Replacing the self-signed vCenter certificates

Hostname: vc70.ludo.local
IP: 192.168.1.20

🤒 vCenter no longer works because the certificate has expired:

Use the fixsts script:
- Checking Expiration of STS Certificate on vCenter Servers
- "Signing certificate is not valid" error in VCSA 6.5.x, 6.7.x or vCenter Server 7.0.x, 8.0.x

🙂 vCenter works:

Check the STS certificate:
- in the GUI
or
- with the checksts script

Replace the STS certificate:
- Replace a vCenter Server STS Certificate Using the Command Line
or
- "Signing certificate is not valid" error in VCSA 6.5.x, 6.7.x or vCenter Server 7.0.x, 8.0.x

Take a snapshot of the VCSA before touching the signing certificate. The steps below generate a new key pair and a VMCA-signed STS certificate with certool, bundle the certificate, the VMCA root and the private key into one PEM file, load that file into the vsphere.local tenant with sso-config.sh, and restart all services:

root@vc70 [ ~ ]# cd ~
root@vc70 [ ~ ]# mkdir newsts
root@vc70 [ ~ ]# cd newsts
root@vc70 [ ~/newsts ]# pwd
/root/newsts
root@vc70 [ ~/newsts ]# cp /usr/lib/vmware-vmca/share/config/certool.cfg /root/newsts
root@vc70 [ ~/newsts ]# vi certool.cfg 

#
# Template file for a CSR request
#

# Country is needed and has to be 2 characters
Country = US
Name    = CA
Organization = VMware
OrgUnit = VMware Engineering
State = California
Locality = Palo Alto
IPAddress = 192.168.1.20
Email = <address hidden on the original page>
Hostname = vc70.ludo.local

root@vc70 [ ~/newsts ]# less certool.cfg 
root@vc70 [ ~/newsts ]# /usr/lib/vmware-vmca/bin/certool --server localhost --genkey --privkey=/root/newsts/sts.key --pubkey=/root/newsts/sts.pub
Status : Success
root@vc70 [ ~/newsts ]# /usr/lib/vmware-vmca/bin/certool --gencert --cert=/root/newsts/newsts.cer --privkey=/root/newsts/sts.key --config=/root/newsts/certool.cfg
Using config file : /root/newsts/certool.cfg
Status : Success
root@vc70 [ ~/newsts ]# cat newsts.cer /var/lib/vmware/vmca/root.cer sts.key > newsts.pem
root@vc70 [ ~/newsts ]# /opt/vmware/bin/sso-config.sh -set_signing_cert -t vsphere.local /root/newsts/newsts.pem
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/usr/lib/vmware-sso/vmware-sts/webapps/ROOT/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/opt/vmware/lib64/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
root@vc70 [ ~/newsts ]# service-control --stop --all && service-control --start --all
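Before sso-config.sh is run, a few checks on the bundle catch the usual mistakes: files concatenated in the wrong order, a key that does not belong to the certificate, a certificate not issued by the bundled root. The script below is an added example, not code from this page or from VMware; it assumes the bundle was built with the page's cat command, and uses openssl only for the deeper checks (skipped with a message when openssl is absent).

```shell
#!/bin/sh
# Added example, not code from the original page or from VMware: pre-flight
# checks on newsts.pem before it is handed to sso-config.sh -set_signing_cert.
# Assumes the bundle was built as on the page:
#   cat newsts.cer /var/lib/vmware/vmca/root.cer sts.key > newsts.pem
# Nothing here calls certool or sso-config.

# Print the PEM block types found in a file, in order, one per line.
pem_block_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# Return 0 when the bundle has the layout the page's cat produces:
# leaf certificate, then the VMCA root, then the private key.
sts_bundle_layout_ok() {
    types=$(pem_block_types "$1" | tr '\n' ' ')
    case "$types" in
        "CERTIFICATE CERTIFICATE "*"PRIVATE KEY ") return 0 ;;
        *) return 1 ;;
    esac
}

# Checks that need openssl: the key belongs to the leaf, the leaf verifies
# against the bundled root, and the leaf stays valid for at least 30 days.
# Returns 0 when all pass, 1 on a failed check, 2 when openssl is missing.
sts_bundle_verify() {
    bundle=$1; work="${TMPDIR:-/tmp}/stscheck.$$"; rc=0
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 2; }
    mkdir -p "$work"
    # split the bundle: 1st CERTIFICATE block = leaf, 2nd = root, PRIVATE KEY = key
    awk -v w="$work" '
        /^-----BEGIN CERTIFICATE-----/   { n++ }
        /^-----BEGIN .*PRIVATE KEY-----/ { n = 3 }
        n == 1 { print > (w "/leaf.pem") }
        n == 2 { print > (w "/root.pem") }
        n == 3 { print > (w "/key.pem") }' "$bundle"
    pk_cert=$(openssl x509 -in "$work/leaf.pem" -noout -pubkey | openssl sha256)
    pk_key=$(openssl pkey -in "$work/key.pem" -pubout | openssl sha256)
    [ "$pk_cert" = "$pk_key" ] \
        || { echo "FAIL: sts.key does not belong to newsts.cer"; rc=1; }
    openssl verify -CAfile "$work/root.pem" "$work/leaf.pem" >/dev/null 2>&1 \
        || { echo "FAIL: newsts.cer does not verify against the bundled root.cer"; rc=1; }
    openssl x509 -in "$work/leaf.pem" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: newsts.cer expires within 30 days"; rc=1; }
    rm -rf "$work"
    return $rc
}

# Usage on the VCSA, after the cat step and before sso-config.sh:
#   sh sts_preflight.sh /root/newsts/newsts.pem
if [ -n "${1:-}" ]; then
    if sts_bundle_layout_ok "$1"; then
        echo "layout: ok"
    else
        echo "layout: unexpected: $(pem_block_types "$1" | tr '\n' ',')"
    fi
    sts_bundle_verify "$1" && echo "openssl checks: ok"
fi
```

With no argument the script only defines the functions. The layout check is deliberately independent of openssl so it can run anywhere; the key/certificate match is done by hashing the public key taken from each side, which works for any key type rather than comparing an RSA modulus.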


Check which CA is on the ESXi hosts (Subject Key Identifier):

root@vc70 [ ~ ]# openssl x509 -noout -text -in /etc/vmware/ssl/castore.pem |less

            X509v3 Subject Key Identifier: 
                8F:F2:D1:0D:6A:09:0D:ED:6F:25:85:01:2C:47:67:4E:55:10:C5:10
            X509v3 Subject Alternative Name: 
                IP Address:192.168.1.20
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0


List the stores:

root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli store list
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
hvc
data-encipherment
APPLMGMT_PASSWORD
SMS
wcp
BACKUP_STORE


Check which CA issued the Machine SSL, vpxd and web client certificates. The Authority Key Identifier (keyid) of each entry must match the Subject Key Identifier of the root you intend to keep; here all three point to 8F:F2:D1:0D:6A:09:0D:ED:6F:25:85:01:2C:47:67:4E:55:10:C5:10, the root found in castore.pem above:

root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSL_CERT --text |less
Alias : __MACHINE_CERT
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                email:<address hidden on the original page>, IP Address:192.168.1.20, DNS:vc70.ludo.local
            X509v3 Subject Key Identifier: 
                4C:35:2D:EC:14:83:FD:6C:C7:AE:3B:4D:B2:BF:9B:82:1B:69:A0:E0
            X509v3 Authority Key Identifier: 
                keyid:8F:F2:D1:0D:6A:09:0D:ED:6F:25:85:01:2C:47:67:4E:55:10:C5:10
root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vpxd --text |less
Alias : vpxd
           X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                email:<address hidden on the original page>, IP Address:192.168.1.20, DNS:vc70.ludo.local
            X509v3 Subject Key Identifier: 
                DC:AC:5B:36:82:59:4E:ED:A3:DA:57:84:F8:F9:52:55:15:9D:68:94
            X509v3 Authority Key Identifier: 
                keyid:8F:F2:D1:0D:6A:09:0D:ED:6F:25:85:01:2C:47:67:4E:55:10:C5:10
root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vsphere-webclient --text |less
Alias : vsphere-webclient
            X509v3 Key Usage: 
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name: 
                email:<address hidden on the original page>, IP Address:192.168.1.20, DNS:vc70.ludo.local
            X509v3 Subject Key Identifier: 
                92:6C:02:A7:BD:1F:85:3C:37:E9:C7:7F:2C:33:FF:7C:96:CE:43:9F
            X509v3 Authority Key Identifier: 
                keyid:8F:F2:D1:0D:6A:09:0D:ED:6F:25:85:01:2C:47:67:4E:55:10:C5:10


Remove the unused or expired CAs:

Removing Expired CA Certificates from the TRUSTED_ROOTS store in the VMware Endpoint Certificate Store (VECS)

Only remove a root that nothing chains to any more: none of the three entries checked above carries the old root's Subject Key Identifier (1F:88:31:CF:BA:9B:DA:5E:FC:88:7B:C3:B7:3C:0F:54:FF:AD:09:84) as its Authority Key Identifier. dir-cli prompts for the password when --password is omitted, as in the first trustedcert list below; passing it on the command line, as in the trustedcert get, leaves it in the shell history and in the process list.

root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | less

Alias : 3c4ece7bc5740c021431b54e94961f37f36e162b
X509v3 Subject Key Identifier:
8F:F2:D1:0D:6A:09:0D:ED:6F:25:85:01:2C:47:67:4E:55:10:C5:10

Alias : f02573967a532a951c8cb57de8e69a34df916b57
X509v3 Subject Key Identifier:
1F:88:31:CF:BA:9B:DA:5E:FC:88:7B:C3:B7:3C:0F:54:FF:AD:09:84
root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
Enter password for <account hidden on the original page>
Number of certificates:    2
#1:
CN(id):        1F8831CFBA9BDA5EFC887BC3B73C0F54FFAD0984
Subject DN:    CN=vc70.ludo.local, DC=vsphere, DC=local, C=US, ST=California, O=vc70.ludo.local, OU=VMware Engineering
CRL present:    yes
#2:
CN(id):        8FF2D10D6A090DED6F2585012C47674E5510C510
Subject DN:    CN=vc70.ludo.local, DC=vsphere, DC=local, C=US, ST=California, O=vc70.ludo.local, OU=VMware Engineering
CRL present:    yes
root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert get --id 1F8831CFBA9BDA5EFC887BC3B73C0F54FFAD0984 --login <account hidden on the original page> --password VMware123! --outcert /tmp/oldcert.cer
root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert unpublish --cert /tmp/oldcert.cer
root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/dir-cli trustedcert list
root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store TRUSTED_ROOTS --alias f02573967a532a951c8cb57de8e69a34df916b57
Warning: This operation will delete entry [f02573967a532a951c8cb57de8e69a34df916b57] from store [TRUSTED_ROOTS]
Do you wish to continue? Y/N [N] 
Y
Deleted entry with alias [f02573967a532a951c8cb57de8e69a34df916b57] in store [TRUSTED_ROOTS] successfully

root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store TRUSTED_ROOTS --text | grep Alias

root@vc70 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli force-refresh

root@vc70 [ ~ ]# service-control --stop --all && service-control --start --all


Check the certificates: every entry must now show a Not After in the future, and TRUSTED_ROOTS must contain only the root the leaf certificates chain to.
"Signing certificate is not valid" error in VCSA 6.5.x, 6.7.x or vCenter Server 7.0.x, 8.0.x

root@vc70 [ ~ ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Sep 13 09:10:02 2025 GMT
STORE TRUSTED_ROOTS
Alias : 3c4ece7bc5740c021431b54e94961f37f36e162b
            Not After : Sep  8 09:20:01 2033 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 6dd6dfaef1d4a7b9ef4b4e71fad47f274395e7ef
STORE machine
Alias : machine
            Not After : Sep 13 09:10:18 2025 GMT
STORE vsphere-webclient
Alias : vsphere-webclient
            Not After : Sep 13 09:10:19 2025 GMT
STORE vpxd
Alias : vpxd
            Not After : Sep 13 09:10:20 2025 GMT
STORE vpxd-extension
Alias : vpxd-extension
            Not After : Sep 13 09:10:20 2025 GMT
STORE hvc
Alias : hvc
            Not After : Sep 13 09:10:22 2025 GMT
STORE data-encipherment
Alias : data-encipherment
            Not After : Jun 21 13:00:32 2033 GMT
STORE APPLMGMT_PASSWORD
Alias : location_password_default
STORE SMS
Alias : sms_self_signed
            Not After : Apr 12 07:58:22 2033 GMT
Alias : https://esxi705.ludo.local:9080/version.xml
            Not After : Aug  6 07:36:14 2028 GMT
Alias : https://esxi701.ludo.local:9080/version.xml
            Not After : Apr 10 08:44:24 2028 GMT
Alias : https://esxi702.ludo.local:9080/version.xml
            Not After : Apr 10 08:45:03 2028 GMT
Alias : https://esxi703.ludo.local:9080/version.xml
            Not After : Apr 10 08:43:43 2028 GMT
Alias : https://esxi704.ludo.local:9080/version.xml
            Not After : Apr 10 09:03:27 2028 GMT
STORE wcp
Alias : wcp
            Not After : Sep 13 09:10:23 2025 GMT
STORE BACKUP_STORE
Alias : bkp___MACHINE_CERT
            Not After : Sep 12 13:59:02 2025 GMT
Alias : bkp_machine
            Not After : Sep 12 13:59:31 2025 GMT
Alias : bkp_vsphere-webclient
            Not After : Sep 12 13:59:32 2025 GMT
Alias : bkp_vpxd
            Not After : Sep 12 13:59:34 2025 GMT
Alias : bkp_vpxd-extension
            Not After : Sep 12 13:59:35 2025 GMT
Alias : bkp_hvc
            Not After : Sep 12 13:59:40 2025 GMT
Alias : bkp_wcp
            Not After : Sep 12 13:59:41 2025 GMT
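The two manual checks above, finding which TRUSTED_ROOTS entry the other VECS entries actually chain to (Authority Key Identifier against each root's Subject Key Identifier) and spotting entries that are expired or close to it, can be done in one pass over a full text dump of the stores. The script below is an added example, not code from this page or from VMware; it parses the output of the page's store loop run without the egrep filter, and here runs on a constructed sample trimmed from the page's own output, with the old root given a made-up past date so the expired case is exercised.

```shell
#!/bin/sh
# Added example (not from the original page or from VMware): audit a text dump
# of every VECS store for (a) roots in TRUSTED_ROOTS that no other entry chains
# to and (b) entries that are expired or about to expire.
# Assumed input: the page's loop without its egrep filter, e.g.
#   for s in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do
#     echo "STORE $s"; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store "$s" --text
#   done > /tmp/vecs.txt

# One TSV line per entry: store, alias, subject key id, authority key id,
# not-after as YYYYMMDD ("-" when a field is absent, e.g. CRL or password entries).
vecs_parse() {
    awk '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", mon, " ")
            for (i = 1; i <= 12; i++) m[mon[i]] = i
            ski = "-"; aki = "-"; na = "-" }
    function flush() {
        if (alias != "") printf "%s\t%s\t%s\t%s\t%s\n", store, alias, ski, aki, na
        alias = ""; ski = "-"; aki = "-"; na = "-"; want = ""
    }
    /^STORE /                  { flush(); store = $2; next }
    /^Alias :/                 { flush(); alias = $3; next }
    /Not After :/              { sub(/.*Not After : */, "")
                                 na = sprintf("%04d%02d%02d", $4, m[$1], $2); next }
    /Subject Key Identifier/   { want = "ski"; next }
    /Authority Key Identifier/ { want = "aki"; next }
    want != "" {
        # the hex value is on the line after the header, with or without a
        # "keyid:" prefix depending on the openssl version that formatted it
        v = $1; sub(/^keyid:/, "", v)
        if (v ~ /^[0-9A-F][0-9A-F](:[0-9A-F][0-9A-F])+$/) {
            if (want == "ski") ski = v; else aki = v
        }
        want = ""
    }
    END { flush() }' "$1"
}

# Roots in TRUSTED_ROOTS whose Subject Key Identifier no entry outside that
# store references as Authority Key Identifier. Prints "alias ski".
vecs_unused_roots() {
    vecs_parse "$1" | awk -F'\t' '
        $1 != "TRUSTED_ROOTS" && $4 != "-" { used[$4] = 1 }
        $1 == "TRUSTED_ROOTS" { root_alias[$3] = $2; roots[$3] = 1 }
        END { for (s in roots) if (!(s in used)) print root_alias[s], s }'
}

# Entries whose Not After is within DAYS of ASOF (YYYYMMDD) or already past.
# Prints "store alias not_after days_left" (negative = expired). Dates are
# compared as Julian day numbers so no GNU date is needed.
vecs_expiring() {
    vecs_parse "$1" | awk -F'\t' -v asof="$2" -v days="$3" '
        function jdn(ymd,   y, mo, d, a, yy, mm) {
            y = substr(ymd, 1, 4) + 0; mo = substr(ymd, 5, 2) + 0; d = substr(ymd, 7, 2) + 0
            a = int((14 - mo) / 12); yy = y + 4800 - a; mm = mo + 12 * a - 3
            return d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4) - int(yy / 100) + int(yy / 400) - 32045
        }
        $5 != "-" { left = jdn($5) - jdn(asof); if (left <= days) print $1, $2, $5, left }'
}

# Constructed sample, trimmed from the page's dump; the old root f0257... is
# given a made-up past Not After to exercise the expired branch.
SAMPLE="${TMPDIR:-/tmp}/vecs_sample.$$"
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Sep 13 09:10:02 2025 GMT
            X509v3 Subject Key Identifier:
                4C:35:2D:EC:14:83:FD:6C:C7:AE:3B:4D:B2:BF:9B:82:1B:69:A0:E0
            X509v3 Authority Key Identifier:
                keyid:8F:F2:D1:0D:6A:09:0D:ED:6F:25:85:01:2C:47:67:4E:55:10:C5:10
STORE TRUSTED_ROOTS
Alias : 3c4ece7bc5740c021431b54e94961f37f36e162b
            Not After : Sep  8 09:20:01 2033 GMT
            X509v3 Subject Key Identifier:
                8F:F2:D1:0D:6A:09:0D:ED:6F:25:85:01:2C:47:67:4E:55:10:C5:10
Alias : f02573967a532a951c8cb57de8e69a34df916b57
            Not After : Aug 20 09:00:00 2025 GMT
            X509v3 Subject Key Identifier:
                1F:88:31:CF:BA:9B:DA:5E:FC:88:7B:C3:B7:3C:0F:54:FF:AD:09:84
STORE TRUSTED_ROOT_CRLS
Alias : 6dd6dfaef1d4a7b9ef4b4e71fad47f274395e7ef
STORE vpxd
Alias : vpxd
            Not After : Sep 13 09:10:20 2025 GMT
            X509v3 Authority Key Identifier:
                8F:F2:D1:0D:6A:09:0D:ED:6F:25:85:01:2C:47:67:4E:55:10:C5:10
STORE BACKUP_STORE
Alias : bkp___MACHINE_CERT
            Not After : Sep 12 13:59:02 2025 GMT
EOF

echo "== TRUSTED_ROOTS entries nothing chains to =="
vecs_unused_roots "$SAMPLE"
echo "== expired or expiring within 30 days of 2025-09-01 =="
vecs_expiring "$SAMPLE" 20250901 30
```

A root that no VECS entry chains to may still be what the ESXi hosts trust for their own certificates, so check castore.pem on the hosts, as the page does, before unpublishing it with dir-cli. On a real dump, replace the sample with `/tmp/vecs.txt` and today's date.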

 
