I recently made major changes to my home network, which included changing the IP addresses of ESXi and vCenter Server.
When I did, the vCenter Server services failed to start, as shown below.
root@vcsa [ /var/log/vmware/vapi/endpoint ]# service-control --start --all
Performing start operation on service lwsmd...
Successfully started service lwsmd
Performing start operation on service vmafdd...
Successfully started service vmafdd
Performing start operation on service vmdird...
Successfully started service vmdird
Performing start operation on service vmcad...
Successfully started service vmcad
Performing start operation on profile: ALL...
Successfully started service vmware-vmon
Service-control failed. Error: Failed to start services in profile ALL. RC=1, stderr=Failed to start vpxd, hvc, vapi-endpoint, vpxd-svcs services. Error: Operation timed out
At first I thought I had fiddled with vCenter Server too much during the network change,
but looking at the logs, the solution user certificates had expired.
(I never expected to make the expired-certificate blunder in my own environment...)
2024-10-27T10:04:14.852Z warning vpxd[29560] [Originator@6876 sub=Main opID=CheckCertificateExpiry-427c3c55] Certificate [Subject: OU=VMware Engineering,O=VMware,L=Palo Alto,ST=California,C=US,CN=ss017.home.com] from store MACHINE_SSL_CERT will expire on 2024-11-05 15:07:28.000
2024-10-27T10:04:14.948Z warning vpxd[29560] [Originator@6876 sub=Main opID=CheckCertificateExpiry-427c3c55] Certificate [Subject: OU=mID-4b5d3eb5-53a7-414c-9c54-5053971199fc,C=US,DC=local,DC=vsphere,CN=machine] from store machine will expire on 2024-08-26 03:26:58.000
2024-10-27T10:04:14.954Z warning vpxd[29560] [Originator@6876 sub=Main opID=CheckCertificateExpiry-427c3c55] Certificate [Subject: OU=mID-4b5d3eb5-53a7-414c-9c54-5053971199fc,C=US,DC=local,DC=vsphere,CN=vsphere-webclient] from store vsphere-webclient will expire on 2024-08-26 03:26:59.000
2024-10-27T10:04:14.981Z warning vpxd[29560] [Originator@6876 sub=Main opID=CheckCertificateExpiry-427c3c55] Certificate [Subject: OU=mID-4b5d3eb5-53a7-414c-9c54-5053971199fc,C=US,DC=local,DC=vsphere,CN=vpxd] from store vpxd will expire on 2024-08-26 03:26:59.000
2024-10-27T10:04:15.010Z warning vpxd[29560] [Originator@6876 sub=Main opID=CheckCertificateExpiry-427c3c55] Certificate [Subject: OU=mID-4b5d3eb5-53a7-414c-9c54-5053971199fc,C=US,DC=local,DC=vsphere,CN=vpxd-extension] from store vpxd-extension will expire on 2024-08-26 03:27:00.000
2024-10-27T10:04:15.025Z warning vpxd[29560] [Originator@6876 sub=Main opID=CheckCertificateExpiry-427c3c55] Certificate [Subject: OU=mID-4b5d3eb5-53a7-414c-9c54-5053971199fc,C=US,DC=local,DC=vsphere,CN=data-encipherment] from store data-encipherment will expire on 2024-08-26 03:29:13.000
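The vpxd warnings above are the earliest hint of this failure mode, and they are easy to scan for before services stop starting. Below is an added example (not part of the original post and not VMware's fixcerts script) that parses lines in the CheckCertificateExpiry format quoted above, compares each expiry against the log line's own timestamp, and flags stores that are already expired or within a warning window. The sample log lines, the hostname vcsa.example.test and the all-zero mID are constructed for the demo.

```python
"""Scan vpxd.log for CheckCertificateExpiry warnings and flag certificate stores
that are expired or about to expire.

Added example, not part of the original post or of VMware's fixcerts script.
The line format is taken from the vpxd warnings quoted in the post; the sample
lines below are constructed for this demo (hostname and mID are placeholders).
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: three expiry warnings in vpxd's format plus one unrelated
# line that the scanner must ignore.
SAMPLE_LOG = """\
2024-10-27T10:04:14.852Z warning vpxd[29560] [Originator@6876 sub=Main opID=CheckCertificateExpiry-427c3c55] Certificate [Subject: OU=VMware Engineering,O=VMware,L=Palo Alto,ST=California,C=US,CN=vcsa.example.test] from store MACHINE_SSL_CERT will expire on 2024-11-05 15:07:28.000
2024-10-27T10:04:14.948Z warning vpxd[29560] [Originator@6876 sub=Main opID=CheckCertificateExpiry-427c3c55] Certificate [Subject: OU=mID-00000000-0000-0000-0000-000000000000,C=US,DC=local,DC=vsphere,CN=machine] from store machine will expire on 2024-08-26 03:26:58.000
2024-10-27T10:04:14.981Z warning vpxd[29560] [Originator@6876 sub=Main opID=CheckCertificateExpiry-427c3c55] Certificate [Subject: OU=mID-00000000-0000-0000-0000-000000000000,C=US,DC=local,DC=vsphere,CN=vpxd] from store vpxd will expire on 2024-08-26 03:26:59.000
2024-10-27T10:04:15.100Z info vpxd[29560] [Originator@6876 sub=Main] Unrelated line that must be ignored
"""

# One regex for the whole warning line: timestamp, the CheckCertificateExpiry
# opID, the certificate subject, the store name and the expiry timestamp.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+Z) warning vpxd\[\d+\] "
    r"\[[^\]]*opID=CheckCertificateExpiry-[0-9a-f]+\] "
    r"Certificate \[Subject: (?P<subject>[^\]]+)\] from store (?P<store>\S+) "
    r"will expire on (?P<expiry>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\s*$"
)


@dataclass
class CertObservation:
    store: str
    cn: str
    expiry: datetime
    observed: datetime
    days_left: int
    status: str  # "expired", "expiring" or "ok"


def _parse_utc(value: str, fmt: str) -> datetime:
    # vpxd logs in UTC; attach the tzinfo so comparisons are unambiguous.
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def _common_name(subject: str) -> str:
    # Subjects in these lines use plain comma-separated RDNs without escaping.
    for part in subject.split(","):
        if part.startswith("CN="):
            return part[3:]
    return ""


def scan_vpxd_log(text: str, warn_days: int = 30) -> list[CertObservation]:
    """Return one observation per CheckCertificateExpiry warning, classified
    relative to the timestamp of the log line itself (not the current clock),
    so old log extracts are judged as of the time they were written."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        observed = _parse_utc(m.group("ts"), "%Y-%m-%dT%H:%M:%S.%fZ")
        expiry = _parse_utc(m.group("expiry"), "%Y-%m-%d %H:%M:%S")
        remaining = expiry - observed
        if remaining.total_seconds() <= 0:
            status = "expired"
        elif remaining.days < warn_days:
            status = "expiring"
        else:
            status = "ok"
        results.append(CertObservation(
            store=m.group("store"),
            cn=_common_name(m.group("subject")),
            expiry=expiry,
            observed=observed,
            days_left=remaining.days,
            status=status,
        ))
    return results


def needs_action(observations: list[CertObservation]) -> list[str]:
    """Store names that are expired or inside the warning window, in log order."""
    return [o.store for o in observations if o.status != "ok"]


if __name__ == "__main__":
    for o in scan_vpxd_log(SAMPLE_LOG):
        print(f"{o.store:<18} CN={o.cn:<20} expires {o.expiry:%Y-%m-%d %H:%M:%S}Z "
              f"{o.status} ({o.days_left:+d} days)")
```

Run it against a copy of /var/log/vmware/vpxd/vpxd.log (path as on a VCSA; substitute your own) by replacing SAMPLE_LOG with the file contents; anything reported as expired or expiring is a store the fixcerts run in the post would touch. Judging against the log line's own timestamp rather than the wall clock matters when you are reading a log bundle collected days earlier.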
So instead of renewing the certificates with Certificate Manager,
I renewed them with the Fixcerts script from KB322249 below.
How to Replace Expired Certificates on vCenter Server using Fixcerts Python Script
First, take an offline snapshot of vCenter Server.
After taking the offline snapshot, download fixcerts_3_1.py (the 3.1 part may be
updated in the future) from the KB above and upload it to vCenter Server with SCP
or similar, or copy and paste the script following the steps described in the KB.
Once that is done, renew only the expired certificates using the --certType expired_only
option, as follows.
root@vcsa [ /tmp ]# python fixcerts_3_1.py replace --certType expired_only --serviceRestart True
Please enter the password for administrator@vsphere.local to proceed further :
+--------------------+----------------------+
| CertificateType | Validity(UTC) |
+--------------------+----------------------+
| MACHINE_SSL_CERT | Nov 05 15:07:28 2024 |
| machine | Aug 26 03:26:58 2024 |
| vsphere-webclient | Aug 26 03:26:59 2024 |
| vpxd | Aug 26 03:26:59 2024 |
| vpxd-extension | Aug 26 03:27:00 2024 |
| data-encipherment | Aug 26 03:29:13 2024 |
| SMS | Aug 27 03:41:35 2032 |
| hvc | Aug 21 03:36:00 2032 |
| wcp | Aug 21 03:36:00 2032 |
| Signing Cert (STS) | Aug 21 03:36:00 2032 |
+--------------------+----------------------+
+------------------------------------------+----------------------+------+
| TRUSTED_ROOTS_Alias | Validity(UTC) | Type |
+------------------------------------------+----------------------+------+
| 494d720ab73e313b3fb1a7122d3cbc1b52c2719e | Aug 21 03:36:00 2032 | CA |
+------------------------------------------+----------------------+------+
This script will replace the certificates on vCenter Server, please read below important points :
1. Services needs to be restarted for certificate replacement, you may do it manually or let the script do it
2. Services on partner VCs in Linked Mode also needs to be restarted after replacing STS (Secure Token Signing) certificate, as VCs in ELM uses same STS Certificate
Note: Point 2 is Not Applicable for vCenter Server 8.0, as service restart is not required for STS Certificate Replacement on 8.0.
3. Please make sure you have taken OFFLINE SNAPSHOT of all the VCs in the Linked Mode before continuing with the Certificate replacement
Please read above points and enter YES to proceed further [[Yes/yes/YES/Y/y]] ? y
Reading Hostname Type & Deployment Type.
...Waiting for Status
......Success
Doing Pre-Check before starting the actual certificate replacement
...Waiting for Status
......Success
Following are the Certificate Fields based on existing Machine SSL Certificate :
Country : US
Organization : VMware
OrgUnit : VMware Engineering
State : California
Locality : Palo Alto
Do you want to proceed with the default values mentioned above ? please enter YES/NO [[Yes/yes/YES/Y/y] or [No/no/NO/N/n]] ? y
Replacing machine Solution User Certificate.
...Waiting for Status
......Success
Replacing vpxd Solution User Certificate.
...Waiting for Status
......Success
Replacing vpxd-extension Solution User Certificate.
...Waiting for Status
......Success
Updating Thumbprint of Extensions in VPXD.
...Waiting for Status
....Updating thumbprint of com.vmware.vim.eam
....Updating thumbprint of com.vmware.rbd
....Updating thumbprint of com.vmware.imagebuilder
......Success
Replacing vsphere-webclient Solution User Certificate.
...Waiting for Status
......Success
Replacing wcp Solution User Certificate.
...Waiting for Status
......Success
Replacing hvc Solution User Certificate.
...Waiting for Status
......Success
Replacing data-enciphement Certificate.
...Waiting for Status
......Success
Stopping All Services.
...Waiting for Status
......Success
Starting All Services.
...Waiting for Status
......Success
Validity of Certificates post replacement:
+--------------------+----------------------+
| CertificateType | Validity(UTC) |
+--------------------+----------------------+
| MACHINE_SSL_CERT | Nov 05 15:07:28 2024 |
| machine | Aug 21 03:36:00 2032 |
| vsphere-webclient | Aug 21 03:36:00 2032 |
| vpxd | Aug 21 03:36:00 2032 |
| vpxd-extension | Aug 21 03:36:00 2032 |
| data-encipherment | Aug 21 03:36:00 2032 |
| SMS | Aug 27 03:41:35 2032 |
| hvc | Aug 21 03:36:00 2032 |
| wcp | Aug 21 03:36:00 2032 |
| Signing Cert (STS) | Aug 21 03:36:00 2032 |
+--------------------+----------------------+
+------------------------------------------+----------------------+------+
| TRUSTED_ROOTS_Alias | Validity(UTC) | Type |
+------------------------------------------+----------------------+------+
| 494d720ab73e313b3fb1a7122d3cbc1b52c2719e | Aug 21 03:36:00 2032 | CA |
+------------------------------------------+----------------------+------+
Successfully Completed the Certificate Replacement -> Total Execution Time ## 539 seconds ##
There is also a --validityDays option, but by default solution user certificates
are renewed with a validity of up to 10 years.
(*The maximum is the expiry of the root certificate.)
Next, the machine SSL certificate is also close to expiring, so renew it too.
Machine SSL certificates are renewed with a 2-year validity by default, so this time
I specify 3650 for the --validityDays option.
(*Even with --validityDays 3650, the certificate is only renewed up to the root certificate's expiry.)
root@vcsa [ /tmp ]# python fixcerts_3_1.py replace --certType machinessl --serviceRestart True --validityDays 3650
Please enter the password for administrator@vsphere.local to proceed further :
+--------------------+----------------------+
| CertificateType | Validity(UTC) |
+--------------------+----------------------+
| MACHINE_SSL_CERT | Nov 05 15:07:28 2024 |
| machine | Aug 21 03:36:00 2032 |
| vsphere-webclient | Aug 21 03:36:00 2032 |
| vpxd | Aug 21 03:36:00 2032 |
| vpxd-extension | Aug 21 03:36:00 2032 |
| data-encipherment | Aug 21 03:36:00 2032 |
| SMS | Aug 27 03:41:35 2032 |
| hvc | Aug 21 03:36:00 2032 |
| wcp | Aug 21 03:36:00 2032 |
| Signing Cert (STS) | Aug 21 03:36:00 2032 |
+--------------------+----------------------+
+------------------------------------------+----------------------+------+
| TRUSTED_ROOTS_Alias | Validity(UTC) | Type |
+------------------------------------------+----------------------+------+
| 494d720ab73e313b3fb1a7122d3cbc1b52c2719e | Aug 21 03:36:00 2032 | CA |
+------------------------------------------+----------------------+------+
This script will replace the certificates on vCenter Server, please read below important points :
1. Services needs to be restarted for certificate replacement, you may do it manually or let the script do it
2. Services on partner VCs in Linked Mode also needs to be restarted after replacing STS (Secure Token Signing) certificate, as VCs in ELM uses same STS Certificate
Note: Point 2 is Not Applicable for vCenter Server 8.0, as service restart is not required for STS Certificate Replacement on 8.0.
3. Please make sure you have taken OFFLINE SNAPSHOT of all the VCs in the Linked Mode before continuing with the Certificate replacement
Please read above points and enter YES to proceed further [[Yes/yes/YES/Y/y]] ? y
Reading Hostname Type & Deployment Type.
...Waiting for Status
......Success
Doing Pre-Check before starting the actual certificate replacement
...Waiting for Status
......Success
Following are the Certificate Fields based on existing Machine SSL Certificate :
Country : US
Organization : VMware
OrgUnit : VMware Engineering
State : California
Locality : Palo Alto
Do you want to proceed with the default values mentioned above ? please enter YES/NO [[Yes/yes/YES/Y/y] or [No/no/NO/N/n]] ? y
Replacing Machine SSL Cert.
...Waiting for Status
......Success
Updating SSL Trust of Services with new Machine SSL Certificate.
...Waiting for Status
......Success
Stopping All Services.
...Waiting for Status
......Success
Starting All Services.
...Waiting for Status
......Success
Validity of Certificates post replacement:
+--------------------+----------------------+
| CertificateType | Validity(UTC) |
+--------------------+----------------------+
| MACHINE_SSL_CERT | Aug 20 10:41:59 2032 |
| machine | Aug 21 03:36:00 2032 |
| vsphere-webclient | Aug 21 03:36:00 2032 |
| vpxd | Aug 21 03:36:00 2032 |
| vpxd-extension | Aug 21 03:36:00 2032 |
| data-encipherment | Aug 21 03:36:00 2032 |
| SMS | Aug 27 03:41:35 2032 |
| hvc | Aug 21 03:36:00 2032 |
| wcp | Aug 21 03:36:00 2032 |
| Signing Cert (STS) | Aug 21 03:36:00 2032 |
+--------------------+----------------------+
+------------------------------------------+----------------------+------+
| TRUSTED_ROOTS_Alias | Validity(UTC) | Type |
+------------------------------------------+----------------------+------+
| 494d720ab73e313b3fb1a7122d3cbc1b52c2719e | Aug 21 03:36:00 2032 | CA |
+------------------------------------------+----------------------+------+
Successfully Completed the Certificate Replacement -> Total Execution Time ## 678 seconds ##
This completes the certificate renewal, and I was able to connect to the vSphere Client again.
After the renewal, the previous certificates are stored in BACKUP_STORE.
This triggers the [Certificate Status] alarm, so after resetting that alarm
to green, clean up the certificates in BACKUP_STORE following the steps in the
KB below.
Certificate alarm – Clearing BACKUP_STORES certificates in the VCSA
Finally, delete the snapshot taken earlier, and all the work is done.