
vCenter 6.5: services fail to restart after certificates expire


vCenter 6.5: services fail to restart after the administrator password expired

1. Reset the administrator password from the command line

/usr/lib/vmware-vmdir/bin/vdcadmintool

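Select option 3, Reset account password

Enter the UPN: administrator@vsphere.local

The system generates a new random password.

2. Check from the command line whether any certificates have expired

"Signing certificate is not valid" error in VCSA 6.5.x, 6.7.x or vCenter Server 7.0.x (76719)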

for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done

The SSL, ROOT_CRLS, machine, webclient, vpxd and extension certificates were all found to be expired.
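The step 2 listing can be reduced to a per-entry verdict instead of being read by eye. This is an added example, not part of the original post or of VMware's scripts: the function names, the cutoff argument and the sample listing are constructed, and the line layout is assumed from the grep pattern above.

```shell
#!/bin/sh
# Added example: classify VECS entries as EXPIRED or OK against a cutoff time.
# Input on stdin: "STORE <name>", "Alias : <alias>" and "Not After : <date>"
# lines, as printed by the step 2 loop (layout assumed from its grep pattern).
# $1: cutoff in UTC as YYYYMMDDHHMMSS (default: now); pass a future time to
# also catch certificates that expire before then.
vecs_expiry_report() {
    cutoff=${1:-$(date -u +%Y%m%d%H%M%S)}
    awk -v cutoff="$cutoff" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i
        }
        $1 == "STORE" { store = $2; next }
        /^Alias/      { alias = $NF; next }
        /Not After/ {
            sub(/^.*Not After *: */, "")   # leaves: Mon DD HH:MM:SS YYYY GMT
            split($0, d, " "); split(d[3], t, ":")
            if (!(d[1] in mon)) { print "UNPARSED", store, alias, $0; next }
            # Zero-padded timestamps compare correctly as plain strings.
            na = sprintf("%04d%02d%02d%02d%02d%02d", d[4], mon[d[1]], d[2], t[1], t[2], t[3])
            st = (na < cutoff) ? "EXPIRED" : "OK"
            print st, store, alias, na
        }'
}

# Constructed sample listing (not real appliance output).
sample_listing() {
    cat <<'EOF'
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Sep  9 13:57:15 2023 GMT
STORE machine
Alias : machine
            Not After : Dec 31 23:59:59 2023 GMT
STORE vpxd
Alias : vpxd
            Not After : Jan  2 03:04:05 2025 GMT
EOF
}

sample_listing | vecs_expiry_report 20240101000000
# Live use on the appliance: pipe the step 2 loop into vecs_expiry_report.
```

Running the same report again after step 5 confirms that no entry is still marked EXPIRED before the backup store is deleted.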

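3. Download the official STS certificate check script and fix script

Appendix: switching between the Appliance Shell and the bash shell

chsh -s /bin/bash root   # switch to the bash shell

chsh -s /bin/appliancesh root   # switch back to the Appliance Shell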

chmod +x checksts.py

chmod +x fixsts.sh

./checksts.py

4. Run the fix script

./fixsts.sh

service-control --stop --all

service-control --start --all

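The services fail to start (because certificates other than the STS certificate have also expired).

5. Reset all certificates

To start vSphere Certificate Manager, run the following command:

vCenter Server Appliance: /usr/lib/vmware-vmca/bin/certificate-manager

Select option 8.

This failed with an error that the vpxd service could not be started. Research turned up the following: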

For vCenter Server Appliance (VCSA):

  1. Take an SSH connection to the affected VCSA machine(s) and execute these commands line by line:

export JAVA_BIN=/usr/java/jre-vmware/bin/java

export CLASSPATH=/opt/vmware/lib64/*:/usr/lib/vmware-sso/commonlib/*

export _SSO_ROOT_CERT_X509=/etc/vmware-sso/keys/ssoserverRoot.crt

export _SSO_SIGNING_LEAF_CERT_X509=/etc/vmware-sso/keys/ssoserverSign.crt

export _SSO_SIGNING_LEAF_CERT_KEY=/etc/vmware-sso/keys/ssoserverSign.key

$JAVA_BIN -cp $CLASSPATH com.vmware.identity.installer.STSInstaller --install --root-cert-path "$_SSO_ROOT_CERT_X509" --cert-path "$_SSO_SIGNING_LEAF_CERT_X509" --private-key-path "$_SSO_SIGNING_LEAF_CERT_KEY"

  2. After you see the message Successfully installed VMware STS, reboot VCSA to ensure IDM/STS references the changed certificate and to allow the other services (VC, IS, NGC) to pick up this change.

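Official KB link: Logging in to vSphere web client fails with error: The login request has expired due to a clock synchronization issue between vSphere Web Client and vCenter Single Sign-On server (2108379) (vmware.com)

3. Then start vSphere Certificate Manager again and select option 8 to renew the certificates.

If you have confirmed that the STS certificate has not expired, go straight to renewing the other certificates.

Refer to the KB to renew the other vCenter certificates:

VMware Knowledge Base

Select option 8 and follow the prompts: for "Hostname" enter the vCenter FQDN, and for VMCA Name enter the same value as Hostname (if vCenter was deployed by IP address, enter the IP address).

Querying again shows the certificates were successfully renewed for 2 years.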

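6. Log in to the web page to verify

vSphere - DSBJvCenter - Summary

7. Delete the backup certificates

CertificateStatusAlarm - There are certificates that have expired or are about to expire / Certificate status change alarm triggered on VMware vCenter Server (68171)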

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp___MACHINE_CERT -y

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp_machine -y

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp_vsphere-webclient -y

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp_vpxd -y

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store BACKUP_STORE --alias bkp_vpxd-extension -y

8. Delete the store

/usr/lib/vmware-vmafd/bin/vecs-cli store delete --name BACKUP_STORE -y

List the stores

/usr/lib/vmware-vmafd/bin/vecs-cli store list

9. Log in to the web page to manage certificates

https://10.22.4.50/psc/#?extensionId=psc.core.home

https://10.22.4.50/psc

Log file locations:

  • vSphere Certificate Manager stores the certificate-manager.log file in the following locations:
    • Windows vCenter Server 6.x: C:\ProgramData\VMware\vCenterServer\logs\vmca\certificate-manager.log
    • vCenter Server Appliance 6.x/7.x: /var/log/vmware/vmcad/certificate-manager.log

  • The certool.cfg file is located at:

C:\Program Files\VMware\vCenter Server\vmcad\certool.cfg

  • Configuration file locations on the vCenter Server Appliance and the Platform Services Controller appliance:
    • vCenter Server Appliance: /usr/lib/vmware-vmca/share/config/certool.cfg
    • Platform Services Controller appliance: /usr/lib/vmware-vmca/share/config/certool.cfg

When uploading the script files to the PSC and vCenter appliances with WinSCP over SCP, the following error appears:

Host is not communicating for more than 15 seconds. If the problem repeats, try turning off ‘Optimize connection buffer size’.

Switch to the bash shell and then reconnect.

Official KB link: CertificateStatusAlarm - There are certificates that have expired or are about to expire / Certificate status change alarm triggered on VMware vCenter Server (68171)

Verify and resolve expired vCenter Server certificates using command line

VMware Knowledge Base

Official check: VMware Knowledge Base

How to use vSphere Certificate Manager to replace SSL certificates (2097936) (vmware.com)
