VMware vCenter 6.7: login error caused by an expired SSL certificate
Problem: the vCenter web interface cannot be accessed.
This can happen when the self-signed SSL certificate installed on vCenter during initial installation has expired.
Unlike the certificates installed on the individual vSphere hosts (valid for 10 years), the one installed on vCenter 6.7 is valid for only two years.
![](https://www.mconsult.it/blog/wp-content/uploads/2022/10/image.png)
In the example below, the certificate, valid for two years, expires on 21 October 2022.
![](https://www.mconsult.it/blog/wp-content/uploads/2022/10/image-1.png)
Login remains possible only on the vCenter management interface on port 5480. However, a self-signed certificate with a 10-year validity is installed there:
Through the VMware support forum I found this information, which allows checking the status of the certificates by connecting via SSH to the vCenter shell:
https://kb.vmware.com/s/article/82332
Using PuTTY, log in to the affected vCenter and run the following command from the shell:
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
This returns the status of the installed certificates, and it is immediately apparent that those with a two-year validity have expired and are preventing login:
![](https://www.mconsult.it/blog/wp-content/uploads/2022/10/image-2.png)
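The same check can be automated so that expiry is noticed before login breaks. The script below is an added example, not part of the original post or the VMware KB: it reads the output of the loop above and classifies each entry as EXPIRED, EXPIRING or OK. The function names, the 30-day warning window and the sample listing are assumptions made for the example (the listing is constructed, modelled on the `Alias` / `Not After` lines the command prints).

```shell
#!/bin/sh
# Usage: <vecs-cli loop output> | cert_expiry_report [now_epoch] [warn_days]
cert_expiry_report() {
    awk -v now="${1:-$(date +%s)}" -v warn="${2:-30}" '
    # Days since 1970-01-01 for a Gregorian date (no external date parser needed).
    function days_from_civil(y, m, d,    era, yoe, doy) {
        if (m <= 2) y--
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        return era * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy - 719468
    }
    /Store :/ { store = $NF; next }
    /Alias/   { alias = $NF; next }
    /Not After/ {
        # Fields counted from the end: <Mon> <DD> <HH:MM:SS> <YYYY> GMT
        idx = index("JanFebMarAprMayJunJulAugSepOctNovDec", $(NF-4))
        if (idx == 0) next                      # unparseable date, skip the entry
        mon = (idx + 2) / 3
        split($(NF-2), t, ":")
        expiry = days_from_civil($(NF-1) + 0, mon, $(NF-3) + 0) * 86400
        expiry += t[1] * 3600 + t[2] * 60 + t[3]
        left = expiry - now
        status = (left <= 0) ? "EXPIRED" : ((left <= warn * 86400) ? "EXPIRING" : "OK")
        printf "%s %s %s %d-%02d-%02d\n", status, store, alias, $(NF-1), mon, $(NF-3)
    }'
}

# Constructed sample listing (not taken from a real appliance).
sample_listing() {
cat <<'EOF'
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Oct 21 07:12:01 2022 GMT
[*] Store : TRUSTED_ROOTS
Alias : example-root-alias
            Not After : Oct 16 07:12:01 2030 GMT
[*] Store : machine
Alias : machine
            Not After : Oct 21 07:12:05 2022 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
            Not After : Nov 10 07:12:06 2022 GMT
EOF
}

# Evaluate the sample as of 2022-10-24 00:00:00 UTC (epoch 1666569600).
sample_listing | cert_expiry_report 1666569600 30
```

On the appliance, pipe the output of the `vecs-cli` loop into `cert_expiry_report` with no arguments to evaluate against the current time.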
It is best to regenerate all of them so that all certificate expiry dates are realigned.
To proceed with the renewal, launch Certificate Manager from the shell with the following command:
/usr/lib/vmware-vmca/bin/certificate-manager
Among the options offered, I choose option 8 (reset all certificates).
![](https://www.mconsult.it/blog/wp-content/uploads/2022/10/image-5.png)
This is the trace of the operations performed after issuing the regeneration command:
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : n
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : n
Continue operation : Option[Y/N] ? : y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site nameCompleted [Reset Machine SSL Cert…]
default-site
Lookup all services
[...]
Updated 34 service(s)
Status : 60% Completed [Reset vpxd-extension Cert…]
2022-10-24T07:40:48.076Z Updating certificate for "com.vmware.vim.eam" extension
2022-10-24T07:40:48.483Z Updating certificate for "com.vmware.rbd" extension
2022-10-24T07:40:48.890Z Updating certificate for "com.vmware.imagebuilder" extension
Reset status : 100% Completed [Reset completed successfully]
Once the operation finishes, the certificate is regenerated and the vCenter portal is usable again.
Below you can see the certificate details before and after the renewal:
OLD CERTIFICATE
![](https://www.mconsult.it/blog/wp-content/uploads/2022/10/image-3.png)
NEW CERTIFICATE
![](https://www.mconsult.it/blog/wp-content/uploads/2022/10/image-4.png)