VMware vCenter 6.7: login error caused by an expired SSL certificate
Problem: it is impossible to log in to the vCenter web interface.
This happens when the self-signed SSL certificate installed on vCenter during the initial setup has expired.
Unlike the certificates installed on the individual vSphere hosts (10-year validity in this environment), the one installed on vCenter 6.7 is valid for only two years.
In the screenshot below you can see that the two-year certificate expires on 21 October 2022.
Logging in remains possible only on the vCenter appliance management interface on port 5480, which uses a separate self-signed certificate with a 10-year validity:
Through the VMware support forum I found the information below, which lets you check the state of the certificates by connecting to the vCenter shell over SSH:
https://kb.vmware.com/s/article/82332
Using PuTTY, log in to the affected vCenter and run the following command from the shell:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"; done;
This lists the installed certificates with their expiry dates, and it is immediately clear that the two-year certificates have expired and are what blocks the login:
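Reading the "Not After" lines by eye is error-prone when there are a dozen stores, so here is an added example (my own script, not code from the original post or from VMware) that feeds the output of the loop above through a small parser and flags every entry as EXPIRED, EXPIRING or OK, with the number of days left. It also includes a function to fetch the certificate a client actually sees on port 443 (or 5480), which is useful to confirm the renewal afterwards. It assumes GNU date (which the vCenter Server Appliance ships); the sample VECS listing is constructed in the shape of the loop's grep output, and "now" is pinned to the timestamp that appears in the certificate-manager transcript so the sample run is reproducible.

```shell
#!/bin/sh
# Added example, not code from the original post or from VMware.
# Parses the output of the post's vecs-cli loop and flags expired or
# soon-to-expire entries. Assumes GNU date (present on the vCenter appliance).
set -u

VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # path used in the post

# vecs_report [warn_days] [now_epoch]  < text produced by the loop
# Emits one line per certificate:  <STATUS> <store> <alias> <not_after> <days_left>
# STATUS is EXPIRED, EXPIRING (expires within warn_days) or OK.
# now_epoch defaults to the current time; pass it explicitly for a reproducible run.
vecs_report() {
  warn_days="${1:-60}"; now="${2:-$(date +%s)}"
  store=""; entry=""
  while IFS= read -r line; do
    case "$line" in
      *"[*] Store :"*) store="${line##*: }" ;;
      Alias*)
        # "Alias :<tab>__MACHINE_CERT" -> "__MACHINE_CERT"
        entry=$(printf '%s' "${line#*:}" | tr -d '[:space:]') ;;
      *"Not After"*)
        not_after="${line#*: }"                   # "Oct 21 08:07:28 2022 GMT"
        if ! exp=$(date -u -d "$not_after" +%s 2>/dev/null); then
          printf 'UNPARSED %s %s %s\n' "$store" "$entry" "$not_after"; continue
        fi
        days=$(( (exp - now) / 86400 ))           # negative when already expired
        status=OK
        if [ "$exp" -le "$now" ]; then status=EXPIRED
        elif [ "$days" -le "$warn_days" ]; then status=EXPIRING; fi
        printf '%s %s %s %s %d\n' "$status" "$store" "$entry" "$not_after" "$days" ;;
    esac
  done
}

# vecs_scan [warn_days]: run the post's loop over every VECS store on the
# appliance itself and pipe the result through vecs_report.
vecs_scan() {
  [ -x "$VECS_CLI" ] || { echo "vecs-cli not found; run this on the vCenter appliance" >&2; return 2; }
  for store in $("$VECS_CLI" store list | grep -v TRUSTED_ROOT_CRLS); do
    echo "[*] Store : $store"
    "$VECS_CLI" entry list --store "$store" --text | grep -ie "Alias" -ie "Not After"
  done | vecs_report "${1:-60}"
}

# tls_not_after host [port]: show subject, issuer and validity of the certificate
# a client is served (443 = vSphere Client, 5480 = appliance management).
# Needs network access to the host; not exercised by the offline sample run.
tls_not_after() {
  host="$1"; port="${2:-443}"
  echo | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates
}

# Constructed sample in the shape of the loop's grep output (not real vCenter data).
SAMPLE_VECS_OUTPUT='[*] Store : MACHINE_SSL_CERT
Alias :  __MACHINE_CERT
            Not After : Oct 21 08:07:28 2022 GMT
[*] Store : vpxd
Alias :  vpxd
            Not After : Oct 21 08:07:30 2022 GMT
[*] Store : TRUSTED_ROOTS
Alias :  2a6b1c0d3e4f
            Not After : Oct 16 08:07:28 2030 GMT'

# "now" pinned to the timestamp in the certificate-manager transcript (2022-10-24T07:40:48Z).
SAMPLE_NOW=$(date -u -d "2022-10-24 07:40:48" +%s)

# vecs_demo: report on the sample; yields two EXPIRED lines and one OK line.
vecs_demo() { printf '%s\n' "$SAMPLE_VECS_OUTPUT" | vecs_report 60 "$SAMPLE_NOW"; }

if [ "${1:-}" = "--live" ]; then vecs_scan 60; else vecs_demo; fi
```

Run it with `--live` on the appliance to scan the real VECS stores; without arguments it only reports on the embedded sample. After the renewal, `tls_not_after vcenter.example.local 443` from a workstation shows whether the new certificate (and the new VMCA issuer) is actually what is being served.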
It is best to regenerate all of them, so that every certificate ends up with the same expiry date.
To renew them, launch the certificate manager from the shell with the following command:
/usr/lib/vmware-vmca/bin/certificate-manager
Among the options offered, I chose option 8 (Reset all Certificates).
Note that this option also regenerates the VMCA root certificate: take a snapshot of the appliance before running it, and expect to re-trust the new root in browsers and to reconnect ESXi hosts and re-register any products that were registered with vCenter afterwards. The STS signing certificate is not handled by certificate-manager; if that one has expired as well, the login fails for a different reason and needs a separate fix.
Here is the transcript of the operations performed after issuing the regeneration command:
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : n
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : n
Continue operation : Option[Y/N] ? : y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site name
Completed [Reset Machine SSL Cert...]
default-site
Lookup all services
Get service default-site:3e673188-f29f-40f7-999d-41b9aa328caa
Update service default-site:3e673188-f29f-40f7-999d-41b9aa328caa; spec: /tmp/svcspec_6li_u9zk
Get service default-site:5d8bb2df-e115-4d27-b5e1-5f5f599f69f4
Update service default-site:5d8bb2df-e115-4d27-b5e1-5f5f599f69f4; spec: /tmp/svcspec_cu85111z
Get service default-site:cc989dd6-55e3-4867-9e29-87b13d29ec76
Update service default-site:cc989dd6-55e3-4867-9e29-87b13d29ec76; spec: /tmp/svcspec_ryb8wdp5
Get service 6cd6b37d-06a2-4851-9222-fd0cf4a705bb
Update service 6cd6b37d-06a2-4851-9222-fd0cf4a705bb; spec: /tmp/svcspec_d2n9y1cw
Get service e7252158-94c1-417f-a06e-33e7b40ad584
Update service e7252158-94c1-417f-a06e-33e7b40ad584; spec: /tmp/svcspec_wr96gkk9
Get service 1056f42a-3131-4f6e-9cad-e177e8ecf9b1
Update service 1056f42a-3131-4f6e-9cad-e177e8ecf9b1; spec: /tmp/svcspec_p9suy6y4
Get service 8238eadd-2ae1-4c87-9780-7b496a650652
Update service 8238eadd-2ae1-4c87-9780-7b496a650652; spec: /tmp/svcspec_2jascd79
Get service b8cf5bdc-287a-4080-9244-d1d4e8e6a339
Update service b8cf5bdc-287a-4080-9244-d1d4e8e6a339; spec: /tmp/svcspec_1f6rmjpo
Get service d4dec4a0-1a6b-44da-8aa3-8b10946e0009
Update service d4dec4a0-1a6b-44da-8aa3-8b10946e0009; spec: /tmp/svcspec_cofnivpi
Get service 3b6a3918-f6f7-4fbf-98da-0917d28fecc4
Update service 3b6a3918-f6f7-4fbf-98da-0917d28fecc4; spec: /tmp/svcspec_xyvjhav7
Get service 6fdce531-b8b0-42b6-b67a-e792e4da39eb
Update service 6fdce531-b8b0-42b6-b67a-e792e4da39eb; spec: /tmp/svcspec_7l535blz
Get service d8d0483d-b652-4e7f-85f3-37dab13e384d
Update service d8d0483d-b652-4e7f-85f3-37dab13e384d; spec: /tmp/svcspec_2klrv6fw
Get service 98875c2c-9b8b-430e-a939-a84ab9960723
Update service 98875c2c-9b8b-430e-a939-a84ab9960723; spec: /tmp/svcspec_9wrl862x
Get service 5c55cb7e-a73c-46c9-a411-2c08a4aa6057
Update service 5c55cb7e-a73c-46c9-a411-2c08a4aa6057; spec: /tmp/svcspec_7blhz0w4
Get service f0126870-26b0-4529-9141-695dc4aca291
Update service f0126870-26b0-4529-9141-695dc4aca291; spec: /tmp/svcspec__lof5ly5
Get service f75f6b47-0b9f-45ea-bc46-e9ed032da284_kv
Update service f75f6b47-0b9f-45ea-bc46-e9ed032da284_kv; spec: /tmp/svcspec_6nhq0x1p
Get service 34f530df-7e89-43d8-9615-ab849ff1dd42
Update service 34f530df-7e89-43d8-9615-ab849ff1dd42; spec: /tmp/svcspec_7z324r41
Get service 95077896-5cbd-46e6-b984-7a2c3d528744
Update service 95077896-5cbd-46e6-b984-7a2c3d528744; spec: /tmp/svcspec_lgh3ru12
Get service 3c8b13b3-afba-494f-9714-ac16526cbd42
Update service 3c8b13b3-afba-494f-9714-ac16526cbd42; spec: /tmp/svcspec_d2g0kn_t
Get service db80fe7c-a3dd-404b-8969-2fb350a88a69
Update service db80fe7c-a3dd-404b-8969-2fb350a88a69; spec: /tmp/svcspec_z04n8tay
Get service d295ac4f-da57-4f91-b890-8d82ae99ab8d
Update service d295ac4f-da57-4f91-b890-8d82ae99ab8d; spec: /tmp/svcspec_dk7rp6j2
Get service c0d82091-aae3-41ef-b43e-c9da17a7d776
Update service c0d82091-aae3-41ef-b43e-c9da17a7d776; spec: /tmp/svcspec_12zk02zs
Get service 0e149229-c4c2-44c4-b857-46f2ceec53c6
Update service 0e149229-c4c2-44c4-b857-46f2ceec53c6; spec: /tmp/svcspec_p0ulinf_
Get service f75f6b47-0b9f-45ea-bc46-e9ed032da284_authz
Update service f75f6b47-0b9f-45ea-bc46-e9ed032da284_authz; spec: /tmp/svcspec_8hyo4pb4
Get service 2f91da0b-72ba-45fe-94dc-4c9f73a50a4d
Update service 2f91da0b-72ba-45fe-94dc-4c9f73a50a4d; spec: /tmp/svcspec_z1k2d08s
Get service f75f6b47-0b9f-45ea-bc46-e9ed032da284
Update service f75f6b47-0b9f-45ea-bc46-e9ed032da284; spec: /tmp/svcspec_5lgra6xm
Get service fa60c3e2-c60f-459c-9c2c-7bc53226fcb5
Update service fa60c3e2-c60f-459c-9c2c-7bc53226fcb5; spec: /tmp/svcspec_zp3fv_oc
Get service 8cf7c2b1-d092-4ad3-9cf7-25b20fdb8786
Update service 8cf7c2b1-d092-4ad3-9cf7-25b20fdb8786; spec: /tmp/svcspec_xv_3piff
Get service 7d1b1874-3446-4660-b238-65ee2e5ecd7e
Update service 7d1b1874-3446-4660-b238-65ee2e5ecd7e; spec: /tmp/svcspec_ktp7_nrs
Get service b8b420eb-de61-4235-9389-297e98ae959f
Update service b8b420eb-de61-4235-9389-297e98ae959f; spec: /tmp/svcspec_9r93rhzu
Get service ec950272-a127-4150-ae1b-d9bb90d4f626
Update service ec950272-a127-4150-ae1b-d9bb90d4f626; spec: /tmp/svcspec_1ovltkaq
Get service ff6b704a-cb22-462b-9fec-60db2165c867
Update service ff6b704a-cb22-462b-9fec-60db2165c867; spec: /tmp/svcspec_abhendva
Get service 57f0f658-88ae-4837-94a2-525b3a50b870
Update service 57f0f658-88ae-4837-94a2-525b3a50b870; spec: /tmp/svcspec_u09f4gq0
Get service 95077896-5cbd-46e6-b984-7a2c3d528744_com.vmware.vsphere.client
Don't update service 95077896-5cbd-46e6-b984-7a2c3d528744_com.vmware.vsphere.client
Get service bba184df-024e-4510-9231-d1e2167d78ea
Update service bba184df-024e-4510-9231-d1e2167d78ea; spec: /tmp/svcspec_gcvcnym_
Updated 34 service(s)
Status : 60% Completed [Reset vpxd-extension Cert...]
2022-10-24T07:40:48.076Z Updating certificate for "com.vmware.vim.eam" extension
2022-10-24T07:40:48.483Z Updating certificate for "com.vmware.rbd" extension
2022-10-24T07:40:48.890Z Updating certificate for "com.vmware.imagebuilder" extension
Reset status : 100% Completed [Reset completed successfully]
Once the operation finishes, the certificates have been regenerated and the vCenter portal is usable again.
Below you can see the certificate details before and after the renewal:
OLD CERTIFICATE
NEW CERTIFICATE