Vcenter证书过期解决方案

已于 2024-06-22 16:29:40 修改
阅读量780 收藏 8
点赞数 10
文章标签: 运维
于 2024-06-22 16:27:17 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/m0_50207724/article/details/139884351
版权

情况描述:登录Vcenter时输入正确密码提示:请输入用户名和密码。输入错误密码提示密码错误。

原因: STS 证书已过期

1.使用root账户通过ssh登录,输入shell切换到命令行

2.可通过https://kb.vmware.com/s/article/79248?lang=en_us下载checksts.py。

或在/tmp目录下vi checksts.py,存入以下内容(推荐):

#!/opt/vmware/bin/python


"""
Copyright 2020-2022 VMware, Inc.  All rights reserved. -- VMware Confidential
Author:  Keenan Matheny (keenanm@vmware.com)

"""
##### BEGIN IMPORTS #####

import os
import sys
import json
import subprocess
import re
import pprint
import ssl
from datetime import datetime, timedelta
import textwrap
from codecs import encode, decode
import subprocess
from time import sleep
try:
    # Python 3 hack.
    import urllib.request as urllib2
    import urllib.parse as urlparse
except ImportError:
    import urllib2
    import urlparse

sys.path.append(os.environ['VMWARE_PYTHON_PATH'])
from cis.defaults import def_by_os
sys.path.append(os.path.join(os.environ['VMWARE_CIS_HOME'],
                def_by_os('vmware-vmafd/lib64', 'vmafdd')))
import vmafd
from OpenSSL.crypto import (load_certificate, dump_privatekey, dump_certificate, X509, X509Name, PKey)
from OpenSSL.crypto import (TYPE_DSA, TYPE_RSA, FILETYPE_PEM, FILETYPE_ASN1 )

today = datetime.now()
today = today.strftime("%d-%m-%Y")

vcsa_kblink = "https://kb.vmware.com/s/article/76719"
win_kblink = "https://kb.vmware.com/s/article/79263"

##### END IMPORTS #####

class parseCert( object ):
    # Certificate parsing

    def format_subject_issuer(self, x509name): 
        items = []
        for item in x509name.get_components():
            items.append('%s=%s' %  (decode(item[0],'utf-8'), decode(item[1],'utf-8')))
        return ", ".join(items)

    def format_asn1_date(self, d):
        return datetime.strptime(decode(d,'utf-8'), '%Y%m%d%H%M%SZ').strftime("%Y-%m-%d %H:%M:%S GMT")

    def merge_cert(self, extensions, certificate):
        z = certificate.copy()
        z.update(extensions)
        return z

    def __init__(self, certdata):

        built_cert = certdata
        self.x509 = load_certificate(FILETYPE_PEM, built_cert)
        keytype = self.x509.get_pubkey().type()
        keytype_list = {TYPE_RSA:'rsaEncryption', TYPE_DSA:'dsaEncryption', 408:'id-ecPublicKey'}
        extension_list = ["extendedKeyUsage",
                        "keyUsage",
                        "subjectAltName",
                        "subjectKeyIdentifier",
                        "authorityKeyIdentifier"]
        key_type_str = keytype_list[keytype] if keytype in keytype_list else 'other'

        certificate = {}
        extension = {}
        for i in range(self.x509.get_extension_count()):
            critical = 'critical' if self.x509.get_extension(i).get_critical() else ''

            if decode(self.x509.get_extension(i).get_short_name(),'utf-8') in extension_list:
                extension[decode(self.x509.get_extension(i).get_short_name(),'utf-8')] = self.x509.get_extension(i).__str__()

        certificate = {'Thumbprint': decode(self.x509.digest('sha1'),'utf-8'), 'Version': self.x509.get_version(),
         'SignatureAlg' : decode(self.x509.get_signature_algorithm(),'utf-8'), 'Issuer' :self.format_subject_issuer(self.x509.get_issuer()), 
         'Valid From' : self.format_asn1_date(self.x509.get_notBefore()), 'Valid Until' : self.format_asn1_date(self.x509.get_notAfter()),
         'Subject' : self.format_subject_issuer(self.x509.get_subject())}
        
        combined = self.merge_cert(extension,certificate)
        cert_output = json.dumps(combined)

        self.subjectAltName = combined.get('subjectAltName')
        self.subject = combined.get('Subject')
        self.validfrom = combined.get('Valid From')
        self.validuntil = combined.get('Valid Until')
        self.thumbprint = combined.get('Thumbprint')
        self.subjectkey = combined.get('subjectKeyIdentifier')
        self.authkey = combined.get('authorityKeyIdentifier')
        self.combined = combined

class parseSts( object ):

    def __init__(self):
        self.processed = []
        self.results = {}
        self.results['expired'] = {}
        self.results['expired']['root'] = []
        self.results['expired']['leaf'] = []
        self.results['valid'] = {}
        self.results['valid']['root'] = []
        self.results['valid']['leaf'] = []

    def get_certs(self,force_refresh):
        urllib2.getproxies = lambda: {}
        vmafd_client = vmafd.client('localhost')
        domain_name = vmafd_client.GetDomainName()

        dc_name = vmafd_client.GetAffinitizedDC(domain_name, force_refresh)
        if vmafd_client.GetPNID() == dc_name:
            url = (
                'http://localhost:7080/idm/tenant/%s/certificates?scope=TENANT'
                % domain_name)
        else:
            url = (
                'https://%s/idm/tenant/%s/certificates?scope=TENANT'
                % (dc_name,domain_name))
        return json.loads(urllib2.urlopen(url).read().decode('utf-8'))

    def check_cert(self,certificate):
        cert = parseCert(certificate)
        certdetail = cert.combined

            #  Attempt to identify what type of certificate it is
        if cert.authkey:
            cert_type = "leaf"
        else:
            cert_type = "root"
        
        #  Try to only process a cert once
        if cert.thumbprint not in self.processed:
            # Date conversion
            self.processed.append(cert.thumbprint)
            exp = cert.validuntil.split()[0]
            conv_exp = datetime.strptime(exp, '%Y-%m-%d')
            exp = datetime.strftime(conv_exp, '%d-%m-%Y')
            now = datetime.strptime(today, '%d-%m-%Y')
            exp_date = datetime.strptime(exp, '%d-%m-%Y')
            
            # Get number of days until it expires
            diff = exp_date - now
            certdetail['daysUntil'] = diff.days

            # Sort expired certs into leafs and roots, put the rest in goodcerts.
            if exp_date <= now:
                self.results['expired'][cert_type].append(certdetail)
            else:
                self.results['valid'][cert_type].append(certdetail)
    
    def execute(self):

        json = self.get_certs(force_refresh=False)
        for item in json:
            for certificate in item['certificates']:
                self.check_cert(certificate['encoded'])
        return self.results

def main():

    warning = False
    warningmsg = '''
    WARNING! 
    You have expired STS certificates.  Please follow the KB corresponding to your OS:
    VCSA:  %s
    Windows:  %s
    ''' % (vcsa_kblink, win_kblink)
    parse_sts = parseSts()
    results = parse_sts.execute()
    valid_count = len(results['valid']['leaf']) + len(results['valid']['root'])
    expired_count = len(results['expired']['leaf']) + len(results['expired']['root'])
          
    
    #### Display Valid ####
    print("\n%s VALID CERTS\n================" % valid_count)
    print("\n\tLEAF CERTS:\n")
    if len(results['valid']['leaf']) > 0:
        for cert in results['valid']['leaf']:
            print("\t[] Certificate %s will expire in %s days (%s years)." % (cert['Thumbprint'], cert['daysUntil'], round(cert['daysUntil']/365)))
    else:
        print("\tNone")
    print("\n\tROOT CERTS:\n")
    if len(results['valid']['root']) > 0:
        for cert in results['valid']['root']:
            print("\t[] Certificate %s will expire in %s days (%s years)." % (cert['Thumbprint'], cert['daysUntil'], round(cert['daysUntil']/365)))
    else:
        print("\tNone")


    #### Display expired ####
    print("\n%s EXPIRED CERTS\n================" % expired_count)
    print("\n\tLEAF CERTS:\n")
    if len(results['expired']['leaf']) > 0:
        for cert in results['expired']['leaf']:
            print("\t[] Certificate: %s expired on %s!" % (cert.get('Thumbprint'),cert.get('Valid Until')))
            continue
    else:
        print("\tNone")

    print("\n\tROOT CERTS:\n")
    if len(results['expired']['root']) > 0:
        for cert in results['expired']['root']:
            print("\t[] Certificate: %s expired on %s!" % (cert.get('Thumbprint'),cert.get('Valid Until')))
            continue
    else:
        print("\tNone")

    if expired_count > 0:
        print(warningmsg)


if __name__ == '__main__':
    exit(main())

4.给checkstst.py执行权限

chmod +x checksts.py

5.执行检测文件checksts.py显示证书情况

./checksts.py


1 VALID CERTS
================

	LEAF CERTS:

	None

	ROOT CERTS:

	[] Certificate A9:46:71:B2:5E:42:7C:86:47:D7:6C:01:F9:1A:FA:8A:A5:D6:E3:01 will expire in 2890 days (7.0 years).

1 EXPIRED CERTS
================

	LEAF CERTS:

	[] Certificate: AC:4C:28:87:4A:9F:81:AF:89:B4:FC:85:AF:5D:FF:C2:10:F6:45:61 expired on 2024-05-26 15:52:15 GMT!

	ROOT CERTS:

	None

    WARNING! 
    You have expired STS certificates.  Please follow the KB corresponding to your OS:
    VCSA:  https://kb.vmware.com/s/article/76719
    Windows:  https://kb.vmware.com/s/article/79263
    
    
    
 可以看到STS证书过期了:
 WARNING! 
    You have expired STS certificates.  Please follow the KB corresponding to your OS:
    VCSA:  https://kb.vmware.com/s/article/76719
    Windows:  https://kb.vmware.com/s/article/79263

6.从官方https://kb.vmware.com/s/article/76719下载fixsts.sh

或在/tmp下新建个fixsts.sh脚本文件,将下面的代码复制进去:

#!/bin/bash
# Copyright (c) 2020-2021 VMware, Inc. All rights reserved.
# VMware Confidential
#
# Run this from the affected PSC/VC
#
# NOTE: This works on external and embedded PSCs
# This script will do the following
# 1: Regenerate STS certificate
#
# What is needed?
# 1: Offline snapshots of VCs/PSCs
# 2: SSO Admin Password

NODETYPE=$(cat /etc/vmware/deployment.node.type)
if [ "$NODETYPE" = "management" ]; then
    echo "Detected this node is a vCenter server with external PSC."
    echo "Please run this script from a vCenter with embedded PSC, or an external PSC"
    exit 1
fi

if [ "$NODETYPE" = "embedded" ]  &&  [ ! -f  /usr/lib/vmware-vmdir/sbin/vmdird ]; then
    echo "Detected this node is a vCenter gateway"
    echo "Please run this script from a vCenter with embedded PSC, or an external PSC"
    exit 1
fi

echo "NOTE: This works on external and embedded PSCs"
echo "This script will do the following"
echo "1: Regenerate STS certificate"
echo "What is needed?"
echo "1: Offline snapshots of VCs/PSCs"
echo "2: SSO Admin Password"
echo "IMPORTANT: This script should only be run on a single PSC per SSO domain"

mkdir -p /tmp/vmware-fixsts
SCRIPTPATH="/tmp/vmware-fixsts"
LOGFILE="$SCRIPTPATH/fix_sts_cert.log"

echo "==================================" | tee -a $LOGFILE
echo "Resetting STS certificate for $HOSTNAME started on $(date)" | tee -a $LOGFILE
echo ""| tee -a $LOGFILE
echo ""
DN=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmdir]' | grep dcAccountDN | awk '{$1=$2=$3="";print $0}'|tr -d '"'|sed -e 's/^[ \t]*//')
echo "Detected DN: $DN" | tee -a $LOGFILE
PNID=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep PNID | awk '{print $4}'|tr -d '"')
echo "Detected PNID: $PNID" | tee -a $LOGFILE
PSC=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep DCName | awk '{print $4}'|tr -d '"')
echo "Detected PSC: $PSC" | tee -a $LOGFILE
DOMAIN=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep DomainName | awk '{print $4}'|tr -d '"')
echo "Detected SSO domain name: $DOMAIN" | tee -a $LOGFILE
SITE=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep SiteName | awk '{print $4}'|tr -d '"')
MACHINEID=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost)
echo "Detected Machine ID: $MACHINEID" | tee -a $LOGFILE
IPADDRESS=$(ifconfig | grep eth0 -A1 | grep "inet addr" | awk -F ':' '{print $2}' | awk -F ' ' '{print $1}')
echo "Detected IP Address: $IPADDRESS" | tee -a $LOGFILE
DOMAINCN="dc=$(echo "$DOMAIN" | sed 's/\./,dc=/g')"
echo "Domain CN: $DOMAINCN"
ADMIN="cn=administrator,cn=users,$DOMAINCN"
USERNAME="administrator@${DOMAIN^^}"
ROOTCERTDATE=$(openssl x509  -in /var/lib/vmware/vmca/root.cer -text | grep "Not After" | awk -F ' ' '{print $7,$4,$5}')
TODAYSDATE=$(date +"%Y %b %d")

echo "#" > $SCRIPTPATH/certool.cfg
echo "# Template file for a CSR request" >> $SCRIPTPATH/certool.cfg
echo "#" >> certool.cfg
echo "# Country is needed and has to be 2 characters" >> $SCRIPTPATH/certool.cfg
echo "Country = DS" >> $SCRIPTPATH/certool.cfg
echo "Name = $PNID" >> $SCRIPTPATH/certool.cfg
echo "Organization = VMware" >> $SCRIPTPATH/certool.cfg
echo "OrgUnit = VMware" >> $SCRIPTPATH/certool.cfg
echo "State = VMware" >> $SCRIPTPATH/certool.cfg
echo "Locality = VMware" >> $SCRIPTPATH/certool.cfg
echo "IPAddress = $IPADDRESS" >> $SCRIPTPATH/certool.cfg
echo "Email = email@acme.com" >> $SCRIPTPATH/certool.cfg
echo "Hostname = $PNID" >> $SCRIPTPATH/certool.cfg

echo "==================================" | tee -a $LOGFILE
echo "==================================" | tee -a $LOGFILE
echo ""
echo "Detected Root's certificate expiration date: $ROOTCERTDATE" | tee -a $LOGFILE
echo "Detected today's date: $TODAYSDATE" | tee -a $LOGFILE

echo "==================================" | tee -a $LOGFILE

flag=0
if [[ $TODAYSDATE > $ROOTCERTDATE ]];
then
    echo "IMPORTANT: Root certificate is expired, so it will be replaced" | tee -a $LOGFILE
    flag=1
    mkdir /certs && cd /certs
    cp $SCRIPTPATH/certool.cfg /certs/vmca.cfg
    /usr/lib/vmware-vmca/bin/certool --genselfcacert --outprivkey /certs/vmcacert.key  --outcert /certs/vmcacert.crt --config /certs/vmca.cfg
    /usr/lib/vmware-vmca/bin/certool --rootca --cert /certs/vmcacert.crt --privkey /certs/vmcacert.key
fi

echo "#" > $SCRIPTPATH/certool.cfg
echo "# Template file for a CSR request" >> $SCRIPTPATH/certool.cfg
echo "#" >> $SCRIPTPATH/certool.cfg
echo "# Country is needed and has to be 2 characters" >> $SCRIPTPATH/certool.cfg
echo "Country = DS" >> $SCRIPTPATH/certool.cfg
echo "Name = STS" >> $SCRIPTPATH/certool.cfg
echo "Organization = VMware" >> $SCRIPTPATH/certool.cfg
echo "OrgUnit = VMware" >> $SCRIPTPATH/certool.cfg
echo "State = VMware" >> $SCRIPTPATH/certool.cfg
echo "Locality = VMware" >> $SCRIPTPATH/certool.cfg
echo "IPAddress = $IPADDRESS" >> $SCRIPTPATH/certool.cfg
echo "Email = email@acme.com" >> $SCRIPTPATH/certool.cfg
echo "Hostname = $PNID" >> $SCRIPTPATH/certool.cfg

echo ""
echo "Exporting and generating STS certificate" | tee -a $LOGFILE
echo ""

cd $SCRIPTPATH

/usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=sts.key --pubkey=sts.pub
/usr/lib/vmware-vmca/bin/certool --gencert --cert=sts.cer --privkey=sts.key --config=$SCRIPTPATH/certool.cfg

openssl x509 -outform der -in sts.cer -out sts.der
CERTS=$(csplit -f root /var/lib/vmware/vmca/root.cer '/-----BEGIN CERTIFICATE-----/' '{*}' | wc -l)
openssl pkcs8 -topk8 -inform pem -outform der -in sts.key -out sts.key.der -nocrypt
i=1
until [ $i -eq $CERTS ]
do
    openssl x509 -outform der -in root0$i -out vmca0$i.der
    ((i++))
done

echo ""
echo ""
read -s -p "Enter password for administrator@$DOMAIN: " DOMAINPASSWORD
echo ""

# Find the highest tenant credentials index
MAXCREDINDEX=1
while read -r line
do
    INDEX=$(echo "$line" | tr -dc '0-9')
    if [ $INDEX -gt $MAXCREDINDEX ]
    then
        MAXCREDINDEX=$INDEX
    fi
done < <(/opt/likewise/bin/ldapsearch -h localhost -p 389 -b "cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "(objectclass=vmwSTSTenantCredential)" cn | grep cn:)

# Sequentially search for tenant credentials up to max index  and delete if found
echo "Highest tenant credentials index : $MAXCREDINDEX" | tee -a $LOGFILE
i=1
if [ ! -z $MAXCREDINDEX ]
then
    until [ $i -gt $MAXCREDINDEX ]
    do
        echo "Exporting tenant $i to $SCRIPTPATH" | tee -a $LOGFILE
        echo ""
        ldapsearch -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" -b "cn=TenantCredential-$i,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" > $SCRIPTPATH/tenantcredential-$i.ldif
                if [ $? -eq 0 ]
                then
                    echo "Deleting tenant $i" | tee -a $LOGFILE
                        ldapdelete -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "cn=TenantCredential-$i,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" | tee -a $LOGFILE
                else
                    echo "Tenant $i not found" | tee -a $LOGFILE
                    echo ""
                fi
                ((i++))
                done
fi
echo ""

# Find the highest trusted cert chains index
MAXCERTCHAINSINDEX=1
while read -r line
do
    INDEX=$(echo "$line" | tr -dc '0-9')
    if [ $INDEX -gt $MAXCERTCHAINSINDEX ]
    then
        MAXCERTCHAINSINDEX=$INDEX
    fi
done < <(/opt/likewise/bin/ldapsearch -h localhost -p 389 -b "cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "(objectclass=vmwSTSTenantTrustedCertificateChain)" cn | grep cn:)

# Sequentially search for trusted cert chains up to max index  and delete if found
echo "Highest trusted cert chains index: $MAXCERTCHAINSINDEX" | tee -a $LOGFILE
i=1
if [ ! -z $MAXCERTCHAINSINDEX ]
then
    until [ $i -gt $MAXCERTCHAINSINDEX ]
    do
            echo "Exporting trustedcertchain $i to $SCRIPTPATH" | tee -a $LOGFILE
            echo ""
                ldapsearch -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" -b "cn=TrustedCertChain-$i,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" > $SCRIPTPATH/trustedcertchain-$i.ldif
            if [ $? -eq 0 ]
            then
                echo "Deleting trustedcertchain $i" | tee -a $LOGFILE
                ldapdelete -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "cn=TrustedCertChain-$i,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" | tee -a $LOGFILE
            else
                echo "Trusted cert chain $i not found" | tee -a $LOGFILE
            fi
            echo ""
                ((i++))
                done
fi
echo ""

i=1
echo "dn: cn=TenantCredential-1,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" > sso-sts.ldif
echo "changetype: add" >> sso-sts.ldif
echo "objectClass: vmwSTSTenantCredential" >> sso-sts.ldif
echo "objectClass: top" >> sso-sts.ldif
echo "cn: TenantCredential-1" >> sso-sts.ldif
echo "userCertificate:< file:sts.der" >> sso-sts.ldif
until [ $i -eq $CERTS ]
do
    echo "userCertificate:< file:vmca0$i.der" >> sso-sts.ldif
    ((i++))
done
echo "vmwSTSPrivateKey:< file:sts.key.der" >> sso-sts.ldif
echo "" >> sso-sts.ldif
echo "dn: cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" >> sso-sts.ldif
echo "changetype: add" >> sso-sts.ldif
echo "objectClass: vmwSTSTenantTrustedCertificateChain" >> sso-sts.ldif
echo "objectClass: top" >> sso-sts.ldif
echo "cn: TrustedCertChain-1" >> sso-sts.ldif
echo "userCertificate:< file:sts.der" >> sso-sts.ldif
i=1
until [ $i -eq $CERTS ]
do
    echo "userCertificate:< file:vmca0$i.der" >> sso-sts.ldif
    ((i++))
done
echo ""
echo "Applying newly generated STS certificate to SSO domain" | tee -a $LOGFILE

/opt/likewise/bin/ldapmodify -x -h localhost -p 389 -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" -f sso-sts.ldif | tee -a $LOGFILE
echo ""
echo "Replacement finished - Please restart services on all vCenters and PSCs in your SSO domain" | tee -a $LOGFILE
echo "==================================" | tee -a $LOGFILE
echo "IMPORTANT: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure" | tee -a $LOGFILE
echo "==================================" | tee -a $LOGFILE
echo "==================================" | tee -a $LOGFILE
if [ $flag == 1 ]
then
    echo "Since your Root certificate was expired and was replaced, you will need to replace your MachineSSL and Solution User certificates" | tee -a $LOGFILE
    echo "You can do so following this KB: https://kb.vmware.com/s/article/2097936" | tee -a $LOGFILE
fi

7.给fixsts.sh执行权限

chmod +x fixsts.sh

8.运行脚本./fixsts.sh

按要求输入密码

9.重启服务

service-control --stop --all && service-control --start --all

结果最后一行:
Service-control failed. Error Failed to start vmon services.vmon-cli RC=1, stderr=Failed to start sca, vpxd-svcs, cm, vapi-endpoint services. Error: Operation timed out

会发现有的服务无法启动,没有启动起来的服务直接无视,因为证书还没替换

重新分配证书

执行以下命令替换证书配置

/usr/lib/vmware-vmca/bin/certificate-manager

输入“8”,按要求输入信息,可回车直接跳过按默认值设置,如下为参考(本示例vcenter地址为192.168.167.170):

root@photon-machine [ /tmp ]# /usr/lib/vmware-vmca/bin/certificate-manager
		 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
		|                                                                     |
		|      *** Welcome to the vSphere 6.5 Certificate Manager  ***        |
		|                                                                     |
		|                   -- Select Operation --                            |
		|                                                                     |
		|      1. Replace Machine SSL certificate with Custom Certificate     |
		|                                                                     |
		|      2. Replace VMCA Root certificate with Custom Signing           |
		|         Certificate and replace all Certificates                    |
		|                                                                     |
		|      3. Replace Machine SSL certificate with VMCA Certificate       |
		|                                                                     |
		|      4. Regenerate a new VMCA Root Certificate and                  |
		|         replace all certificates                                    |
		|                                                                     |
		|      5. Replace Solution user certificates with                     |
		|         Custom Certificate                                          |
		|                                                                     |
		|      6. Replace Solution user certificates with VMCA certificates   |
		|                                                                     |
		|      7. Revert last performed operation by re-publishing old        |
		|         certificates                                                |
		|                                                                     |
		|      8. Reset all Certificates                                      |
		|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y

Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@vsphere.local
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : y

Press Enter key to skip optional parameters or use Previous value.

Enter proper value for 'Country' [Previous value : US] : 

Enter proper value for 'Name' [Previous value : CA] : 

Enter proper value for 'Organization' [Previous value : VMware] : 

Enter proper value for 'OrgUnit' [Previous value : VMware Engineering] : 

Enter proper value for 'State' [Previous value : California] : 

Enter proper value for 'Locality' [Previous value : Palo Alto] : 

Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 192.168.167.170

Enter proper value for 'Email' [Previous value : email@acme.com] : 

Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : 192.168.167.170

Enter proper value for VMCA 'Name' :192.168.167.170
Continue operation : Option[Y/N] ? : y

You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site nameCompleted [Reset Machine SSL Cert...]                  
site
Lookup all services
Get service site:911fc2f1-392c-4f1b-84d2-49f91c3046f2
Don't update service site:911fc2f1-392c-4f1b-84d2-49f91c3046f2
Get service site:aea34480-46ce-41cf-a7e2-1d15bdcc0ab1
Don't update service site:aea34480-46ce-41cf-a7e2-1d15bdcc0ab1
Get service site:8938d34a-c15d-40cc-850d-c9304e68dae4
Don't update service site:8938d34a-c15d-40cc-850d-c9304e68dae4
Get service a79a41ce-5342-4493-929e-811383bff203
Don't update service a79a41ce-5342-4493-929e-811383bff203
Get service 5fbf2d4b-b430-470c-9851-702610484343
Don't update service 5fbf2d4b-b430-470c-9851-702610484343
Get service de3ebc64-8ae4-4235-b1d6-de65883b7096
Don't update service de3ebc64-8ae4-4235-b1d6-de65883b7096
Get service 57ad9946-2957-4555-8bfb-10c65ce68c6c_authz
Don't update service 57ad9946-2957-4555-8bfb-10c65ce68c6c_authz
Get service 1d4b42a2-d90a-474e-a689-8cca9495c27b
Don't update service 1d4b42a2-d90a-474e-a689-8cca9495c27b
Get service 57ad9946-2957-4555-8bfb-10c65ce68c6c
Don't update service 57ad9946-2957-4555-8bfb-10c65ce68c6c
Get service 587f612e-a714-484e-aca1-0d2de3ad1e29
Don't update service 587f612e-a714-484e-aca1-0d2de3ad1e29
Get service e48d9ffe-2fe1-4559-9222-2269c2d4f0b6
Don't update service e48d9ffe-2fe1-4559-9222-2269c2d4f0b6
Get service 01940b7b-f22c-4333-8035-955bbbb91603
Don't update service 01940b7b-f22c-4333-8035-955bbbb91603
Get service b54d7f46-73d2-481d-91dc-da8d8e993ef3
Don't update service b54d7f46-73d2-481d-91dc-da8d8e993ef3
Get service 85e3c0eb-d952-43d9-a08d-ab161bf6d101
Don't update service 85e3c0eb-d952-43d9-a08d-ab161bf6d101
Get service e1a6c0f8-8a91-4d82-ab6e-79287d2b1ed2
Don't update service e1a6c0f8-8a91-4d82-ab6e-79287d2b1ed2
Get service be7818e6-911d-4063-b88e-73b5915c0df0
Don't update service be7818e6-911d-4063-b88e-73b5915c0df0
Get service 3078f34e-3759-4320-b472-877453ce1b18
Don't update service 3078f34e-3759-4320-b472-877453ce1b18
Get service ea0d05e1-02a8-4a2c-9fed-184d750198f4
Don't update service ea0d05e1-02a8-4a2c-9fed-184d750198f4
Get service 755cb09e-57c7-4d35-bed1-6f8765249f69
Don't update service 755cb09e-57c7-4d35-bed1-6f8765249f69
Get service 217e3e49-6173-454d-9561-3f425c5acddd
Don't update service 217e3e49-6173-454d-9561-3f425c5acddd
Get service c7a2c7d1-8aa6-4a35-a653-a78413d754a3
Don't update service c7a2c7d1-8aa6-4a35-a653-a78413d754a3
Get service fb3064d8-e453-48da-9b7e-429a3bedf7a8
Don't update service fb3064d8-e453-48da-9b7e-429a3bedf7a8
Get service ced86945-2a57-4d42-b9dc-20f483ebf7e9
Don't update service ced86945-2a57-4d42-b9dc-20f483ebf7e9
Get service e5dd7481-e3fb-4844-bd0e-d2b365797b62
Don't update service e5dd7481-e3fb-4844-bd0e-d2b365797b62
Get service ea152519-4fde-42d6-b801-bcf0e5f6c8f0
Don't update service ea152519-4fde-42d6-b801-bcf0e5f6c8f0
Get service 674b549c-6ea0-403e-ad7e-762f9f1f9888
Don't update service 674b549c-6ea0-403e-ad7e-762f9f1f9888
Get service 3208647b-438b-4874-b96c-ad4258f7e934
Don't update service 3208647b-438b-4874-b96c-ad4258f7e934
Get service 13062b8f-2507-4e96-82fb-300c86336567
Don't update service 13062b8f-2507-4e96-82fb-300c86336567
Get service 57ad9946-2957-4555-8bfb-10c65ce68c6c_kv
Don't update service 57ad9946-2957-4555-8bfb-10c65ce68c6c_kv
Get service 0f9becdc-a140-44af-9fa7-4e82733eceb0
Don't update service 0f9becdc-a140-44af-9fa7-4e82733eceb0
Updated 0 service(s)
Status : 60% Completed [Reset vpxd-extension Cert...]                     
2024-06-22T12:21:37.568Z   Updating certificate for "com.vmware.vim.eam" extension


2024-06-22T12:21:37.717Z   Updating certificate for "com.vmware.rbd" extension

Reset status : 100% Completed [Reset completed successfully]

过会即可正常访问

书记
关注
vCenter证书过期处理脚本,可以使用脚本续订成十年证书,清理过期证书以及数据加密证书的续订脚本
06-13
vCenter证书过期处理脚本,可以使用脚本续订成十年证书,清理过期证书以及数据加密证书的续订脚本
VMware vCenter Server证书过期解决方法
qq_43490217的博客
05-13 3497
Enter proper value for 'Hostname' [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :这个值和vCenter Server的主机名一致或者填IP。从结果可知STS未过期。如果STS过期,则执行修复脚本fixsts.sh(https://kb.vmware.com/s/article/76719)。运行脚本./fixsts.sh,会提示输入账户的密码。
vcenter升级过期证书
weixin_46092268的博客
07-22 2638
vcenter升级各种过期证书
vCenter 7.3证书过期无法登录处理方法
weixin_44654338的博客
05-08 2190
由于一个或多个 vCenter Server 系统的凭据无效,登录失败: https://xx.xx.xx.xx:xx/sdk”登录vCenter控制台,Alt+F3切换至命令行模式,使用root登录,更改系统时间为过期前时间。更改时间完毕后再刷新VMware vCenter Serverr登录页面后恢复正常,登录系统。已经过期证书恢复时可能会有报错,还是建议用命令修改系统时间至过期前,切记一定要。续订完毕后再次登录到ssh页面,修改回当前时间,如下。注意:更改时间前建议先做快照,避免风险。
登录vCenter 7.0,无法登录显示页面“no healthy upstream”
weixin_52200604的博客
03-15 3252
no healthy upstream vCenter 7.0
vCenter证书过期问题
RedJones的博客
11-24 9353
证书相关问题和更新注意事项~~解决证书状态告警问题
当vCenter证书过期、Root密码过期、Root密码遗忘同时发生时的解决方法与步骤
OCTSJimmy的专栏
10-26 3517
vCenter,强制修改root密码,修改SSO User密码,修复证书过期问题
vCenter 证书过期无法登录处理方法
weixin_44048054的博客
07-15 825
由于一个或多个 vCenter Server 系统的凭据无效,登录失败: https://xx.xx.xx.xx:xx/sdk”登录vCenter控制台,Alt+F3切换至命令行模式,使用root登录,更改系统时间为过期前时间。更改时间完毕后再刷新VMware vCenter Serverr登录页面后恢复正常,登录系统。然后再次重新登录VMware vCenter Serverr页面,至此处理完毕。续订完毕后再次登录到ssh页面,修改回当前时间,如下。注意:更改时间前建议先做快照,避免风险。
VCENTER 证书过期
fuxiaoland的博客
02-14 6089
VCENTER 证书过期
vmware证书过期问题处理相关脚本
12-29
在IT行业中,虚拟化技术是不可或缺的一部分,而VMware作为其中的佼佼者,提供了强大的虚拟化解决方案。然而,随着系统的运行,有时会出现一些技术问题,例如证书过期。这可能导致安全警告,甚至影响到虚拟机的正常...
使用Vcenter appliance自带证书系统更新证书
01-08
因为vcenter安装后会自动颁发一张默认证书,如果你更改了主机名等信息,则证书中的信息和现在的信息不符,会造成即使安装了证书,但是仍然提示未信任该证书的提示,可以使用Vcenter appliance自带证书系统更新证书
vCenterServer6.0许可证生成器
02-04
【vCenter Server 6.0 许可证生成器】是一种工具,用于创建vCenter Server 6.0的许可证密钥。...如果预算有限,可以咨询VMware或其合作伙伴关于折扣、优惠方案或者试用版本的信息,以找到符合需求且合规的解决方案
从 VMware vCenter Server 5.5 中过期的 SSL 证书进行恢复
weixin_33913377的博客
01-01 2414
由于 VMware 不会为 vCenter Server、vSphere Web Client 和 Log Browser 服务使用 VMware SSL 证书自动化工具,在继续操作之前,您需要手动为这些服务创建 rui.pfx 文件。1.以管理员身份打开提升的命令提示符。 2.将目录更改为 OpenSSL 二进制文件的位置。 VMware 使用安装到 Inventory ...
【vSphere 7/8】深入浅出 vSphere 证书 Ⅰ—— 初识和了解 vSphere证书
最新发布
VMware, Windows, Linux, Cisco, Container, Kubernetes, Kali
08-16 237
本系列博文会深入浅出的引导读者认识,了解,理解 vSphere 环境中的证书。 本篇博文主要引导大家初识 vSphere 证书,描述如何快速查看 vSphere 证书
vcenter 6.5证书续订
网络管理员
12-15 9919
前几天公司vsphere提示报警证书状态error,查了下vmware官方KB,发现是因为证书即将过期提示报警导致。官方图如下:vsphere报警图 准备开始升级venter证书 1.根据官方KB 输入administrator@vsphere.local 及密码 进入证书管理 发现所有证书即将全部过期,所以vcenter正常告警提示证书状态error,此时在这个界面虽然有续订按钮,但是点了会报错无法进行续订,需要进入另外一个web管理界面进行续订。 2.根据KB 输入 https://vcsa地址/p
一种VMware vCenter证书过期的续期方法
forestqq的博客
12-29 6552
VMware vCenter证书过期,会导致服务器无法正常登录。官网上的指导方法是使用checksts.py检查,使用fixsts.sh进行修复,还可以用/usr/lib/vmware-vmca/bin/certificate-manager证书管理工具来重置所有证书。本文探讨用另一种非命令行的方法来进行续期。
检查 vCenter Server 上 STS 证书过期日期 (79248)
sgj584520的专栏
08-19 6057
检查 vCenter Server 上 STS 证书过期日期 (79248) 注意: STS 证书过期时不会触发证书到期警报。 如果证书设置为 6 个月内过期,VMware 建议替换该证书。如果过期日期在六个月之后,请安排在适当的时间替换证书。 如果 STS 证书即将过期或已过期,请参见: "Signing certificate is not valid" error in VCSA 6.5.x/6.7.x and vCenter Server 7.0.x (76719) "Signi
Vcenter证书过期处理----Vcenter无法登录,“根证书错误”,“签名证书无效”,“503 service not available”
weixin_57323573的博客
09-09 9255
Vcenter证书过期 无法登录 HTTP Status 400 – Bad Request Message BadRequest, Signing certificate is not valid 503 service not available..Failed to conncet to endpoint Cannot connect to vCenter Single Sign-On server https://VC_FQDN/sts/STSService/vsphere.local
VMware vCenter证书过期解决方法
05-09
当VMware vCenter证书过期时,可以通过以下步骤进行解决: 1. 在 vCenter Server Appliance 上运行以下命令以生成新的证书: /opt/vmware/bin/certool --restart vpxd --renew --cert /root/signedcert.crt --key /root/ssl.key --chain /root/chain.crt 2. 将新证书复制到所有 ESXi 主机上: scp /root/signedcert.crt root@<ESXi Host>:/etc/vmware/ssl/rui.crt scp /root/ssl.key root@<ESXi Host>:/etc/vmware/ssl/rui.key 3. 重新启动 vCenter Server 和所有 ESXi 主机上的服务: service-control --all
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值