__':
    exit(main())

         

运行完可以查看sts证书是否过期,过期时间

附加权限chmod +x fixsts.sh

运行更新文件  ./fixsts.sh,完成后可以登录vc查看证书是否已经更新。

junior1206
关注
  • 3
    点赞
  • 1
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
VMWARE vcenter服务无法启动
w998179的专栏
03-26 1万+
[02896 error 'win32vpxLdap_win32'] [LDAP Client] Failed to add LDAP entry cn=417f2dfe-2284-46e4-b93c-5f308efad9c7解决方法:https://kb.vmware.com/s/article/21017991. 在 vCenter Server 上,导航到开始&gt;管理工具&gt;ADSI...
VMware vCenter Server 证书过期解决
万物皆可学
07-25 1万+
6.从这个官方页面下载fixsts.sh,懒的话可以直接在/tmp下新建个fixsts.sh脚本文件,将下面的代码复制进去:https://kb.vmware.com/s/article/76719。1.官网下载证书检测文件checksts.py:https://kb.vmware.com/s/article/79248?lang=en_us。3.将checksts.py文件上传到/tmp目录下(懒的话可以直接在/tmp将下面新建个checksts.py文件,将下面代粘贴进去)执行以下命令替换证书配置。
vCenter 证书过期无法登录处理方法
最新发布
weixin_44048054的博客
07-15 447
由于一个或多个 vCenter Server 系统的凭据无效,登录失败: https://xx.xx.xx.xx:xx/sdk”登录vCenter控制台,Alt+F3切换至命令行模式,使用root登录,更改系统时间为过期前时间。更改时间完毕后再刷新VMware vCenter Serverr登录页面后恢复正常,登录系统。然后再次重新登录VMware vCenter Serverr页面,至此处理完毕。续订完毕后再次登录到ssh页面,修改回当前时间,如下。注意:更改时间前建议先做快照,避免风险。
VMware vCenter Server证书过期解决方法
qq_43490217的博客
05-13 3118
Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :这个值和vCenter Server的主机名一致或者填IP。从结果可知STS未过期。如果STS过期,则执行修复脚本fixsts.sh(https://kb.vmware.com/s/article/76719)。运行脚本./fixsts.sh,会提示输入账户的密码。
VCSA 上的 vmware-vpxd 服务失败,Web端提示503 服务不可用 (503 Service Unavailable)
徐华的博客
01-15 1万+
昨晚VCSA碰到一个很诡异的问题: 使用 vSphere Web Client 连接到 vCenter Server Appliance时失败,提示: 503 服务不可用 (503 Service Unavailable) 无法连接端点 (Failed to connect to endpoint):[N7Vmacore4Http20NamedPipeServiceSpecE:0x00007f975808ee30] _serverNamespace = / action = Allow _pipeNam
一种VMware vCenter证书过期的续期方法
forestqq的博客
12-29 6058
VMware vCenter证书过期,会导致服务器无法正常登录。官网上的指导方法是使用checksts.py检查,使用fixsts.sh进行修复,还可以用/usr/lib/vmware-vmca/bin/certificate-manager证书管理工具来重置所有证书。本文探讨用另一种非命令行的方法来进行续期。
VMware vSphere vCenter 6.5 证书过期无法登录 提示503 Service Unavailable
土牛兄弟的博客
11-14 5473
VMware vSphere vCenter 6.5 证书过期无法登录 提示 503 Service Unavailable 通过VMware\vCenter Server\vmcad\certificate-manager 证书重置解决问题
VC密码正确无法登陆。证书过期。处理。
mgaofeid的博客
09-04 3606
错误提示: 503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x00007fecb000b770] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe) 进入ssh界面 检查chip空间十分正常: root@record [ ~ ]# df -h File
VMware ESXI和vcent部署以及K8S下证书续期的问题
wana19881025的博客
12-15 2337
VMware ESXI6.7部署和加入Vcent进行管理教程,如下网址: https://blog.csdn.net/xujiamin0022016/article/details/103303311/ K8S集群证书续期操作如下: 1、查询是否过期 openssl x509 -in apiserver.crt -noout -text |grep ’ Not ’ 2、查看证书 是否过期 kubeadm alpha certs check-expiration 3、备份 pki cd /etc/k
Vmware vcenter 6.5 证书错误和“由于一个或多个vcenter server系统的凭据无效,登录失败:https://vcsa-ipaddress/sdk“解决办法
weixin_43004238的博客
08-24 7679
vcenter6.5证书过期解决办法,vcenter server系统的凭据无效解决办法
vmware vsphere 6 enterprise plus License key
07-07
产品: VMware vSphere 6 Enterprise Plus : 1 个物理 CPU 已获许可 (每个 CPU 的内核个数不受限制) 许可证密钥: 过期: 从未 产品功能: 不受限制的虚拟 SMP 远程控制台连接的 H.264 VMware 主机的 vCenter 代理...
VMWare中Centos7部署K8S集群
qq_38634504的博客
06-12 2443
这里可能下载不下来,可以在谷歌上面找资源,或者试下浏览器打开这个网站,复制放到新文件,修改文件名为 calico.yaml。这里可能会出现 40s pass或者部署异常,这个和容器的配置有关,看一参考这个。reboot后登录,ping百度、qq等网站,成功则说明配置成功。可能访问不了,得通过特殊工具访问,网上一大堆模板,可以找找。不要用谷歌和IE之类的,要用火狐,这个坑踩了好久。,选择完整克隆,随后修改名称,完成即可;
m1使用VMware安装CentOS7并部署k8s高可用集群
m0_66403673的博客
11-11 1911
在M1电脑上安装CentOS7并配置其网络,安装docker,并利用kubeadm部署k8s集群
WMware workstation搭建Server 2003双节点集群Cluster(实战篇)
Jian Sun_的博客
05-08 98
7) 如果您使用的是64位版本的Windows Server 2003的系统,需要注意的是,所有共享磁盘必须配置为主引导记录(MBR),也就是建立主分区。如果您需要将运行在群集服务上的应用程序服务(该服务器即为虚拟服务器)以域名的形式对内或对外发布,您可能需要在域控制器的DNS管理器中添加群集名的 A记录 ,这里是为集群的VIP添加一个A记录。g. 以上是对仲裁磁盘进行操作,按照同样的方法,对共享数据磁盘进行操作。(5) 附加共享磁盘 , 通过前面的操作,我们已经成功的创建了群集所需要的共享磁盘。
vmware资源管理-2
surijing的博客
04-13 1412
task manager 要监视来宾操作系统中的性能,请使用您熟悉的工具,如Windows任务管理器。 Windows任务管理器帮助您度量来宾操作系统中的CPU和内存使用。您在来宾操作系统中使用工具进行的度量反映了来宾操作系统的资源使用情况,而不一定反映了虚拟机本身(VMware)的资源使用情况 VMware Tools中的Perfmon DLL提供了虚拟机处理器和内存对象来访问虚拟机中的主机统...
vsphere 7.x证书过期更新
coco3848的博客
01-15 3094
需要注意的是,在vSphere Web页面中更新的证书仅仅是Machine的证书,vCenter需要使用的其他证书并没有更新。执行证书管理命令,选择选项6,更新Solution User Certificates。
VMware vCenter证书过期解决方法
热门推荐
autoset的博客
12-09 2万+
vCenter内含各种证书,部分证书过期会导致登录webclient时,出现“获取身份认证程序时出错”(https://ip/ui),“no healthy upstream”(https://ip)的提示,导致无法登陆,错误代码500、400。注意:您可能会收到错误消息: -bash: ./clean_backup_stores.sh: /bin/bash^M: bad interpreter: No such file or directory。STS 证书过期时不会触发证书到期警报。
Vcenter证书过期--Vcenter无法登录,密码错误,签名无效,503(方法2)
Q先生
04-04 5837
和https://blog.csdn.net/qq_29974229/article/details/127439493有一点区别.主要是管理页面也是503报错。
vmware 证书过期
09-05
您好!对于 VMware 证书过期的问题,您可以尝试以下几个步骤来解决: 1. 确认证书过期:首先,请确保您的 VMware 证书确实已过期。您可以在 VMware 控制台的证书管理部分查看证书的过期日期。 2. 更新证书:如果您的证书已过期,您可以尝试更新证书。请联系 VMware 支持团队或相关的认证机构,了解如何更新证书。他们将指导您完成证书申请和更新的流程。 3. 检查系统时间和日期:请确保您的系统时间和日期设置正确。如果您的系统时间不准确,可能会导致证书验证失败或误判为过期。 4. 更新 VMware 版本:在某些情况下,旧版本的 VMware 可能无法处理最新的证书。尝试更新到最新的 VMware 版本,以确保能够正确处理证书。 5. 检查网络连接:有时,网络连接问题也可能导致证书验证失败。请确保您的网络连接稳定,并且没有任何防火墙或代理服务器阻止了与 VMware 服务器的通信。 如果您尝试了上述步骤仍然无法解决问题,我建议您咨询 VMware 官方支持团队,他们将能够提供更具体的帮助和指导。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值