ettore.dreucci/ettore.dreucci.it
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Corrected newline

Browse Source 
Signed-off-by: Ettore Dreucci <ettore.dreucci@gmail.com>
This commit is contained in:
Ettore Dreucci
2021-02-22 23:59:26 +01:00
parent d7fa207229
commit ab52e495fb
1 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
content/blog/vsphere-sts-cert-replace.md
View File

@@ -11,9 +11,13 @@ draft: false
## [[recipe]({{< ref "/categories/recipe" >}}), [sysadmin]({{< ref "/categories/sysadmin" >}})]: How to replace an expiring/expired vSphere 6.x/7.x STS cert ## [[recipe]({{< ref "/categories/recipe" >}}), [sysadmin]({{< ref "/categories/sysadmin" >}})]: How to replace an expiring/expired vSphere 6.x/7.x STS cert
New job, new problems: back from the weekend I booted my work laptop and started working on deploying a new VM on our internal small VMware ESXi cluster. New job, new problems: back from the weekend I booted my work laptop and started working on deploying a new VM on our internal small VMware ESXi cluster.
So I opened the vCenter web client, entered my credential and after a click on the `Submit` button I stared in disbelief at an error stating `User name and password are required`. So I opened the vCenter web client, entered my credential and after a click on the `Submit` button I stared in disbelief at an error stating `User name and password are required`.
I blinked and made sure that no, Im not still sleeping and Ive typed both the user and the password, even in the correct fields! I blinked and made sure that no, Im not still sleeping and Ive typed both the user and the password, even in the correct fields!
First guess, some weird stuff with browser cache or some old cookie still alive: reloaded the page, restarted the browser, cleared the cache but the problem remained. Nice way to start the week! First guess, some weird stuff with browser cache or some old cookie still alive: reloaded the page, restarted the browser, cleared the cache but the problem remained. Nice way to start the week!
After a bit of google-fu [a wild](https://kb.vmware.com/s/article/76719) VMware knowledge-base article appeared which describes the exact problem I was experiencing. Yay! Cause: the Security Token Service certificate has expired. An additional note stated that `when the STS certificate expires, it does so without warning`. Lovely! After a bit of google-fu [a wild](https://kb.vmware.com/s/article/76719) VMware knowledge-base article appeared which describes the exact problem I was experiencing. Yay! Cause: the Security Token Service certificate has expired. An additional note stated that `when the STS certificate expires, it does so without warning`. Lovely!
So without further ado heres some mitigating actions: So without further ado heres some mitigating actions:
@@ -42,11 +46,15 @@ So without further ado heres some mitigating actions:
### Check for other expired certificates ### Check for other expired certificates
1. Run the following one-liner and check for expired certs 1. Run the following one-liner and check for expired certs
`for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done` `for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done`
2. Run the vSphere Certificate Manager with `/usr/lib/vmware-vmca/bin/certificate-manager` as explained [here](https://kb.vmware.com/s/article/2097936) 2. Run the vSphere Certificate Manager with `/usr/lib/vmware-vmca/bin/certificate-manager` as explained [here](https://kb.vmware.com/s/article/2097936)
1. If only Machine SSL Cert is expired run option 3 1. If only Machine SSL Cert is expired run option 3
2. If any root cert is expired run option 8 2. If any root cert is expired run option 8
3. If any `vpxd`, `vpxd-extension`, `machine`, `vsphere-webclient` cert is expired run option 6 3. If any `vpxd`, `vpxd-extension`, `machine`, `vsphere-webclient` cert is expired run option 6
4. If the service restart still fails then use option 4 4. If the service restart still fails then use option 4
### End.
Now all the services should be up and running and the web client accepting your credentials! Now all the services should be up and running and the web client accepting your credentials!