New post: How to replace an expiring/expired vSphere 6.x/7.x STS cert

Signed-off-by: Ettore Dreucci <ettore.dreucci@gmail.com>
2021-02-22 23:56:22 +01:00
parent 1100f83a4f
commit d7fa207229


@@ -0,0 +1,52 @@
---
title: "vSphere 6.x/7.x STS Certificate Replace"
tags: ["vsphere", "sts", "cert"]
categories: ["recipe", "sysadmin"]
description: "How to replace an expiring/expired vSphere 6.x/7.x STS cert"
date: 2021-02-22T23:06:08+01:00
author: "Ettore Dreucci"
draft: false
---
## [[recipe]({{< ref "/categories/recipe" >}}), [sysadmin]({{< ref "/categories/sysadmin" >}})]: How to replace an expiring/expired vSphere 6.x/7.x STS cert
New job, new problems: back from the weekend I booted my work laptop and started working on deploying a new VM on our internal small VMware ESXi cluster.
So I opened the vCenter web client, entered my credential and after a click on the `Submit` button I stared in disbelief at an error stating `User name and password are required`.
I blinked and made sure that no, Im not still sleeping and Ive typed both the user and the password, even in the correct fields!
First guess, some weird stuff with browser cache or some old cookie still alive: reloaded the page, restarted the browser, cleared the cache but the problem remained. Nice way to start the week!
After a bit of google-fu [a wild](https://kb.vmware.com/s/article/76719) VMware knowledge-base article appeared which describes the exact problem I was experiencing. Yay! Cause: the Security Token Service certificate has expired. An additional note stated that `when the STS certificate expires, it does so without warning`. Lovely!
So without further ado heres some mitigating actions:
### Check the expiration of the STS cert:
1. Download the Python script linked [here](https://kb.vmware.com/s/article/79248) on the VCSA and make it executable
2. Run it!
3. If the STS cert is shown as expired or is about to...
### Replace the STS cert with a new one:
1. Download the Python script linked [here](https://kb.vmware.com/s/article/76719) on the VCSA and make it executable
2. Run it!
3. Restart all services in SSO domain by:
```
service-control --stop --all
service-control --start --all
```
4. If the STS cert was already expired it is possible that other certs are expired as well thus the restart will fail (and youll start to sweat feeling the pressure of having destroyed a “perfectly functioning” system) so youll have to...
### Check for other expired certificates
1. Run the following one-liner and check for expired certs
`for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done`
2. Run the vSphere Certificate Manager with `/usr/lib/vmware-vmca/bin/certificate-manager` as explained [here](https://kb.vmware.com/s/article/2097936)
1. If only Machine SSL Cert is expired run option 3
2. If any root cert is expired run option 8
3. If any `vpxd`, `vpxd-extension`, `machine`, `vsphere-webclient` cert is expired run option 6
4. If the service restart still fails then use option 4
Now all the services should be up and running and the web client accepting your credentials!
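Review bot: the recipe has no "take a snapshot of the VCSA first" step before "Replace the STS cert with a new one", even though it goes on to run certificate-manager option 8 (when a root cert is expired) and option 4 (when the restart still fails) and itself warns about "having destroyed a 'perfectly functioning' system"; add a snapshot/backup step ahead of running the fix script so the reader has a way back if the `service-control --stop --all` / `--start --all` restart fails. Two smaller points: "Download the Python script linked here on the VCSA and make it executable / Run it!" appears verbatim for both KB 79248 and KB 76719 without naming either file or giving the actual `chmod` and invocation, so record the script names and exact commands to make the steps reproducible (and double-check that the KB 76719 fix script really is Python rather than a shell script); and the contractions in the body ("Im", "Ive", "heres", "youll") are missing their apostrophes.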