Vmware Vcenter7.0证书web续期发生错误

写过一篇  金牌会员 | 2024-12-12 20:54:42 | 显示全部楼层 | 阅读模式
打印 上一主题 下一主题
楼主

主题 821|帖子 821|积分 2463

1. 故障描述

vSphere Client 版本 7.0.2.00200
vCenter _MACHINE_CERT快到期了,通过web界面更新证书失败
第一步先如许,重新续订一下证书

续订发生错误

2. 办理办法

2.1. 前提工作

登岸ssh到vcenter,重新天生证书
先关掉HA,不然证书管剖析报错。
  1. Connected to service
  3.     * List APIs: "help api list"
  4.     * List Plugins: "help pi list"
  5.     * Launch BASH: "shell"
  7. Command> shell
  8. Shell access is granted to root
  9. root@localhost [ ~ ]# cd /usr/lib/vmware-vmca/bin/
  10. root@localhost [ /usr/lib/vmware-vmca/bin ]# /usr/lib/vmware-vmca/bin/certificate-manager
  12. Certificate Manager tool do not support vCenter HA systems
复制代码
PSSSSSSSS:记得vCenter做备份,做快照
2.2. 天生盘算机ssl证书

天生证书,选择第三个(PS,如果没有域名的,一定要写IP,不然很容易卡在85%,服务不能起来)
  1. root@localhost [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
  2.                  _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
  3.                 |                                                                     |
  4.                 |      *** Welcome to the vSphere 6.8 Certificate Manager  ***        |
  5.                 |                                                                     |
  6.                 |                   -- Select Operation --                            |
  7.                 |                                                                     |
  8.                 |      1. Replace Machine SSL certificate with Custom Certificate     |
  9.                 |                                                                     |
  10.                 |      2. Replace VMCA Root certificate with Custom Signing           |
  11.                 |         Certificate and replace all Certificates                    |
  12.                 |                                                                     |
  13.                 |      3. Replace Machine SSL certificate with VMCA Certificate       |
  14.                 |                                                                     |
  15.                 |      4. Regenerate a new VMCA Root Certificate and                  |
  16.                 |         replace all certificates                                    |
  17.                 |                                                                     |
  18.                 |      5. Replace Solution user certificates with                     |
  19.                 |         Custom Certificate                                          |
  20.                 |         NOTE: Solution user certs will be deprecated in a future    |
  21.                 |         release of vCenter. Refer to release notes for more details.|
  22.                 |                                                                     |
  23.                 |      6. Replace Solution user certificates with VMCA certificates   |
  24.                 |                                                                     |
  25.                 |      7. Revert last performed operation by re-publishing old        |
  26.                 |         certificates                                                |
  27.                 |                                                                     |
  28.                 |      8. Reset all Certificates                                      |
  29.                 |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
  30. Note : Use Ctrl-D to exit.
  31. Option[1 to 8]: 3
  33. Please provide valid SSO and VC privileged user credential to perform certificate operations.
  34. Enter username [Administrator@vsphere.local]:
  35. Enter password:
  36. certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : y
  38. Press Enter key to skip optional parameters or use Previous value.
  40. Enter proper value for 'Country' [Previous value : CN] :
  42. Enter proper value for 'Name' [Previous value : CA] :
  44. Enter proper value for 'Organization' [Previous value : VMware] :
  46. Enter proper value for 'OrgUnit' [Previous value : VMware Engineering] :
  48. Enter proper value for 'State' [Previous value : California] : gd
  50. Enter proper value for 'Locality' [Previous value : Palo Alto] : gz
  52. Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : XX.XX.XX.XX
  54. Enter proper value for 'Email' [Previous value : email@acme.com] : q@qq.cc
  56. Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : XX.XX.XX.XX
  58. Enter proper value for VMCA 'Name' :XX.XX.XX.XX
  60. You are going to regenerate Machine SSL cert using VMCA
  61. Continue operation : Option[Y/N] ? : y
  62. Get site nameompleted [Replacing Machine SSL Cert...]                  
  63. default-first-site
  64. Lookup all services
  65. Get service default-first-site:721f0c08-f5fe-4233-aca8-adb8de27427b
  66. Update service default-first-site:721f0c08-f5fe-4233-aca8-adb8de27427b; spec: /tmp/svcspec_nmq8ssku
  67. Get service default-first-site:a8fa2cf1-a539-4327-aa48-c33761a538a4
  68. Update service default-first-site:a8fa2cf1-a539-4327-aa48-c33761a538a4; spec: /tmp/svcspec_o_gl7c_2
  69. Get service default-first-site:204a2a4e-223e-46d6-93e2-fec0c90393c4
  70. Update service default-first-site:204a2a4e-223e-46d6-93e2-fec0c90393c4; spec: /tmp/svcspec__2p8luju
  71. Get service 79e91659-12a1-427b-92e5-11f1cbc2c150
  72. Update service 79e91659-12a1-427b-92e5-11f1cbc2c150; spec: /tmp/svcspec_8zwpgcef
  73. Get service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vrops
  74. Don't update service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vrops
  75. Get service 0cb00c88-bb60-478c-9737-802019c5708a
  76. Update service 0cb00c88-bb60-478c-9737-802019c5708a; spec: /tmp/svcspec_k5szxjgs
  77. Get service 1ee5c2aa-fde0-489a-8f95-f701f84b44c9
  78. Update service 1ee5c2aa-fde0-489a-8f95-f701f84b44c9; spec: /tmp/svcspec_sdbbikhr
  79. Get service 5f15b57d-8269-47d4-88af-c9aab1fd223d
  80. Update service 5f15b57d-8269-47d4-88af-c9aab1fd223d; spec: /tmp/svcspec_mwgz82tz
  81. Get service 56e494d3-f758-461a-8337-e309d1e2d0b4
  82. Update service 56e494d3-f758-461a-8337-e309d1e2d0b4; spec: /tmp/svcspec_b6fwtzz6
  83. Get service d3426061-6261-456f-b5b2-e70d3e56c69e
  84. Update service d3426061-6261-456f-b5b2-e70d3e56c69e; spec: /tmp/svcspec_o08ocymw
  85. Get service 1c5fe660-5abd-453d-9f18-d21ca1a615b9
  86. Update service 1c5fe660-5abd-453d-9f18-d21ca1a615b9; spec: /tmp/svcspec_v__tqn34
  87. Get service 8ccf37e5-c01f-491b-88d1-fd67d6377c2f
  88. Update service 8ccf37e5-c01f-491b-88d1-fd67d6377c2f; spec: /tmp/svcspec_yczoj_f9
  89. Get service 4d101d2f-a50f-4ffd-b03a-f3728817b340
  90. Update service 4d101d2f-a50f-4ffd-b03a-f3728817b340; spec: /tmp/svcspec_wyhs5pfy
  91. Get service 761c8d6c-131f-4136-9e0e-4945917a5607
  92. Update service 761c8d6c-131f-4136-9e0e-4945917a5607; spec: /tmp/svcspec_gjkmay7h
  93. Get service ec372f25-38cf-4cd8-ac92-6ebeff0ff85e
  94. Update service ec372f25-38cf-4cd8-ac92-6ebeff0ff85e; spec: /tmp/svcspec_u4c16zhs
  95. Get service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vsphere.client
  96. Don't update service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vsphere.client
  97. Get service e97549a3-2aa5-4e47-a81b-5b6490837d43
  98. Update service e97549a3-2aa5-4e47-a81b-5b6490837d43; spec: /tmp/svcspec_h26ke7t5
  99. Get service 279f5d2f-f375-41d6-b5d3-8a7e397fb6c8
  100. Update service 279f5d2f-f375-41d6-b5d3-8a7e397fb6c8; spec: /tmp/svcspec_hw2tz45w
  101. Get service 4730664d-0fe7-4e70-b827-bcdf1686d17d
  102. Update service 4730664d-0fe7-4e70-b827-bcdf1686d17d; spec: /tmp/svcspec_mn19ltn_
  103. Get service e64650fc-800d-4855-9b60-bd591562102b
  104. Update service e64650fc-800d-4855-9b60-bd591562102b; spec: /tmp/svcspec_8iz8nl1t
  105. Get service 0c872fd2-b582-4172-8b7e-465f6de28b76
  106. Update service 0c872fd2-b582-4172-8b7e-465f6de28b76; spec: /tmp/svcspec_f3957lva
  107. Get service bf46ae3e-9d26-459a-9703-25000ba81e09
  108. Update service bf46ae3e-9d26-459a-9703-25000ba81e09; spec: /tmp/svcspec_sfje8un0
  109. Get service 430891f7-bb3c-475a-9331-bdb671f1b415
  110. Update service 430891f7-bb3c-475a-9331-bdb671f1b415; spec: /tmp/svcspec_g91d7d9p
  111. Get service 1ee5233a-0737-4b71-b74e-28105ff9361b
  112. Update service 1ee5233a-0737-4b71-b74e-28105ff9361b; spec: /tmp/svcspec_184jc1s2
  113. Get service 6cc99f96-ee9a-406b-9018-2414b837c442_kv
  114. Update service 6cc99f96-ee9a-406b-9018-2414b837c442_kv; spec: /tmp/svcspec_2rjbyjlj
  115. Get service c947d5e0-c832-4b98-9518-c28d5be261c6
  116. Update service c947d5e0-c832-4b98-9518-c28d5be261c6; spec: /tmp/svcspec_d18ux756
  117. Get service cc78a6fe-ee02-414a-a10a-5b9511810c0e
  118. Update service cc78a6fe-ee02-414a-a10a-5b9511810c0e; spec: /tmp/svcspec_nd5ehat0
  119. Get service daaffbbd-5fdb-4aaf-842a-94e4c6948920
  120. Update service daaffbbd-5fdb-4aaf-842a-94e4c6948920; spec: /tmp/svcspec__o82zeym
  121. Get service 206c94d5-8cc7-4646-a93e-389064c64bbe
  122. Update service 206c94d5-8cc7-4646-a93e-389064c64bbe; spec: /tmp/svcspec_oecjimvw
  123. Get service 6cc99f96-ee9a-406b-9018-2414b837c442_authz
  124. Update service 6cc99f96-ee9a-406b-9018-2414b837c442_authz; spec: /tmp/svcspec_du_d2yx4
  125. Get service 26edf5a0-b4e6-41b9-b972-e74c493dab27
  126. Update service 26edf5a0-b4e6-41b9-b972-e74c493dab27; spec: /tmp/svcspec_dc89lu60
  127. Get service 0d85950f-ca7d-4686-aa36-b627ce77fda9
  128. Update service 0d85950f-ca7d-4686-aa36-b627ce77fda9; spec: /tmp/svcspec_igw1rch3
  129. Get service 287c218f-a49f-41fd-b845-1962a1db7b2f
  130. Update service 287c218f-a49f-41fd-b845-1962a1db7b2f; spec: /tmp/svcspec_0fjjjag3
  131. Get service b6332254-0911-4bb1-8461-7e9d7ac18fb2
  132. Update service b6332254-0911-4bb1-8461-7e9d7ac18fb2; spec: /tmp/svcspec_0up89kup
  133. Get service 87899b67-58d6-4d1a-99a1-7a5a47fe8d79
  134. Update service 87899b67-58d6-4d1a-99a1-7a5a47fe8d79; spec: /tmp/svcspec_de6rp33r
  135. Get service 0fbed2c1-0e7e-4fd1-9eaa-78a6af02d788
  136. Update service 0fbed2c1-0e7e-4fd1-9eaa-78a6af02d788; spec: /tmp/svcspec_s5ew895r
  137. Get service 6cc99f96-ee9a-406b-9018-2414b837c442
  138. Update service 6cc99f96-ee9a-406b-9018-2414b837c442; spec: /tmp/svcspec_ue3hi4zt
  139. Get service 79ed9113-fa3f-4f5e-817a-7a11145880c7
  140. Update service 79ed9113-fa3f-4f5e-817a-7a11145880c7; spec: /tmp/svcspec_r0azsaib
  141. Get service 1829b7b8-e755-4db6-9665-439f3f2624d1
  142. Update service 1829b7b8-e755-4db6-9665-439f3f2624d1; spec: /tmp/svcspec_pfbbxyof
  143. Get service 1146b510-76ab-4e88-9a1e-5933b4d64f3e
  144. Update service 1146b510-76ab-4e88-9a1e-5933b4d64f3e; spec: /tmp/svcspec_rncl11rd
  145. Get service 31728e0d-6f78-4da8-93aa-98fb456d5672
  146. Update service 31728e0d-6f78-4da8-93aa-98fb456d5672; spec: /tmp/svcspec_7i1z6ff9
  147. Get service 196f8571-ac23-4a80-882f-aba9deb7989b
  148. Update service 196f8571-ac23-4a80-882f-aba9deb7989b; spec: /tmp/svcspec_jkmbsi93
  149. Get service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vcops
  150. Don't update service 1652cda7-3207-431e-9d82-031ceffb42b4_com.vmware.vcops
  151. Get service bc991693-97a8-4993-949d-d5eb461d4824
  152. Don't update service bc991693-97a8-4993-949d-d5eb461d4824
  153. Get service 1652cda7-3207-431e-9d82-031ceffb42b4
  154. Update service 1652cda7-3207-431e-9d82-031ceffb42b4; spec: /tmp/svcspec_xth2o90b
  155. Get service 659e024f-fa27-4d0a-bcb8-54634aea9679
  156. Update service 659e024f-fa27-4d0a-bcb8-54634aea9679; spec: /tmp/svcspec_5g731icv
  157. Get service b7c2a448-af0e-4d7e-a892-0d307bd9ee9d
  158. Update service b7c2a448-af0e-4d7e-a892-0d307bd9ee9d; spec: /tmp/svcspec_3e61aymd
  159. Updated 43 service(s)
  160. Status : 85% Completed [starting services...]                  
  162. Status : 100% Completed [All tasks completed successfully]
  163.                  
复制代码
2.3. 删除旧的证书

  1. # 查看一下现有的证书
  2. root@localhost [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
  3. [*] Store : MACHINE_SSL_CERT
  4. Alias :        __MACHINE_CERT
  5.             Not After : May 11 08:44:26 2025 GMT
  6. [*] Store : TRUSTED_ROOTS
  7. Alias :        6f6ae78eb3a9abdbc7bf43797b765e62851a6af6
  8.             Not After : May 25 02:23:47 2031 GMT
  9. [*] Store : machine
  10. Alias :        machine
  11.             Not After : May 25 02:23:47 2031 GMT
  12. [*] Store : vsphere-webclient
  13. Alias :        vsphere-webclient
  14.             Not After : May 25 02:23:47 2031 GMT
  15. [*] Store : vpxd
  16. Alias :        vpxd
  17.             Not After : May 25 02:23:47 2031 GMT
  18. [*] Store : vpxd-extension
  19. Alias :        vpxd-extension
  20.             Not After : May 25 02:23:47 2031 GMT
  21. [*] Store : hvc
  22. Alias :        hvc
  23.             Not After : May 25 02:23:47 2031 GMT
  24. [*] Store : data-encipherment
  25. Alias :        data-encipherment
  26.             Not After : May 25 02:23:47 2031 GMT
  27. [*] Store : APPLMGMT_PASSWORD
  28. Alias :        location_password_default
  29. [*] Store : SMS
  30. Alias :        sms_self_signed
  31.             Not After : May 30 02:28:11 2031 GMT
  32. [*] Store : wcp
  33. Alias :        wcp
  34.             Not After : May 30 02:19:32 2023 GMT
  35. [*] Store : BACKUP_STORE
  36. Alias :        bkp___MACHINE_CERT
  37.             Not After : May 30 14:23:47 2023 GMT
  38. Alias :        bkp_machine
  39.             Not After : May 25 02:23:47 2031 GMT
  40. Alias :        bkp_vsphere-webclient
  41.             Not After : May 25 02:23:47 2031 GMT
  42. Alias :        bkp_vpxd
  43.             Not After : May 25 02:23:47 2031 GMT
  44. Alias :        bkp_vpxd-extension
  45.             Not After : May 25 02:23:47 2031 GMT
  46. Alias :        bkp_hvc
  47.             Not After : May 25 02:23:47 2031 GMT
  48. Alias :        bkp_wcp
  49.             Not After : May 30 02:19:32 2023 GMT
  50. Alias :        __MACHINE_CERT
  51.             Not After : May 11 08:21:25 2025 GMT
  53. # 删除证书
  54. root@localhost [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli store delete --name BACKUP_STORE -y
  55. Successfully deleted store [BACKUP_STORE]
  56. root@localhost [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
  57. [*] Store : MACHINE_SSL_CERT
  58. Alias :        __MACHINE_CERT
  59.             Not After : May 11 08:44:26 2025 GMT
  60. [*] Store : TRUSTED_ROOTS
  61. Alias :        6f6ae78eb3a9abdbc7bf43797b765e62851a6af6
  62.             Not After : May 25 02:23:47 2031 GMT
  63. [*] Store : machine
  64. Alias :        machine
  65.             Not After : May 25 02:23:47 2031 GMT
  66. [*] Store : vsphere-webclient
  67. Alias :        vsphere-webclient
  68.             Not After : May 25 02:23:47 2031 GMT
  69. [*] Store : vpxd
  70. Alias :        vpxd
  71.             Not After : May 25 02:23:47 2031 GMT
  72. [*] Store : vpxd-extension
  73. Alias :        vpxd-extension
  74.             Not After : May 25 02:23:47 2031 GMT
  75. [*] Store : hvc
  76. Alias :        hvc
  77.             Not After : May 25 02:23:47 2031 GMT
  78. [*] Store : data-encipherment
  79. Alias :        data-encipherment
  80.             Not After : May 25 02:23:47 2031 GMT
  81. [*] Store : APPLMGMT_PASSWORD
  82. Alias :        location_password_default
  83. [*] Store : SMS
  84. Alias :        sms_self_signed
  85.             Not After : May 30 02:28:11 2031 GMT
  86. [*] Store : wcp
  87. Alias :        wcp
  88.             Not After : May 30 02:19:32 2023 GMT
复制代码
2.4. 再更新wcp证书

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-543BB100-515E-4FFF-8D88-7D73E4CB8248.html
  1. root@localhost [ /tmp ]# vim certool.cfg
  2. root@localhost [ /tmp ]# cat certool.cfg
  3. #
  4. # Template file for a CSR request
  5. #
  7. # Country is needed and has to be 2 characters
  8. Country = US
  9. Name        = CA
  10. Organization = VMware
  11. OrgUnit = VMware Engineering
  12. State = gd
  13. Locality = Palo Alto
  14. IPAddress = 127.0.0.1
  15. Email = email@acme.com
  16. Hostname = xx.xx.xx.xx
  18. root@localhost [ /tmp ]# /usr/lib/vmware-vmca/bin/certool --genkey --privkey=/tmp/wcp.priv --pubkey=/tmp/wcp.pub
  19. Status : Success
  21. root@localhost [ /tmp ]# /usr/lib/vmware-vmca/bin/certool --gencert --privkey=/tmp/wcp.priv --cert /tmp/wcp.crt --Name=wcp --config /tmp/certool.cfg
  22. Using config file : /tmp/certool.cfg
  23. Status : Success
  25. root@localhost [ /tmp ]# /usr/lib/vmware-vmafd/bin/dir-cli service list
  26. Enter password for administrator@vsphere.local:
  27. 1. machine-4b340ebe-d18a-427a-b130-d92673fd97fd
  28. 2. vsphere-webclient-4b340ebe-d18a-427a-b130-d92673fd97fd
  29. 3. vpxd-4b340ebe-d18a-427a-b130-d92673fd97fd
  30. 4. vpxd-extension-4b340ebe-d18a-427a-b130-d92673fd97fd
  31. 5. hvc-4b340ebe-d18a-427a-b130-d92673fd97fd
  32. 6. wcp-4b340ebe-d18a-427a-b130-d92673fd97fd
  34. # 停止服务
  35. root@localhost [ /var/log/vmware/vpxd ]# service-control --stop --all
  36. Operation not cancellable. Please wait for it to finish...
  37. Performing stop operation on service observability...
  38. Successfully stopped service observability
  39. Performing stop operation on service vmware-pod...
  40. Successfully stopped service vmware-pod
  41. Performing stop operation on service vmware-vdtc...
  42. Successfully stopped service vmware-vdtc
  43. Performing stop operation on profile: ALL...
  44. Successfully stopped service vmware-vmon
  45. Successfully stopped profile: ALL.
  46. Performing stop operation on service vmcad...
  47. Successfully stopped service vmcad
  48. Performing stop operation on service vmdird...
  49. Successfully stopped service vmdird
  50. Performing stop operation on service vmafdd...
  51. Successfully stopped service vmafdd
  52. Performing stop operation on service lwsmd...
  53. Successfully stopped service lwsmd
  55. # 再启动相关服务
  56. root@localhost [ /var/log/vmware/vpxd ]# service-control --start vmafdd
  57. Operation not cancellable. Please wait for it to finish...
  58. Performing start operation on service vmafdd...
  59. Successfully started service vmafdd
  60. root@localhost [ /var/log/vmware/vpxd ]# service-control --start vmdird
  61. Operation not cancellable. Please wait for it to finish...
  62. Performing start operation on service vmdird...
  63. Successfully started service vmdird
  64. root@localhost [ /var/log/vmware/vpxd ]# service-control --start vmcad
  65. Operation not cancellable. Please wait for it to finish...
  66. Performing start operation on service vmcad...
  67. Successfully started service vmcad
  69. # 更新证书
  70. root@localhost [ /tmp ]# /usr/lib/vmware-vmafd/bin/dir-cli service update --name wcp-4b340ebe-d18a-427a-b130-d92673fd97fd --cert /tmp/wcp.crt
  71. Enter password for administrator@vsphere.local:
  72. Service [wcp-4b340ebe-d18a-427a-b130-d92673fd97fd] updated successfully
  73. root@localhost [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store wcp --alias wcp
  74. Warning: This operation will delete entry [wcp] from store [wcp]
  75. Do you wish to continue? Y/N [N]
  76. y
  77. Deleted entry with alias [wcp] in store [wcp] successfully
  78. root@localhost [ /tmp ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store wcp --alias wcp --cert /tmp/wcp.crt --key /tmp/wcp.priv
  79. Entry with alias [wcp] in store [wcp] was created successfully
  81. # 启动服务
  82. root@localhost [ /tmp ]# service-control --start --all
  85. # 查看证书时间更新了
  86. root@localhost [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
  87. [*] Store : MACHINE_SSL_CERT
  88. Alias :        __MACHINE_CERT
  89.             Not After : May 11 08:44:26 2025 GMT
  90. [*] Store : TRUSTED_ROOTS
  91. Alias :        6f6ae78eb3a9abdbc7bf43797b765e62851a6af6
  92.             Not After : May 25 02:23:47 2031 GMT
  93. [*] Store : machine
  95. Alias :        machine
  96.             Not After : May 25 02:23:47 2031 GMT
  97. [*] Store : vsphere-webclient
  98. Alias :        vsphere-webclient
  99.             Not After : May 25 02:23:47 2031 GMT
  100. [*] Store : vpxd
  101. Alias :        vpxd
  102.             Not After : May 25 02:23:47 2031 GMT
  103. [*] Store : vpxd-extension
  104. Alias :        vpxd-extension
  105.             Not After : May 25 02:23:47 2031 GMT
  106. [*] Store : hvc
  107. Alias :        hvc
  108.             Not After : May 25 02:23:47 2031 GMT
  109. [*] Store : data-encipherment
  110. Alias :        data-encipherment
  111.             Not After : May 25 02:23:47 2031 GMT
  112. [*] Store : APPLMGMT_PASSWORD
  113. Alias :        location_password_default
  114. [*] Store : SMS
  115. Alias :        sms_self_signed
  116.             Not After : May 30 02:28:11 2031 GMT
  117. [*] Store : wcp
  118. Alias :        wcp
  119.             Not After : May 11 08:50:55 2025 GMT
复制代码
3. 参考KB

https://kb.vmware.com/s/article/2112277
https://kb.vmware.com/s/article/2015600?lang=zh_CN
https://kb.vmware.com/s/article/2097936?lang=zh_cn
https://medium.com/@ITsolutions/vmware-vcenter-certificate-replacement-7d2e7fa3fb89
https://captainvops.com/2022/12/16/vcenter-8-machine-ssl-certificate-management/
https://vninja.net/2022/08/08/expired-vmware-vcenter-7-certificates/
4. 下令

  1. # 开启sftp
  2. chsh -s /bin/bash root
  4. 查看CA证书有多少
  5. /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
  7. root@localhost [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
  8. Enter password for administrator@vsphere.local:
  9. Number of certificates:        1
  10. #1:
  11. CN(id):                3AEF9845A3E59122EDCB50C946C7886AFBB3D211
  12. Subject DN:        CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=localhost, OU=VMware Engineering
  13. CRL present:        yes
  15. # 导出CA证书
  16. are-vmafd/bin/dir-cli trustedcert get --id A35412348D33EA5EB11E66EF901A1F8D99B0465 --outcert /tmp/vmca_root.cer
  18. # 查看证书情况
  19. for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
  21. root@localhost [ ~ ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
  22. [*] Store : MACHINE_SSL_CERT
  23. Alias :        __MACHINE_CERT
  24.             Not After : May 11 08:44:26 2025 GMT
  25. [*] Store : TRUSTED_ROOTS
  26. Alias :        6f6ae78eb3a9abdbc7bf43797b765e62851a6af6
  27.             Not After : May 25 02:23:47 2031 GMT
复制代码
5. 报错

5.1. Error Failed to start vmon services.vmon-cli RC=1

When you go to read the “certificate-manager.log”, you see an entry like this:
Error Failed to start vmon services.vmon-cli RC=1
After a lot of searching on the internet, I sum up with this good article which helps me to solve my problem. The procedure is very simple, you just need to change the file permission of /etc/vmware/.buildInfo from 640 back to 444, SSH to your vCenter Server with root user and type following commands:
shell
chmod 444 /etc/vmware/.buildInfo
https://kb.vmware.com/s/article/2150057?lang=zh_CN
5.2. 脚本实行之后卡在85%

这里大概率大概是证书内里的FQDN和主机不匹配,又大概是主机剖析FQDN有题目。
https://blog.csdn.net/CrossProblems/article/details/135395563

免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有账号?立即注册

x
回复

使用道具 举报

0 个回复

倒序浏览
返回列表

快速回复

高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 or 立即注册

本版积分规则

写过一篇

金牌会员
这个人很懒什么都没写!

楼主热帖

标签云

挺好的 服务器
微信订阅号
微信服务号
微信客服
小程序
H5
关于我们 商务合作 网站地图
©Copyright 2022-2024 杭州祥升科技有限公司 版权所有 浙ICP备20004199号
快速回复 返回顶部 返回列表