情况描述：登录 vCenter 时，即使输入了正确的密码，页面仍提示“请输入您的用户名和密码”；而如果输入错误的密码，则会收到密码不正确的提示。
原因:STS证书已过期
1、使用root账号通过ssh登录,输入shell切换到命令行。
2. checksts.py 可以从 https://kb.vmware.com/s/article/79248?lang=en_us 下载。
或者，在 /tmp 目录下新建 checksts.py，并将以下内容保存到该文件中（推荐）：
#!/opt/vmware/bin/python
"""
版权所有 2020-2022 VMware, Inc。保留所有权利 - VMware 机密。
作者: Keenan Matheny (keenanm@vmware.com)
"""
##### BEGIN IMPORTS #####
import json
import os
import pprint  # NOTE(review): the page's copy of this line is garbled ("进口印刷"); confirm the module name against KB 79248
import re
import ssl
import subprocess
import sys
import textwrap
from codecs import encode, decode
from datetime import datetime, timedelta
from time import sleep
try:
    # Python 3 hack.
    import urllib.request as urllib2
    import urllib.parse as urlparse
except ImportError:
    import urllib2
    import urlparse
sys.path.append(os.environ['VMWARE_PYTHON_PATH'])
from cis.defaults import def_by_os
sys.path.append(os.path.join(os.environ['VMWARE_CIS_HOME'],
                             def_by_os('vmware-vmafd/lib64', 'vmafdd')))
import vmafd
from OpenSSL.crypto import (load_certificate, dump_privatekey, dump_certificate, X509, X509Name, PKey)
from OpenSSL.crypto import (TYPE_DSA, TYPE_RSA, FILETYPE_PEM, FILETYPE_ASN1)
# Today's date as dd-mm-YYYY; parseSts.check_cert() parses it back with the same format.
today = datetime.now().strftime('%d-%m-%Y')
# KB articles printed by main() when an expired STS certificate is found.
vcsa_kblink = 'https://kb.vmware.com/s/article/76719'
win_kblink = 'https://kb.vmware.com/s/article/79263'
##### 完成导入#####
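class parseCert(object):
    """Parse one PEM certificate and expose the fields checksts needs.

    The listing on this page was machine-translated and is not runnable as
    printed; this is the restored code. ``__init__`` sets:

      subjectAltName, subject, validfrom, validuntil, thumbprint,
      subjectkey, authkey -- each ``None`` when the certificate lacks the
      field -- and ``combined``, the full dict of parsed fields.
    """

    def format_subject_issuer(self, x509name):
        """Render an X509Name as ``'CN=..., O=..., ...'``."""
        items = ['%s=%s' % (decode(key, 'utf-8'), decode(value, 'utf-8'))
                 for key, value in x509name.get_components()]
        return ', '.join(items)

    def format_asn1_date(self, d):
        """Convert an ASN.1 time ``b'YYYYMMDDHHMMSSZ'`` to ``'YYYY-mm-dd HH:MM:SS GMT'``."""
        parsed = datetime.strptime(decode(d, 'utf-8'), '%Y%m%d%H%M%SZ')
        return parsed.strftime('%Y-%m-%d %H:%M:%S GMT')

    def merge_cert(self, extension, certificate):
        """Return a new dict: ``certificate`` fields overlaid with ``extension`` fields."""
        z = certificate.copy()
        z.update(extension)
        return z

    def __init__(self, certdata):
        """Load ``certdata`` (PEM text) and populate the attributes listed above."""
        self.x509 = load_certificate(FILETYPE_PEM, certdata)
        keytype = self.x509.get_pubkey().type()
        # 408 is OpenSSL's NID for id-ecPublicKey; pyOpenSSL exports no constant for it.
        keytype_list = {TYPE_RSA: 'rsaEncryption', TYPE_DSA: 'dsaEncryption', 408: 'id-ecPublicKey'}
        # Only these extensions are copied into the result (keyed by short name).
        extension_list = ['extendedKeyUsage',
                          'keyUsage',
                          'subjectAltName',
                          'subjectKeyIdentifier',
                          'authorityKeyIdentifier']
        key_type_str = keytype_list[keytype] if keytype in keytype_list else 'other'
        extension = {}
        for i in range(self.x509.get_extension_count()):
            ext = self.x509.get_extension(i)
            name = decode(ext.get_short_name(), 'utf-8')
            if name in extension_list:
                extension[name] = ext.__str__()
        certificate = {
            'Thumbprint': decode(self.x509.digest('sha1'), 'utf-8'),
            'Version': self.x509.get_version(),
            # NOTE(review): the page's listing is garbled at this point of the
            # dict; key_type_str is the only value computed above that is not
            # used elsewhere, so it is recorded here -- confirm the field name(s)
            # against the original checksts.py (KB 79248).
            'Key Type': key_type_str,
            'Valid From': self.format_asn1_date(self.x509.get_notBefore()),
            'Valid Until': self.format_asn1_date(self.x509.get_notAfter()),
            'Subject': self.format_subject_issuer(self.x509.get_subject()),
        }
        combined = self.merge_cert(extension, certificate)
        self.subjectAltName = combined.get('subjectAltName')
        self.subject = combined.get('Subject')
        self.validfrom = combined.get('Valid From')
        self.validuntil = combined.get('Valid Until')
        self.thumbprint = combined.get('Thumbprint')
        self.subjectkey = combined.get('subjectKeyIdentifier')
        # authorityKeyIdentifier is what parseSts uses to tell a leaf from a root.
        self.authkey = combined.get('authorityKeyIdentifier')
        self.combined = combined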
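class parseSts(object):
    """Fetch the SSO tenant's STS certificate chains and sort them by expiry.

    ``execute()`` fills and returns ``self.results``::

        {'expired': {'root': [...], 'leaf': [...]},
         'valid':   {'root': [...], 'leaf': [...]}}

    Each list entry is a ``parseCert.combined`` dict plus a ``daysUntil``
    key (days from the module-level ``today`` until 'Valid Until').
    """

    def __init__(self):
        # Thumbprints already classified: the same certificate can occur in
        # several chains and must be reported once.
        self.processed = []
        self.results = {
            'expired': {'root': [], 'leaf': []},
            'valid': {'root': [], 'leaf': []},
        }

    def get_certs(self, force_refresh):
        """Return the tenant certificate chains (decoded JSON) from the affinitized DC.

        Environment proxies are disabled so the request never leaves the SSO
        domain through a proxy. When this node is itself the DC the local
        plain-HTTP endpoint on port 7080 is used; otherwise the request goes
        over HTTPS to the DC -- nothing here passes a custom SSL context, so
        urlopen's default certificate verification applies.
        """
        urllib2.getproxies = lambda: {}
        vmafd_client = vmafd.client('localhost')
        domain_name = vmafd_client.GetDomainName()
        dc_name = vmafd_client.GetAffinitizedDC(domain_name, force_refresh)
        if vmafd_client.GetPNID() == dc_name:
            url = ('http://localhost:7080/idm/tenant/%s/certificates?scope=TENANT'
                   % domain_name)
        else:
            url = ('https://%s/idm/tenant/%s/certificates?scope=TENANT'
                   % (dc_name, domain_name))
        return json.loads(urllib2.urlopen(url).read().decode('utf-8'))

    def check_cert(self, certificate):
        """Classify one PEM certificate into ``results[<expired|valid>][<root|leaf>]``.

        A certificate carrying an authorityKeyIdentifier is treated as a leaf,
        anything else as a root. Each thumbprint is classified only once.
        """
        cert = parseCert(certificate)
        certdetail = cert.combined
        cert_type = 'leaf' if cert.authkey else 'root'
        if cert.thumbprint in self.processed:
            return
        self.processed.append(cert.thumbprint)
        # 'Valid Until' looks like 'YYYY-mm-dd HH:MM:SS GMT'; only the date part
        # is compared, against the module-level `today` string (dd-mm-YYYY).
        exp_date = datetime.strptime(cert.validuntil.split()[0], '%Y-%m-%d')
        now = datetime.strptime(today, '%d-%m-%Y')
        certdetail['daysUntil'] = (exp_date - now).days
        # The page's listing lost the operator of this comparison; a certificate
        # whose expiry date is today or earlier is reported as expired.
        bucket = 'expired' if exp_date <= now else 'valid'
        self.results[bucket][cert_type].append(certdetail)

    def execute(self):
        """Fetch every tenant chain, classify each certificate and return ``results``."""
        chains = self.get_certs(force_refresh=False)
        for item in chains:
            # NOTE(review): both key names are taken from the page's listing;
            # verify them against the IDM certificates response.
            for certificate in item['certificate']:
                self.check_cert(certificate['encoded'])
        return self.results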
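def main():
    """Print every STS certificate grouped by validity and warn when any expired.

    Output: a VALID section and an EXPIRED section, each split into LEAF and
    ROOT certificates, followed by the KB pointers (``vcsa_kblink``,
    ``win_kblink``) when ``expired_count`` is non-zero. The page's listing had
    lost the ``>`` of its count comparisons; they are restored here.
    """
    warning_message = '''
WARNING!
STS certificate is expired. Please follow the KB corresponding to your OS:
VCSA: %s
Windows: %s
''' % (vcsa_kblink, win_kblink)

    def _show_valid(certs):
        # One line per certificate, or 'None' for an empty bucket.
        if not certs:
            print('\tNone')
            return
        for cert in certs:
            # The sample output on this page shows "7.0 years" for 2890 days,
            # i.e. Python 2 integer division on the appliance interpreter; the
            # year figure is cosmetic only.
            print('\t[] Certificate %s will expire in %s days (%s years).'
                  % (cert['Thumbprint'], cert['daysUntil'], round(cert['daysUntil'] / 365)))

    def _show_expired(certs):
        if not certs:
            print('\tNone')
            return
        for cert in certs:
            print('\t[] Certificate: %s expired on %s!'
                  % (cert.get('Thumbprint'), cert.get('Valid Until')))

    results = parseSts().execute()
    valid_count = len(results['valid']['leaf']) + len(results['valid']['root'])
    expired_count = len(results['expired']['leaf']) + len(results['expired']['root'])

    #### VALID DISPLAY ####
    print('\n%s VALID CERTS\n================' % valid_count)
    print('\n\tLEAF CERTS:\n')
    _show_valid(results['valid']['leaf'])
    print('\n\tROOT CERTS:\n')
    _show_valid(results['valid']['root'])

    #### EXPIRED DISPLAY ####
    print('\n%s EXPIRED CERTS\n================' % expired_count)
    print('\n\tLEAF CERTS:\n')
    _show_expired(results['expired']['leaf'])
    print('\n\tROOT CERTS:\n')
    _show_expired(results['expired']['root'])

    if expired_count > 0:
        print(warning_message)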
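if __name__ == '__main__':
    # sys.exit rather than the site-module `exit` builtin, which is absent
    # when the interpreter runs with -S.
    sys.exit(main())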
4. 给 checksts.py 赋予执行权限
chmod +x checksts.py
5. 运行检测文件checksts.py,查看证书状态。
./checksts.py
1 有效证件
===============
叶CERTS:
没有任何
根证书:
[] 证书D 6:E3:01 的有效期为2890 天(7.0 年)。
1 过期证书
===============
叶CERTS:
[] 证书: AC:4C:28:87:4A:9F:81:AF:89:B4:FC:85:AF:5D:FF:C2:103336 0F6:45:61 于2024 年5 月26 日15:52:15 GMT 过期。
根证书:
没有任何
警告!
STS 证书已过期。请按照OS: 对应的KB 进行操作。
VCSA: https://kb.vmware.com/s/article/76719
Windows: https://kb.vmware.com/s/article/79263
可以看到STS证书已经过期。
警告!
STS 证书已过期。请按照OS: 对应的KB 进行操作。
VCSA: https://kb.vmware.com/s/article/76719
Windows: https://kb.vmware.com/s/article/79263
6.从官方https://kb.vmware.com/s/article/76719下载fixsts.sh。
或者,在/tmp 下创建一个新的fixsts.sh 脚本文件,并将以下代码复制到此处。
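#!/bin/bash
# Copyright (c) 2020-2021 VMware, Inc. All rights reserved.
# VMware Confidential
#
# Run this from the affected PSC/VC
#
# NOTE: This works on external and embedded PSCs
# This script does the following
# 1: Regenerate STS certificate
#
# What is needed?
# 1: Offline snapshot of VC/PSC
# 2: SSO Admin Password
#
# Review notes on this copy of the script:
# - The page's listing was machine-translated and had lost a few shell tokens
#   ("then", "&&", the double dashes of long options); they are restored here.
# - $SCRIPTPATH receives the new STS private key (sts.key, sts.key.der) and the
#   LDIF exports of the old TenantCredential entries, which carry the old
#   vmwSTSPrivateKey. The chmod/umask below keep that directory root-only;
#   remove it once the SSO domain has been verified healthy.
# - The SSO administrator password is handed to ldapsearch/ldapdelete/ldapmodify
#   with -w, so it appears in each command's argument list while it runs. This
#   is kept as upstream wrote it.
NODETYPE=$(cat /etc/vmware/deployment.node.type)
if [ "$NODETYPE" = "management" ]; then
    echo "This node has been detected as a vCenter Server with an external PSC."
    echo "Run this script from a vCenter with embedded PSC, or an external PSC"
    exit 1
fi
# An "embedded" node without the vmdird binary is a vCenter Gateway.
if [ "$NODETYPE" = "embedded" ] && [ ! -f /usr/lib/vmware-vmdir/sbin/vmdird ]; then
    echo "This node has been detected as a vCenter Gateway"
    echo "Please run this script from a vCenter with embedded PSC, or an external PSC"
    exit 1
fi
echo "NOTE: This works on external and embedded PSCs"
echo "This script will do the following"
echo "1: Regenerate STS certificate"
echo "What is needed?"
echo "1: Offline snapshots of VCs/PSCs"
echo "2: SSO Admin Password"
echo "IMPORTANT: This script should only be run on a single PSC per SSO domain"
SCRIPTPATH="/tmp/vmware-fixsts"
mkdir -p "$SCRIPTPATH"
# Key material and credential exports are written below this directory, so
# restrict it (and every file created from here on) to root.
chmod 700 "$SCRIPTPATH"
umask 077
LOGFILE="$SCRIPTPATH/fix_sts_cert.log"
echo "==================================" | tee -a "$LOGFILE"
echo "Resetting STS certificate for $HOSTNAME started on $(date)" | tee -a "$LOGFILE"
echo "" | tee -a "$LOGFILE"
echo ""
DN=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmdir]' | grep dcAccountDN | awk '{$1=$2=$3="";print $0}' | tr -d '"' | sed -e 's/^[ \t]*//')
echo "Detected DN: $DN" | tee -a "$LOGFILE"
PNID=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep PNID | awk '{print $4}' | tr -d '"')
echo "Detected PNID: $PNID" | tee -a "$LOGFILE"
PSC=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep DCName | awk '{print $4}' | tr -d '"')
echo "Detected PSC: $PSC" | tee -a "$LOGFILE"
DOMAIN=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep DomainName | awk '{print $4}' | tr -d '"')
echo "Detected SSO domain name: $DOMAIN" | tee -a "$LOGFILE"
SITE=$(/opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep SiteName | awk '{print $4}' | tr -d '"')
MACHINEID=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost)
echo "Detected Machine ID: $MACHINEID" | tee -a "$LOGFILE"
IPADDRESS=$(ifconfig | grep eth0 -A1 | grep "inet addr" | awk -F ':' '{print $2}' | awk -F ' ' '{print $1}')
# NOTE(review): some ifconfig builds print "inet 10.0.0.5" without the "addr:"
# token, which leaves IPADDRESS empty; fall back to ip(8) so certool.cfg still
# gets an IPAddress value.
if [ -z "$IPADDRESS" ]; then
    IPADDRESS=$(ip -4 -o addr show eth0 | awk '{print $4}' | cut -d/ -f1)
fi
echo "Detected IP Address: $IPADDRESS" | tee -a "$LOGFILE"
DOMAINCN="dc=$(echo "$DOMAIN" | sed 's/\./,dc=/g')"
echo "Domain CN: $DOMAINCN"
ADMIN="cn=administrator,cn=users,$DOMAINCN"
USERNAME="administrator@${DOMAIN^^}"
ROOTCERTDATE=$(openssl x509 -in /var/lib/vmware/vmca/root.cer -text | grep "Not After" | awk -F ' ' '{print $7,$4,$5}')
TODAYSDATE=$(date +"%Y %b %d")

# Write the certool CSR template to $SCRIPTPATH/certool.cfg; $1 is the Name field.
# (Upstream wrote this block twice, once with a stray ">> certool.cfg" that
# landed in the current directory.)
write_certool_cfg() {
    {
        echo "#"
        echo "# Template file for a CSR request"
        echo "#"
        echo "# Country is needed and has to be 2 characters"
        echo "Country = DS"
        echo "Name = $1"
        echo "Organization = VMware"
        echo "OrgUnit = VMware"
        echo "State = VMware"
        echo "Locality = VMware"
        echo "IPAddress = $IPADDRESS"
        echo "Email = email@acme.com"
        echo "Hostname = $PNID"
    } > "$SCRIPTPATH/certool.cfg"
}

write_certool_cfg "$PNID"
echo "==================================" | tee -a "$LOGFILE"
echo "==================================" | tee -a "$LOGFILE"
echo ""
echo "Detected Root's certificate expiration date: $ROOTCERTDATE" | tee -a "$LOGFILE"
echo "Detected today's date: $TODAYSDATE" | tee -a "$LOGFILE"
echo "==================================" | tee -a "$LOGFILE"
flag=0
# Upstream compared "$TODAYSDATE" and "$ROOTCERTDATE" as strings, which orders
# month names alphabetically (e.g. "May" sorts after "Jun") and could regenerate
# the VMCA root while it is still valid. Ask openssl whether it has expired.
if ! openssl x509 -checkend 0 -noout -in /var/lib/vmware/vmca/root.cer > /dev/null
then
    echo "IMPORTANT: Root certificate is expired, so it will be replaced" | tee -a "$LOGFILE"
    flag=1
    mkdir -p /certs && cd /certs
    cp "$SCRIPTPATH/certool.cfg" /certs/vmca.cfg
    /usr/lib/vmware-vmca/bin/certool --genselfcacert --outprivkey /certs/vmcacert.key --outcert /certs/vmcacert.crt --config /certs/vmca.cfg
    /usr/lib/vmware-vmca/bin/certool --rootca --cert /certs/vmcacert.crt --privkey /certs/vmcacert.key
fi
write_certool_cfg "STS"
echo ""
echo "Exporting and generating STS certificate" | tee -a "$LOGFILE"
echo ""
# Everything below uses relative file names, so the cd must succeed.
cd "$SCRIPTPATH" || exit 1
/usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=sts.key --pubkey=sts.pub
/usr/lib/vmware-vmca/bin/certool --gencert --cert=sts.cer --privkey=sts.key --config="$SCRIPTPATH/certool.cfg"
openssl x509 -outform der -in sts.cer -out sts.der
# csplit prints one line per piece; piece root00 holds the text before the first
# certificate, so the conversion loops below stop at CERTS-1.
CERTS=$(csplit -f root /var/lib/vmware/vmca/root.cer '/-----BEGIN CERTIFICATE-----/' '{*}' | wc -l)
openssl pkcs8 -topk8 -inform pem -outform der -in sts.key -out sts.key.der -nocrypt
i=1
until [ "$i" -eq "$CERTS" ]
do
    openssl x509 -outform der -in "root0$i" -out "vmca0$i.der"
    ((i++))
done
echo ""
echo ""
# -r keeps backslashes in the password intact (upstream omitted it).
read -r -s -p "Enter password for administrator@$DOMAIN: " DOMAINPASSWORD
echo ""
# Find the highest tenant credentials index
MAXCREDINDEX=1
while read -r line
do
    INDEX=$(echo "$line" | tr -dc '0-9')
    if [ -n "$INDEX" ] && [ "$INDEX" -gt "$MAXCREDINDEX" ]
    then
        MAXCREDINDEX=$INDEX
    fi
done < <(/opt/likewise/bin/ldapsearch -h localhost -p 389 -b "cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "(objectclass=vmwSTSTenantCredential)" cn | grep cn:)
# Sequentially search for tenant credentials up to max index and delete if found
echo "Highest tenant credentials index : $MAXCREDINDEX" | tee -a "$LOGFILE"
i=1
if [ -n "$MAXCREDINDEX" ]
then
    until [ "$i" -gt "$MAXCREDINDEX" ]
    do
        echo "Exporting tenant $i to $SCRIPTPATH" | tee -a "$LOGFILE"
        echo ""
        # The export contains the tenant's vmwSTSPrivateKey; it is written under the 077 umask set above.
        ldapsearch -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" -b "cn=TenantCredential-$i,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" > "$SCRIPTPATH/tenantcredential-$i.ldif"
        if [ $? -eq 0 ]
        then
            echo "Deleting tenant $i" | tee -a "$LOGFILE"
            ldapdelete -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "cn=TenantCredential-$i,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" | tee -a "$LOGFILE"
        else
            echo "Tenant $i not found" | tee -a "$LOGFILE"
            echo ""
        fi
        ((i++))
    done
fi
echo ""
# Find the highest trusted cert chains index
MAXCERTCHAINSINDEX=1
while read -r line
do
    INDEX=$(echo "$line" | tr -dc '0-9')
    if [ -n "$INDEX" ] && [ "$INDEX" -gt "$MAXCERTCHAINSINDEX" ]
    then
        MAXCERTCHAINSINDEX=$INDEX
    fi
done < <(/opt/likewise/bin/ldapsearch -h localhost -p 389 -b "cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "(objectclass=vmwSTSTenantTrustedCertificateChain)" cn | grep cn:)
# Sequentially search for trusted cert chains up to max index and delete if found
echo "Highest trusted cert chains index: $MAXCERTCHAINSINDEX" | tee -a "$LOGFILE"
i=1
if [ -n "$MAXCERTCHAINSINDEX" ]
then
    until [ "$i" -gt "$MAXCERTCHAINSINDEX" ]
    do
        echo "Exporting trustedcertchain $i to $SCRIPTPATH" | tee -a "$LOGFILE"
        echo ""
        ldapsearch -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" -b "cn=TrustedCertChain-$i,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" > "$SCRIPTPATH/trustedcertchain-$i.ldif"
        if [ $? -eq 0 ]
        then
            echo "Deleting trustedcertchain $i" | tee -a "$LOGFILE"
            ldapdelete -h localhost -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" "cn=TrustedCertChain-$i,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN" | tee -a "$LOGFILE"
        else
            echo "Trusted cert chain $i not found" | tee -a "$LOGFILE"
        fi
        echo ""
        ((i++))
    done
fi
echo ""
# Build the LDIF that re-creates TenantCredential-1 and TrustedCertChain-1 with
# the new STS certificate, the VMCA chain and the new private key.
{
    echo "dn: cn=TenantCredential-1,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN"
    echo "changetype: add"
    echo "objectClass: vmwSTSTenantCredential"
    echo "objectClass: top"
    echo "cn: TenantCredential-1"
    echo "userCertificate:< file:sts.der"
    i=1
    until [ "$i" -eq "$CERTS" ]
    do
        echo "userCertificate:< file:vmca0$i.der"
        ((i++))
    done
    echo "vmwSTSPrivateKey:< file:sts.key.der"
    echo ""
    echo "dn: cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN"
    echo "changetype: add"
    echo "objectClass: vmwSTSTenantTrustedCertificateChain"
    echo "objectClass: top"
    echo "cn: TrustedCertChain-1"
    echo "userCertificate:< file:sts.der"
    i=1
    until [ "$i" -eq "$CERTS" ]
    do
        echo "userCertificate:< file:vmca0$i.der"
        ((i++))
    done
} > sso-sts.ldif
echo ""
echo "Applying newly generated STS certificate to SSO domain" | tee -a "$LOGFILE"
/opt/likewise/bin/ldapmodify -x -h localhost -p 389 -D "cn=administrator,cn=users,$DOMAINCN" -w "$DOMAINPASSWORD" -f sso-sts.ldif | tee -a "$LOGFILE"
unset DOMAINPASSWORD
echo ""
echo "Replacement finished - Please restart services on all vCenters and PSCs in your SSO domain" | tee -a "$LOGFILE"
echo "==================================" | tee -a "$LOGFILE"
echo "IMPORTANT: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure" | tee -a "$LOGFILE"
echo "==================================" | tee -a "$LOGFILE"
echo "==================================" | tee -a "$LOGFILE"
if [ "$flag" = 1 ]
then
    echo "Since your Root certificate was expired and was replaced, you will need to replace your MachineSSL and Solution User certificates" | tee -a "$LOGFILE"
    echo "You can do so following this KB: https://kb.vmware.com/s/article/2097936" | tee -a "$LOGFILE"
fi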
7.给fixsts.sh执行权限
chmod +x fixsts.sh
8.运行脚本./fixsts.sh
按要求输入密码
9.重启服务
service-control –stop –all && service-control –start –all
结果最后一行:
Service-control failed. Error Failed to start vmon services.vmon-cli RC=1, stderr=Failed to start sca, vpxd-svcs, cm, vapi-endpoint services. Error: Operation timed out
会发现有的服务无法启动。尚未启动的服务可以先忽略，因为证书还没有替换。
重新分配证书
执行以下命令替换证书配置
/usr/lib/vmware-vmca/bin/certificate-manager
输入“8”,按要求输入信息,可回车直接跳过按默认值设置,如下为参考(本示例vcenter地址为192.168.167.170):
root@photon-machine [ /tmp ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.5 Certificate Manager *** |
| |
| — Select Operation — |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y
Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@vsphere.local
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : y
Press Enter key to skip optional parameters or use Previous value.
Enter proper value for \’Country\’ [Previous value : US] :
Enter proper value for \’Name\’ [Previous value : CA] :
Enter proper value for \’Organization\’ [Previous value : VMware] :
Enter proper value for \’OrgUnit\’ [Previous value : VMware Engineering] :
Enter proper value for \’State\’ [Previous value : California] :
Enter proper value for \’Locality\’ [Previous value : Palo Alto] :
Enter proper value for \’IPAddress\’ (Provide comma separated values for multiple IP addresses) [optional] : 192.168.167.170
Enter proper value for \’Email\’ [Previous value : email@acme.com] :
Enter proper value for \’Hostname\’ (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : 192.168.167.170
Enter proper value for VMCA \’Name\’ :192.168.167.170
Continue operation : Option[Y/N] ? : y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site nameCompleted [Reset Machine SSL Cert…]
site
Lookup all services
Get service site:911fc2f1-392c-4f1b-84d2-49f91c3046f2
Don\’t update service site:911fc2f1-392c-4f1b-84d2-49f91c3046f2
Get service site:aea34480-46ce-41cf-a7e2-1d15bdcc0ab1
Don\’t update service site:aea34480-46ce-41cf-a7e2-1d15bdcc0ab1
Get service site:8938d34a-c15d-40cc-850d-c9304e68dae4
Don\’t update service site:8938d34a-c15d-40cc-850d-c9304e68dae4
Get service a79a41ce-5342-4493-929e-811383bff203
Don\’t update service a79a41ce-5342-4493-929e-811383bff203
Get service 5fbf2d4b-b430-470c-9851-702610484343
Don\’t update service 5fbf2d4b-b430-470c-9851-702610484343
Get service de3ebc64-8ae4-4235-b1d6-de65883b7096
Don\’t update service de3ebc64-8ae4-4235-b1d6-de65883b7096
Get service 57ad9946-2957-4555-8bfb-10c65ce68c6c_authz
Don\’t update service 57ad9946-2957-4555-8bfb-10c65ce68c6c_authz
Get service 1d4b42a2-d90a-474e-a689-8cca9495c27b
Don\’t update service 1d4b42a2-d90a-474e-a689-8cca9495c27b
Get service 57ad9946-2957-4555-8bfb-10c65ce68c6c
Don\’t update service 57ad9946-2957-4555-8bfb-10c65ce68c6c
Get service 587f612e-a714-484e-aca1-0d2de3ad1e29
Don\’t update service 587f612e-a714-484e-aca1-0d2de3ad1e29
Get service e48d9ffe-2fe1-4559-9222-2269c2d4f0b6
Don\’t update service e48d9ffe-2fe1-4559-9222-2269c2d4f0b6
Get service 01940b7b-f22c-4333-8035-955bbbb91603
Don\’t update service 01940b7b-f22c-4333-8035-955bbbb91603
Get service b54d7f46-73d2-481d-91dc-da8d8e993ef3
Don\’t update service b54d7f46-73d2-481d-91dc-da8d8e993ef3
Get service 85e3c0eb-d952-43d9-a08d-ab161bf6d101
Don\’t update service 85e3c0eb-d952-43d9-a08d-ab161bf6d101
Get service e1a6c0f8-8a91-4d82-ab6e-79287d2b1ed2
Don\’t update service e1a6c0f8-8a91-4d82-ab6e-79287d2b1ed2
Get service be7818e6-911d-4063-b88e-73b5915c0df0
Don\’t update service be7818e6-911d-4063-b88e-73b5915c0df0
Get service 3078f34e-3759-4320-b472-877453ce1b18
Don\’t update service 3078f34e-3759-4320-b472-877453ce1b18
Get service ea0d05e1-02a8-4a2c-9fed-184d750198f4
Don\’t update service ea0d05e1-02a8-4a2c-9fed-184d750198f4
Get service 755cb09e-57c7-4d35-bed1-6f8765249f69
Don\’t update service 755cb09e-57c7-4d35-bed1-6f8765249f69
Get service 217e3e49-6173-454d-9561-3f425c5acddd
Don\’t update service 217e3e49-6173-454d-9561-3f425c5acddd
Get service c7a2c7d1-8aa6-4a35-a653-a78413d754a3
Don\’t update service c7a2c7d1-8aa6-4a35-a653-a78413d754a3
Get service fb3064d8-e453-48da-9b7e-429a3bedf7a8
Don\’t update service fb3064d8-e453-48da-9b7e-429a3bedf7a8
Get service ced86945-2a57-4d42-b9dc-20f483ebf7e9
Don\’t update service ced86945-2a57-4d42-b9dc-20f483ebf7e9
Get service e5dd7481-e3fb-4844-bd0e-d2b365797b62
Don\’t update service e5dd7481-e3fb-4844-bd0e-d2b365797b62
Get service ea152519-4fde-42d6-b801-bcf0e5f6c8f0
Don\’t update service ea152519-4fde-42d6-b801-bcf0e5f6c8f0
Get service 674b549c-6ea0-403e-ad7e-762f9f1f9888
Don\’t update service 674b549c-6ea0-403e-ad7e-762f9f1f9888
Get service 3208647b-438b-4874-b96c-ad4258f7e934
Don\’t update service 3208647b-438b-4874-b96c-ad4258f7e934
Get service 13062b8f-2507-4e96-82fb-300c86336567
Don\’t update service 13062b8f-2507-4e96-82fb-300c86336567
Get service 57ad9946-2957-4555-8bfb-10c65ce68c6c_kv
Don\’t update service 57ad9946-2957-4555-8bfb-10c65ce68c6c_kv
Get service 0f9becdc-a140-44af-9fa7-4e82733eceb0
Don\’t update service 0f9becdc-a140-44af-9fa7-4e82733eceb0
Updated 0 service(s)
Status : 60% Completed [Reset vpxd-extension Cert…]
2024-06-22T12:21:37.568Z Updating certificate for \”com.vmware.vim.eam\” extension
2024-06-22T12:21:37.717Z Updating certificate for \”com.vmware.rbd\” extension
Reset status : 100% Completed [Reset completed successfully]
过会即可正常访问