vc密码正确无法登陆。证书过期。处理。_vc证书过期-爱代码爱编程
错误提示:
503 Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http20NamedPipeServiceSpecE:0x00007fecb000b770] _serverNamespace = / action = Allow _pipeName =/var/run/vmware/vpxd-webserver-pipe)
进入ssh界面
检查chip空间十分正常:
root@record [ ~ ]# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 7.9G 0 7.9G 0% /dev
tmpfs 7.9G 12K 7.9G 1% /dev/shm
tmpfs 7.9G 700K 7.9G 1% /run
tmpfs 7.9G 0 7.9G 0% /sys/fs/cgroup
/dev/sda3 11G 5.5G 4.7G 55% /
tmpfs 7.9G 18M 7.9G 1% /tmp
/dev/mapper/netdump_vg-netdump 985M 1.3M 932M 1% /storage/netdump
/dev/mapper/log_vg-log 9.8G 3.1G 6.2G 34% /storage/log
/dev/mapper/imagebuilder_vg-imagebuilder 9.8G 23M 9.2G 1% /storage/imagebuilder
/dev/mapper/db_vg-db 9.8G 242M 9.0G 3% /storage/db
/dev/mapper/core_vg-core 50G 52M 47G 1% /storage/core
/dev/mapper/autodeploy_vg-autodeploy 9.8G 23M 9.2G 1% /storage/autodeploy
/dev/mapper/updatemgr_vg-updatemgr 99G 98M 94G 1% /storage/updatemgr
/dev/mapper/dblog_vg-dblog 15G 230M 14G 2% /storage/dblog
/dev/mapper/seat_vg-seat 25G 1.3G 22G 6% /storage/seat
/dev/sda1 120M 28M 87M 25% /boot
检查证书是否过期:
root@record [ /tmp1 ]# python checksts.py
2 VALID CERTS
================
LEAF CERTS:
[] Certificate 77:B0:98:2C:F6:A5:76:78:79:97:47:74:05:BE:82:9C:1A:CA:52:95 will expire in 730 days (2.0 years).
ROOT CERTS:
[] Certificate 0A:95:66:2A:38:52:F2:24:17:D9:BC:66:0C:E8:5C:C2:31:80:54:05 will expire in 2915 days (7.0 years).
0 EXPIRED CERTS
================
LEAF CERTS:
None
ROOT CERTS:
None
root@record [ /tmp1 ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Aug 27 21:14:59 2021 GMT
STORE TRUSTED_ROOTS
Alias : 0a95662a3852f22417d9bc660ce85cc231805405
Not After : Aug 22 09:14:26 2029 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 615ffd35bd0c86bd4e1a482b975fca208fc422d6
STORE machine
Alias : machine
Not After : Aug 27 09:05:53 2021 GMT
STORE vsphere-webclient
Alias : vsphere-webclient
Not After : Aug 27 09:05:58 2021 GMT
STORE vpxd
Alias : vpxd
Not After : Aug 27 09:06:05 2021 GMT
STORE vpxd-extension
Alias : vpxd-extension
Not After : Aug 27 09:06:06 2021 GMT
STORE SMS
Alias : sms_self_signed
Not After : Aug 28 09:20:48 2029 GMT
STORE BACKUP_STORE
Alias : bkp___MACHINE_CERT
Not After : Aug 27 21:14:59 2021 GMT
Alias : bkp_machine
Not After : Aug 27 09:05:53 2021 GMT
Alias : bkp_vsphere-webclient
Not After : Aug 27 09:05:58 2021 GMT
Alias : bkp_vpxd
Not After : Aug 27 09:06:05 2021 GMT
Alias : bkp_vpxd-extension
Not After : Aug 27 09:06:06 2021 GMT
发现证书过期:
查询服务名称信息
root@record [ /tmp1 ]# /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
192.16.86.240
更新证书
root@record [ /tmp1 ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.5 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC priviledged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:Administrator@vsphere.local
Enter password:
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : CA] :
Enter proper value for 'Organization' [Default value : VMware] :
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 192.16.86.240
Enter proper value for 'Email' [Default value : email@acme.com] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : 192.16.86.240
Enter proper value for VMCA 'Name' :192.16.86.240
Continue operation : Option[Y/N] ? : y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site nameCompleted [Reset Machine SSL Cert...]
Reset status : 100% Completed [Reset completed successfully]
root@record [ /tmp1 ]# reboot -f
root@record [ /tmp1 ]# ./fixsts.sh
NOTE: This works on external and embedded PSCs
This script will do the following
1: Regenerate STS certificate
What is needed?
1: Offline snapshots of VCs/PSCs
2: SSO Admin Password
IMPORTANT: This script should only be run on a single PSC per SSO domain
==================================
Resetting STS certificate for record started on Sat Sep 4 14:55:30 CST 2021
Detected DN: cn=192.16.86.240,ou=Domain Controllers,dc=vsphere,dc=local
Detected PNID: 192.16.86.240
Detected PSC: 192.16.86.240
Detected SSO domain name: vsphere.local
Detected Machine ID: 1cd37eb5-541c-40ac-9d6f-f49c41f35515
Detected IP Address: 192.16.86.240
Domain CN: dc=vsphere,dc=local
==================================
==================================
Detected Root's certificate expiration date: 2029 Aug 29
Detected today's date: 2021 Sep 4
==================================
Exporting and generating STS certificate
Status : Success
Using config file : /tmp/vmware-fixsts/certool.cfg
Status : Success
Enter password for administrator@vsphere.local:
Amount of tenant credentials: 1
Exporting tenant 1 to /tmp/vmware-fixsts
Deleting tenant 1
Amount of trustedcertchains: 1
Exporting trustedcertchain 1 to /tmp/vmware-fixsts
Deleting trustedcertchain 1
Applying newly generated STS certificate to SSO domain
adding new entry "cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"
adding new entry "cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"
Replacement finished - Please restart services on all vCenters and PSCs in your SSO domain
==================================
IMPORTANT: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure
==================================
==================================
root@record [ /tmp1 ]# reboot -f