Vcenter证书过期解决方案（vcenter 证书替换）

情况描述：登录Vcenter时请输入正确的密码。 提示：请输入您的用户名和密码。如果您输入错误的密码，您将收到一条消息，提示密码不正确。

原因：STS证书已过期

1、使用root账号通过ssh登录，输入shell切换到命令行。

2. Checksts.py 可以从https://kb.vmware.com/s/article/79248?lang=en_us 下载。

或者，运行/tmp目录中的checksts.py并保存以下内容（推荐）：

#!/opt/vmware/bin/python

””

版权所有2020-2022 VMware, Inc。保留所有权利- VMware 机密。

作者： Keenan Matheny (keenanm@vmware.com)

””

#####开始导入#####

导入操作系统

导入系统

导入json

导入子流程

重新导入

进口印刷

导入SSL

从日期时间导入日期时间，时间增量

导入文本换行

从编解码器导入编码、解码

导入子流程

时间导入睡眠

尝试：

# Python 3 破解。

将urllib.request 导入为urllib2

将urllib.parse 导入为urlparse

除了导入错误：

导入URLlib2

导入URL分析

sys.path.append(os.environ[\’VMWARE_PYTHON_PATH\’])

从cis.defaults 导入def_by_os

sys.path.append(os.path.join(os.environ[\’VMWARE_CIS_HOME\’],

def_by_os(\’vmware-vmafd/lib64\’, \’vmafdd\’)))

导入vmafd

从OpenSSL.crypto 导入（load_certificate、dump_privatekey、dump_certificate、X509、X509Name、PKey）

从OpenSSL.crypto 导入（TYPE_DSA、TYPE_RSA、FILETYPE_PEM、FILETYPE_ASN1）

今天=datetime.now()

今天=今天.strftime(\’%d-%m-%Y\’)

vcsa_kblink=\’https://kb.vmware.com/s/article/76719\’

win_kblink=\’https://kb.vmware.com/s/article/79263\’

##### 完成导入#####

类parseCert(对象):

# 解析证书

def format_subject_issuer(self, x509name):

项目=[]

对于项目x509name.get_components():

items.append(\’%s=%s\’ % (解码(item[0],\’utf-8\’), 解码(item[1],\’utf-8\’)))

返回\’, \’.join(items)

def format_asn1_date(self, d):

return datetime.strptime(解码(d,\’utf-8\’), \’%Y%m%d%H%M%SZ\’).strftime(\’%Y-%m-%d %H:%M:%S GMT ）\’）

def merge_cert（自身，扩展，证书）:

z=证书.copy()

z.update（扩展）

退货

def __init__(self, certdata):

built_cert=证书数据

self.x509=load_certificate(FILETYPE_PEM,built_cert)

keytype=self.x509.get_pubkey().type()

keytype_list={TYPE_RSA:\’rsaEncryption\’, TYPE_DSA:\’dsaEncryption\’, 408:\’id-ecPublicKey\’}

extension_list=[\’扩展密钥使用\’,

\’密钥使用\’,

\’主题替代名称\’,

\’主题密钥标识符\’,

“授权密钥标识符”]

key_type_str=keytype_list[keytype] 如果keytype 在keytype_list 中，则为“其他”

证书={}

扩展名={}

对于我在范围内（self.x509.get_extension_count（））:

关键=\’关键\’ if self.x509.get_extension(i).get_ritic() else \’\’

如果在extension_list:中解码(self.x509.get_extension(i).get_short_name(),\’utf-8\’)

扩展[解码(self.x509.get_extension(i).get_short_name(),\’utf-8\’)]=self.x509.get_extension(i).__str__()

证书={\’指纹\’: 解码(self.x509.digest(\’sha1\’),\’utf-8\’), \’版本\’: self.x509.get_version(),

第：章：第：章

\”有效开始日期\” : self.format_asn1_date(self.x509.get_notBefore()), \”到期日期\” : self.format_asn1_date(self.x509.get_notAfter()),

\’主题\’ : self.format_subject_issuer(self.x509.get_subject())}

合并=self.merge_cert（扩展名，证书）

cert_output=json.dumps（组合）

self.subjectAltName=合并.get(\’subjectAltName\’)

self.subject=combined.get(\’主题\’)

self.validfrom=合并.get(\’有效日期\’)

self.validuntil=合并.get(\’validuntil\’)

self.thumbprint=合并.get(\’指纹\’)

self.subjectkey=combined.get(\’subjectKeyIdentifier\’)

self.authkey=合并.get(\’authorityKeyIdentifier\’)

self.combined=合并

类parseSts(对象):

def __init__(self):

自我处理=[]

自我结果={}

self.results[\’过期\’]={}

self.results[\’过期\’][\’root\’]=[]

self.results[\’过期\’][\’叶子\’]=[]

self.results[\’有效\’]={}

self.results[\’有效\’][\’根\’]=[]

self.results[\’有效\’][\’叶子\’]=[]

def get_certs(self,force_refresh):

urllib2.getproxies=lambda: {}

vmafd_client=vmafd.client(\’localhost\’)

域名=vmafd_client.GetDomainName()

dc_name=vmafd_client.GetAffinitizedDC(域名，强制刷新)

如果vmafd_client.GetPNID()==dc_name:

网址=(

\’http://localhost:7080/idm/tenant/%s/certificates?scope=TENANT\’

% 域名）

: 其他

网址=(

\’https://%s/idm/租户/%s/证书？范围=租户\’

% (dc_name,域名))

返回json.loads(urllib2.urlopen(url).read().decode(\’utf-8\’))

def check_cert(自身，证书):

证书=parseCert(证书)

certdetail=cert.combined 证书详细信息=cert.combined

# 尝试识别证书类型

如果cert.authkey:

cert_type=\’叶\’

: 其他

cert_type=\’根\’

# 尝试只处理一次证书

如果cert.thumbprint 不在self.processed: 中

# 日期转换

self.processed.append(cert.thumbprint)

exp=cert.validuntil.split()[0]

conv_exp=datetime.strptime(exp, \’%Y-%m-%d\’)

exp=datetime.strftime(conv_exp, \’%d-%m-%Y\’)

now=datetime.strptime(今天， \’%d-%m-%Y\’)

exp_date=datetime.strptime(exp, \’%d-%m-%Y\’)

# 获取距离到期的天数

diff=exp_date – 当前

certdetail[\’daysUntil\’]=diff.days

# 将过期的证书分为叶和根，并将其余的放入好的证书中。

如果exp_date=now:

self.results[\’过期\’][cert_type].append(certdetail)

: 其他

self.results[\’valid\’][cert_type].append(certdetail)

def 运行（自我）:

json=self.get_certs(force_refresh=False)

对于json: 项目

对于项目[\’certificate\’]: 中的证书

self.check_cert(证书[\’编码\’])

返回自身结果

def main():

警告=假

警告信息=\’\’

警告！

STS 证书已过期。请按照OS: 对应的KB 进行操作。

VCSA: %s

Windows:%s

\’\’ % (vcsa_kblink, win_kblink)

parse_sts=parseSts()

结果=parse_sts.execute()

valid_count=len(结果[\’有效\’][\’叶\’]) + len(结果[\’有效\’][\’根\’])

expired_count=len(结果[\’过期\’][\’叶子\’]) + len(结果[\’过期\’][\’根\’])

#### 有效显示####

print(\’\\n%s 有效证书\\n================\’ % valid_count)

打印（\’\\n\\tLEAF CERTS:\\n\’）

if len(结果[\’有效\’][\’叶\’]) 0:

对于生成的证书[\’valid\’][\’leaf\’]:

print(\’\\t[] 证书%s 将在%s 天（%s 年）后过期。\’ % (cert[\’Thumbprint\’], cert[\’daysUntil\’],round(cert[\’daysUntil\’ ]/365) ））

: 其他

打印（\’\\t无\’）

打印（\’\\n\\tROOT CERTS:\\n\’）

if len(结果[\’有效\’][\’根\’]) 0:

对于生成的证书[\’valid\’][\’root\’]:

print(\’\\t[] 证书%s 将在%s 天（%s 年）后过期。\’ % (cert[\’Thumbprint\’], cert[\’daysUntil\’],round(cert[\’daysUntil\’ ]/365) ））

: 其他

打印（\’\\t无\’）

#### 显示已过期####

print(\’\\n%s 过期证书\\n================\’ %expired_count)

打印（\’\\n\\tLEAF CERTS:\\n\’）

if len(结果[\’过期\’][\’叶子\’]) 0:

[\’expired\’][\’leaf\’]: 表示生成的证书

print(\’\\t[] Certificate: %s 已于%s 过期！\’ % (cert.get(\’Thumbprint\’),cert.get(\’有效期至\’)))

继续

: 其他

打印（\’\\t无\’）

打印（\’\\n\\tROOT CERTS:\\n\’）

if len(结果[\’过期\’][\’根\’]) 0:

对于生成的证书[\’expired\’][\’root\’]:

print(\’\\t[] Certificate: %s 已于%s 过期！\’ % (cert.get(\’Thumbprint\’),cert.get(\’有效期至\’)))

继续

: 其他

打印（\’\\t无\’）

如果expired_count 0:

打印（警告信息）

如果__name__==\’__main__\’:

结束（主（））

4.给checkstst.py赋予执行权限

chmod +x checksts.py

5. 运行检测文件checksts.py，查看证书状态。

./checksts.py

1 有效证件

===============

叶CERTS:

没有任何

根证书：

[] 证书D 6:E3:01 的有效期为2890 天（7.0 年）。

1 过期证书

===============

叶CERTS:

[] 证书： AC:4C:28:87:4A:9F:81:AF:89:B4:FC:85:AF:5D:FF:C2:103336 0F6:45:61 于2024 年5 月26 日15:52:15 GMT 过期。

根证书：

没有任何

警告！

STS 证书已过期。请按照OS: 对应的KB 进行操作。

VCSA: https://kb.vmware.com/s/article/76719

Windows: https://kb.vmware.com/s/article/79263

可以看到STS证书已经过期。

警告！

STS 证书已过期。请按照OS: 对应的KB 进行操作。

VCSA: https://kb.vmware.com/s/article/76719

Windows: https://kb.vmware.com/s/article/79263

6.从官方https://kb.vmware.com/s/article/76719下载fixsts.sh。

或者，在/tmp 下创建一个新的fixsts.sh 脚本文件，并将以下代码复制到此处。

#!/bin/bash

# 版权所有(c) 2020-2021 VMware, Inc。保留所有权利。

#VMwareConfidential

#

# 从受影响的PSC/VC 运行此命令

#

#NOTE: 这适用于外部和嵌入式PSC

# 该脚本执行以下操作

#1: 重新生成STS证书

#

#需要什么？

# 1: VC/PSC 离线快照

#2: SSO 管理员密码

NODETYPE=$(cat /etc/vmware/deployment.node.type)

if [ \’$NODETYPE\’=\’管理\’ ];

echo \’已检测到此节点是具有外部PSC 的vCenter 服务器。 \’

echo \’从具有嵌入式PSC 或外部PSC 的vCenter 运行此脚本\’

1号出口

菲

if [ \’$NODETYPE\’=\’嵌入\’ ] [ ! -f /usr/lib/vmware-vmdir/sbin/vmdird ];

echo \’该节点已被检测为vCenter 网关\’

echo \”Please run this script from a vCenter with embedded PSC, or an external PSC\”
exit 1
fi
echo \”NOTE: This works on external and embedded PSCs\”
echo \”This script will do the following\”
echo \”1: Regenerate STS certificate\”
echo \”What is needed?\”
echo \”1: Offline snapshots of VCs/PSCs\”
echo \”2: SSO Admin Password\”
echo \”IMPORTANT: This script should only be run on a single PSC per SSO domain\”
mkdir -p /tmp/vmware-fixsts
SCRIPTPATH=\”/tmp/vmware-fixsts\”
LOGFILE=\”$SCRIPTPATH/fix_sts_cert.log\”
echo \”==================================\” | tee -a $LOGFILE
echo \”Resetting STS certificate for $HOSTNAME started on $(date)\” | tee -a $LOGFILE
echo \”\”| tee -a $LOGFILE
echo \”\”
DN=$(/opt/likewise/bin/lwregshell list_values \'[HKEY_THIS_MACHINE\\Services\\vmdir]\’ | grep dcAccountDN | awk \'{$1=$2=$3=\”\”;print $0}\’|tr -d \’\”\’|sed -e \’s/^[ \\t]*//\’)
echo \”Detected DN: $DN\” | tee -a $LOGFILE
PNID=$(/opt/likewise/bin/lwregshell list_values \'[HKEY_THIS_MACHINE\\Services\\vmafd\\Parameters]\’ | grep PNID | awk \'{print $4}\’|tr -d \’\”\’)
echo \”Detected PNID: $PNID\” | tee -a $LOGFILE
PSC=$(/opt/likewise/bin/lwregshell list_values \'[HKEY_THIS_MACHINE\\Services\\vmafd\\Parameters]\’ | grep DCName | awk \'{print $4}\’|tr -d \’\”\’)
echo \”Detected PSC: $PSC\” | tee -a $LOGFILE
DOMAIN=$(/opt/likewise/bin/lwregshell list_values \'[HKEY_THIS_MACHINE\\Services\\vmafd\\Parameters]\’ | grep DomainName | awk \'{print $4}\’|tr -d \’\”\’)
echo \”Detected SSO domain name: $DOMAIN\” | tee -a $LOGFILE
SITE=$(/opt/likewise/bin/lwregshell list_values \'[HKEY_THIS_MACHINE\\Services\\vmafd\\Parameters]\’ | grep SiteName | awk \'{print $4}\’|tr -d \’\”\’)
MACHINEID=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id –server-name localhost)
echo \”Detected Machine ID: $MACHINEID\” | tee -a $LOGFILE
IPADDRESS=$(ifconfig | grep eth0 -A1 | grep \”inet addr\” | awk -F \’:\’ \'{print $2}\’ | awk -F \’ \’ \'{print $1}\’)
echo \”Detected IP Address: $IPADDRESS\” | tee -a $LOGFILE
DOMAINCN=\”dc=$(echo \”$DOMAIN\” | sed \’s/\\./,dc=/g\’)\”
echo \”Domain CN: $DOMAINCN\”
ADMIN=\”cn=administrator,cn=users,$DOMAINCN\”
USERNAME=\”administrator@${DOMAIN^^}\”
ROOTCERTDATE=$(openssl x509 -in /var/lib/vmware/vmca/root.cer -text | grep \”Not After\” | awk -F \’ \’ \'{print $7,$4,$5}\’)
TODAYSDATE=$(date +\”%Y %b %d\”)
echo \”#\” > $SCRIPTPATH/certool.cfg
echo \”# Template file for a CSR request\” >> $SCRIPTPATH/certool.cfg
echo \”#\” >> certool.cfg
echo \”# Country is needed and has to be 2 characters\” >> $SCRIPTPATH/certool.cfg
echo \”Country = DS\” >> $SCRIPTPATH/certool.cfg
echo \”Name = $PNID\” >> $SCRIPTPATH/certool.cfg
echo \”Organization = VMware\” >> $SCRIPTPATH/certool.cfg
echo \”OrgUnit = VMware\” >> $SCRIPTPATH/certool.cfg
echo \”State = VMware\” >> $SCRIPTPATH/certool.cfg
echo \”Locality = VMware\” >> $SCRIPTPATH/certool.cfg
echo \”IPAddress = $IPADDRESS\” >> $SCRIPTPATH/certool.cfg
echo \”Email = email@acme.com\” >> $SCRIPTPATH/certool.cfg
echo \”Hostname = $PNID\” >> $SCRIPTPATH/certool.cfg
echo \”==================================\” | tee -a $LOGFILE
echo \”==================================\” | tee -a $LOGFILE
echo \”\”
echo \”Detected Root\’s certificate expiration date: $ROOTCERTDATE\” | tee -a $LOGFILE
echo \”Detected today\’s date: $TODAYSDATE\” | tee -a $LOGFILE
echo \”==================================\” | tee -a $LOGFILE
flag=0
if [[ $TODAYSDATE > $ROOTCERTDATE ]];
then
echo \”IMPORTANT: Root certificate is expired, so it will be replaced\” | tee -a $LOGFILE
flag=1
mkdir /certs && cd /certs
cp $SCRIPTPATH/certool.cfg /certs/vmca.cfg
/usr/lib/vmware-vmca/bin/certool –genselfcacert –outprivkey /certs/vmcacert.key –outcert /certs/vmcacert.crt –config /certs/vmca.cfg
/usr/lib/vmware-vmca/bin/certool –rootca –cert /certs/vmcacert.crt –privkey /certs/vmcacert.key
fi
echo \”#\” > $SCRIPTPATH/certool.cfg
echo \”# Template file for a CSR request\” >> $SCRIPTPATH/certool.cfg
echo \”#\” >> $SCRIPTPATH/certool.cfg
echo \”# Country is needed and has to be 2 characters\” >> $SCRIPTPATH/certool.cfg
echo \”Country = DS\” >> $SCRIPTPATH/certool.cfg
echo \”Name = STS\” >> $SCRIPTPATH/certool.cfg
echo \”Organization = VMware\” >> $SCRIPTPATH/certool.cfg
echo \”OrgUnit = VMware\” >> $SCRIPTPATH/certool.cfg
echo \”State = VMware\” >> $SCRIPTPATH/certool.cfg
echo \”Locality = VMware\” >> $SCRIPTPATH/certool.cfg
echo \”IPAddress = $IPADDRESS\” >> $SCRIPTPATH/certool.cfg
echo \”Email = email@acme.com\” >> $SCRIPTPATH/certool.cfg
echo \”Hostname = $PNID\” >> $SCRIPTPATH/certool.cfg
echo \”\”
echo \”Exporting and generating STS certificate\” | tee -a $LOGFILE
echo \”\”
cd $SCRIPTPATH
/usr/lib/vmware-vmca/bin/certool –server localhost –genkey –privkey=sts.key –pubkey=sts.pub
/usr/lib/vmware-vmca/bin/certool –gencert –cert=sts.cer –privkey=sts.key –config=$SCRIPTPATH/certool.cfg
openssl x509 -outform der -in sts.cer -out sts.der
CERTS=$(csplit -f root /var/lib/vmware/vmca/root.cer \’/—–BEGIN CERTIFICATE—–/\’ \'{*}\’ | wc -l)
openssl pkcs8 -topk8 -inform pem -outform der -in sts.key -out sts.key.der -nocrypt
i=1
until [ $i -eq $CERTS ]
do
openssl x509 -outform der -in root0$i -out vmca0$i.der
((i++))
done
echo \”\”
echo \”\”
read -s -p \”Enter password for administrator@$DOMAIN: \” DOMAINPASSWORD
echo \”\”
# Find the highest tenant credentials index
MAXCREDINDEX=1
while read -r line
do
INDEX=$(echo \”$line\” | tr -dc \’0-9\’)
if [ $INDEX -gt $MAXCREDINDEX ]
then
MAXCREDINDEX=$INDEX
fi
done < <(/opt/likewise/bin/ldapsearch -h localhost -p 389 -b \”cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN\” -D \”cn=administrator,cn=users,$DOMAINCN\” -w \”$DOMAINPASSWORD\” \”(objectclass=vmwSTSTenantCredential)\” cn | grep cn:)
# Sequentially search for tenant credentials up to max index and delete if found
echo \”Highest tenant credentials index : $MAXCREDINDEX\” | tee -a $LOGFILE
i=1
if [ ! -z $MAXCREDINDEX ]
then
until [ $i -gt $MAXCREDINDEX ]
do
echo \”Exporting tenant $i to $SCRIPTPATH\” | tee -a $LOGFILE
echo \”\”
ldapsearch -h localhost -D \”cn=administrator,cn=users,$DOMAINCN\” -w \”$DOMAINPASSWORD\” -b \”cn=TenantCredential-$i,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN\” > $SCRIPTPATH/tenantcredential-$i.ldif
if [ $? -eq 0 ]
then
echo \”Deleting tenant $i\” | tee -a $LOGFILE
ldapdelete -h localhost -D \”cn=administrator,cn=users,$DOMAINCN\” -w \”$DOMAINPASSWORD\” \”cn=TenantCredential-$i,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN\” | tee -a $LOGFILE
else
echo \”Tenant $i not found\” | tee -a $LOGFILE
echo \”\”
fi
((i++))
done
fi
echo \”\”
# Find the highest trusted cert chains index
MAXCERTCHAINSINDEX=1
while read -r line
do
INDEX=$(echo \”$line\” | tr -dc \’0-9\’)
if [ $INDEX -gt $MAXCERTCHAINSINDEX ]
then
MAXCERTCHAINSINDEX=$INDEX
fi
done < <(/opt/likewise/bin/ldapsearch -h localhost -p 389 -b \”cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN\” -D \”cn=administrator,cn=users,$DOMAINCN\” -w \”$DOMAINPASSWORD\” \”(objectclass=vmwSTSTenantTrustedCertificateChain)\” cn | grep cn:)
# Sequentially search for trusted cert chains up to max index and delete if found
echo \”Highest trusted cert chains index: $MAXCERTCHAINSINDEX\” | tee -a $LOGFILE
i=1
if [ ! -z $MAXCERTCHAINSINDEX ]
then
until [ $i -gt $MAXCERTCHAINSINDEX ]
do
echo \”Exporting trustedcertchain $i to $SCRIPTPATH\” | tee -a $LOGFILE
echo \”\”
ldapsearch -h localhost -D \”cn=administrator,cn=users,$DOMAINCN\” -w \”$DOMAINPASSWORD\” -b \”cn=TrustedCertChain-$i,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN\” > $SCRIPTPATH/trustedcertchain-$i.ldif
if [ $? -eq 0 ]
then
echo \”Deleting trustedcertchain $i\” | tee -a $LOGFILE
ldapdelete -h localhost -D \”cn=administrator,cn=users,$DOMAINCN\” -w \”$DOMAINPASSWORD\” \”cn=TrustedCertChain-$i,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN\” | tee -a $LOGFILE
else
echo \”Trusted cert chain $i not found\” | tee -a $LOGFILE
fi
echo \”\”
((i++))
done
fi
echo \”\”
i=1
echo \”dn: cn=TenantCredential-1,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN\” > sso-sts.ldif
echo \”changetype: add\” >> sso-sts.ldif
echo \”objectClass: vmwSTSTenantCredential\” >> sso-sts.ldif
echo \”objectClass: top\” >> sso-sts.ldif
echo \”cn: TenantCredential-1\” >> sso-sts.ldif
echo \”userCertificate:< file:sts.der\” >> sso-sts.ldif
until [ $i -eq $CERTS ]
do
echo \”userCertificate:< file:vmca0$i.der\” >> sso-sts.ldif
((i++))
done
echo \”vmwSTSPrivateKey:< file:sts.key.der\” >> sso-sts.ldif
echo \”\” >> sso-sts.ldif
echo \”dn: cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=$DOMAIN,cn=Tenants,cn=IdentityManager,cn=Services,$DOMAINCN\” >> sso-sts.ldif
echo \”changetype: add\” >> sso-sts.ldif
echo \”objectClass: vmwSTSTenantTrustedCertificateChain\” >> sso-sts.ldif
echo \”objectClass: top\” >> sso-sts.ldif
echo \”cn: TrustedCertChain-1\” >> sso-sts.ldif
echo \”userCertificate:< file:sts.der\” >> sso-sts.ldif
i=1
until [ $i -eq $CERTS ]
do
echo \”userCertificate:< file:vmca0$i.der\” >> sso-sts.ldif
((i++))
done
echo \”\”
echo \”Applying newly generated STS certificate to SSO domain\” | tee -a $LOGFILE
/opt/likewise/bin/ldapmodify -x -h localhost -p 389 -D \”cn=administrator,cn=users,$DOMAINCN\” -w \”$DOMAINPASSWORD\” -f sso-sts.ldif | tee -a $LOGFILE
echo \”\”
echo \”Replacement finished – Please restart services on all vCenters and PSCs in your SSO domain\” | tee -a $LOGFILE
echo \”==================================\” | tee -a $LOGFILE
echo \”IMPORTANT: In case you\’re using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure\” | tee -a $LOGFILE
echo \”==================================\” | tee -a $LOGFILE
echo \”==================================\” | tee -a $LOGFILE
if [ $flag == 1 ]
then
echo \”Since your Root certificate was expired and was replaced, you will need to replace your MachineSSL and Solution User certificates\” | tee -a $LOGFILE
echo \”You can do so following this KB: https://kb.vmware.com/s/article/2097936\” | tee -a $LOGFILE
fi

7.给fixsts.sh执行权限

chmod +x fixsts.sh

8.运行脚本./fixsts.sh

按要求输入密码

9.重启服务

service-control –stop –all && service-control –start –all

结果最后一行：
Service-control failed. Error Failed to start vmon services.vmon-cli RC=1, stderr=Failed to start sca, vpxd-svcs, cm, vapi-endpoint services. Error: Operation timed out

会发现有的服务无法启动，没有启动起来的服务直接无视，因为证书还没替换

重新分配证书

执行以下命令替换证书配置

/usr/lib/vmware-vmca/bin/certificate-manager

输入“8”，按要求输入信息，可回车直接跳过按默认值设置，如下为参考（本示例vcenter地址为192.168.167.170）：

root@photon-machine [ /tmp ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.5 Certificate Manager *** |
| |
| — Select Operation — |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y
Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@vsphere.local
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : y
Press Enter key to skip optional parameters or use Previous value.
Enter proper value for \’Country\’ [Previous value : US] :
Enter proper value for \’Name\’ [Previous value : CA] :
Enter proper value for \’Organization\’ [Previous value : VMware] :
Enter proper value for \’OrgUnit\’ [Previous value : VMware Engineering] :
Enter proper value for \’State\’ [Previous value : California] :
Enter proper value for \’Locality\’ [Previous value : Palo Alto] :
Enter proper value for \’IPAddress\’ (Provide comma separated values for multiple IP addresses) [optional] : 192.168.167.170
Enter proper value for \’Email\’ [Previous value : email@acme.com] :
Enter proper value for \’Hostname\’ (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : 192.168.167.170
Enter proper value for VMCA \’Name\’ :192.168.167.170
Continue operation : Option[Y/N] ? : y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site nameCompleted [Reset Machine SSL Cert…]
site
Lookup all services
Get service site:911fc2f1-392c-4f1b-84d2-49f91c3046f2
Don\’t update service site:911fc2f1-392c-4f1b-84d2-49f91c3046f2
Get service site:aea34480-46ce-41cf-a7e2-1d15bdcc0ab1
Don\’t update service site:aea34480-46ce-41cf-a7e2-1d15bdcc0ab1
Get service site:8938d34a-c15d-40cc-850d-c9304e68dae4
Don\’t update service site:8938d34a-c15d-40cc-850d-c9304e68dae4
Get service a79a41ce-5342-4493-929e-811383bff203
Don\’t update service a79a41ce-5342-4493-929e-811383bff203
Get service 5fbf2d4b-b430-470c-9851-702610484343
Don\’t update service 5fbf2d4b-b430-470c-9851-702610484343
Get service de3ebc64-8ae4-4235-b1d6-de65883b7096
Don\’t update service de3ebc64-8ae4-4235-b1d6-de65883b7096
Get service 57ad9946-2957-4555-8bfb-10c65ce68c6c_authz
Don\’t update service 57ad9946-2957-4555-8bfb-10c65ce68c6c_authz
Get service 1d4b42a2-d90a-474e-a689-8cca9495c27b
Don\’t update service 1d4b42a2-d90a-474e-a689-8cca9495c27b
Get service 57ad9946-2957-4555-8bfb-10c65ce68c6c
Don\’t update service 57ad9946-2957-4555-8bfb-10c65ce68c6c
Get service 587f612e-a714-484e-aca1-0d2de3ad1e29
Don\’t update service 587f612e-a714-484e-aca1-0d2de3ad1e29
Get service e48d9ffe-2fe1-4559-9222-2269c2d4f0b6
Don\’t update service e48d9ffe-2fe1-4559-9222-2269c2d4f0b6
Get service 01940b7b-f22c-4333-8035-955bbbb91603
Don\’t update service 01940b7b-f22c-4333-8035-955bbbb91603
Get service b54d7f46-73d2-481d-91dc-da8d8e993ef3
Don\’t update service b54d7f46-73d2-481d-91dc-da8d8e993ef3
Get service 85e3c0eb-d952-43d9-a08d-ab161bf6d101
Don\’t update service 85e3c0eb-d952-43d9-a08d-ab161bf6d101
Get service e1a6c0f8-8a91-4d82-ab6e-79287d2b1ed2
Don\’t update service e1a6c0f8-8a91-4d82-ab6e-79287d2b1ed2
Get service be7818e6-911d-4063-b88e-73b5915c0df0
Don\’t update service be7818e6-911d-4063-b88e-73b5915c0df0
Get service 3078f34e-3759-4320-b472-877453ce1b18
Don\’t update service 3078f34e-3759-4320-b472-877453ce1b18
Get service ea0d05e1-02a8-4a2c-9fed-184d750198f4
Don\’t update service ea0d05e1-02a8-4a2c-9fed-184d750198f4
Get service 755cb09e-57c7-4d35-bed1-6f8765249f69
Don\’t update service 755cb09e-57c7-4d35-bed1-6f8765249f69
Get service 217e3e49-6173-454d-9561-3f425c5acddd
Don\’t update service 217e3e49-6173-454d-9561-3f425c5acddd
Get service c7a2c7d1-8aa6-4a35-a653-a78413d754a3
Don\’t update service c7a2c7d1-8aa6-4a35-a653-a78413d754a3
Get service fb3064d8-e453-48da-9b7e-429a3bedf7a8
Don\’t update service fb3064d8-e453-48da-9b7e-429a3bedf7a8
Get service ced86945-2a57-4d42-b9dc-20f483ebf7e9
Don\’t update service ced86945-2a57-4d42-b9dc-20f483ebf7e9
Get service e5dd7481-e3fb-4844-bd0e-d2b365797b62
Don\’t update service e5dd7481-e3fb-4844-bd0e-d2b365797b62
Get service ea152519-4fde-42d6-b801-bcf0e5f6c8f0
Don\’t update service ea152519-4fde-42d6-b801-bcf0e5f6c8f0
Get service 674b549c-6ea0-403e-ad7e-762f9f1f9888
Don\’t update service 674b549c-6ea0-403e-ad7e-762f9f1f9888
Get service 3208647b-438b-4874-b96c-ad4258f7e934
Don\’t update service 3208647b-438b-4874-b96c-ad4258f7e934
Get service 13062b8f-2507-4e96-82fb-300c86336567
Don\’t update service 13062b8f-2507-4e96-82fb-300c86336567
Get service 57ad9946-2957-4555-8bfb-10c65ce68c6c_kv
Don\’t update service 57ad9946-2957-4555-8bfb-10c65ce68c6c_kv
Get service 0f9becdc-a140-44af-9fa7-4e82733eceb0
Don\’t update service 0f9becdc-a140-44af-9fa7-4e82733eceb0
Updated 0 service(s)
Status : 60% Completed [Reset vpxd-extension Cert…]
2024-06-22T12:21:37.568Z Updating certificate for \”com.vmware.vim.eam\” extension
2024-06-22T12:21:37.717Z Updating certificate for \”com.vmware.rbd\” extension
Reset status : 100% Completed [Reset completed successfully]

过会即可正常访问

#以上关于Vcenter证书过期解决方案的相关内容来源网络仅供参考，相关信息请以官方公告为准！