Issue:
SSL Cert expiration or recertification blocks vSphere VCSA 8.0 U2.
If the certificate is NOT expired:
For re-certification, run the Certificate Manager in the UI:
vcsa.mindwatering.net/ui --> Menu (3 lines in corner) --> Administration --> Certificates (heading) --> Certificate Management
If the expiration was missed:
We have to fix this via SSH, as the site's HSTS will block login.
1. $ ssh root@vcsa.mindwatering.net
<enter password>
2. Start command shell:
Command> shell
3. Run the command-line certificate-manager:
root@vcsa [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
...
4. Regenerate a new VMCA Root Certificate and replace all certificates
...
Option[1 to 8]: _
Enter 4 and press <enter>
At the prompt:
Do you wish to generate all certificates using configuration file : Option[Y/N] ? :
Answer Y, and press <enter>
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Press <enter> for the default admin account.
Enter the password:
<enter password>
At the prompt, we want to keep it simple and just re-use the existing configuration information. To do so:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N]
Enter N, and press <enter>
At the final confirmation prompt, choose to continue:
You are going to regenerate Root Certificate and all other certificates using VMCA
Continue operation : Option[Y/N] ? :
Answer Y, and press <enter>
<wait>
WARNING:
After new certificates are created/imported, or the expiration is fixed, VPXD will be broken and needs to be fixed on the appliance. This bug is "expected behavior". VMware has article 94934 to remediate the behavior/bug.
Error Message: Pre-upgrade check result
Error:
Source vSphere ESX Agent Manager (EAM) upgrade failed to obtain EAM URLs to check against trusted certificates by the System!
Resolution:
Verify that the ESX Agent Manager extension is running properly on the source vCenter Server instance and https://VC_IP/eam/mob presents correct data. If log in to the MOB is not successful, try resolving the issue with kb.vmware.com/s/article/94934.
Fix the VPXD via:
1. Download fixcerts:
via.vmw.com/fixcerts
2. $ ssh root@vcsa.mindwatering.net
<enter password>
3. Start command shell:
Command> shell
4. Create an empty file on the server, then copy and paste the content of the downloaded local file into the remote file:
(Alternatively, we can transfer the file over SSH with FileZilla.)
root@vcsa [ ~ ]# pwd
/root
root@vcsa [ ~ ]# touch fixcerts.py
root@vcsa [ ~ ]# vi fixcerts.py
<copy and paste the contents of the downloaded file into this file on the server>
root@vcsa [ ~ ]# chmod 770 fixcerts.py
5. Run the file:
root@vcsa [ ~ ]# python fixcerts.py update --ExtensionType all
<wait>
...
Updated the Thumbprint of VPXD Extensions -> Total Execution Time ## 43 seconds ##
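Added example (not part of the original note, nor VMware's tooling): a Python check that flags VECS certificates that are expired or close to expiry, so a renewal can be done in the UI before the SSH recovery above becomes necessary. The vecs-cli invocation named in the comment, its output layout, the sample data and the 60-day threshold are assumptions.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample; layout assumed (not from the page) to match
# `/usr/lib/vmware-vmafd/bin/vecs-cli entry list --store <name> --text`
# cut down to the Store / Alias / Not After lines.
SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Mar  1 12:00:00 2025 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
            Not After : Jun 15 08:30:00 2025 GMT
[*] Store : machine
Alias : machine
            Not After : Jan 10 00:00:00 2027 GMT
"""
LABEL = re.compile(r"\b(Store|Alias)\s*:\s*(\S+)")
NOT_AFTER = re.compile(r"Not After\s*:\s*(.+?)\s*(?:GMT)?\s*$")

def expiry_report(text, now, warn_days=60):
    """Return (store, alias, not_after, status) per certificate found."""
    rows, store, alias = [], "?", "?"
    for line in text.splitlines():
        label = LABEL.search(line)
        found = NOT_AFTER.search(line)
        if label and label.group(1) == "Store":
            store, alias = label.group(2), "?"
        elif label:
            alias = label.group(2)
        elif found:
            # openssl pads single-digit days ("Mar  1"); collapse before parsing
            stamp = " ".join(found.group(1).split())
            parsed = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
            not_after = parsed.replace(tzinfo=timezone.utc)
            if not_after <= now:
                status = "EXPIRED"
            elif not_after - now <= timedelta(days=warn_days):
                status = "EXPIRING"
            else:
                status = "OK"
            rows.append((store, alias, not_after, status))
    return rows

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for store, alias, when, status in expiry_report(text, datetime.now(timezone.utc)):
        print(f"{status:9} {store}/{alias} expires {when:%Y-%m-%d %H:%M} UTC")
```

On the appliance, pipe the certificate listing into the script's stdin; with no piped input it runs on the constructed sample.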