vcsa证书过期导致无法登录故障
1.ssh登录VCSA,查看证书状态
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;2.使用VCSA自带的证书管理工具更新
/usr/lib/vmware-vmca/bin/certificate-manager
root@vcsa02 [ /storage/archive/vpostgres ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.7 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : CA] :
Enter proper value for 'Organization' [Default value : VMware] :
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 10.12.0.125
Enter proper value for 'Email' [Default value : email@acme.com] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vcsa02.idc.cqut.edu.cn
Enter proper value for VMCA 'Name' :vcsa02.idc.cqut.edu.cn
Continue operation : Option[Y/N] ? : y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site nameCompleted [Reset Machine SSL Cert...]
default-site
Lookup all services
Get service default-site:e76540dd-1cdc-4912-bf78-ec258f919dc3
Update service default-site:e76540dd-1cdc-4912-bf78-ec258f919dc3; spec: /tmp/svcspec_9mt88_e7
Get service default-site:3baa7a85-f252-482d-89fe-7c2dbb67ed00
Update service default-site:3baa7a85-f252-482d-89fe-7c2dbb67ed00; spec: /tmp/svcspec_8hiw7lyr
Get service default-site:038cef07-710b-4fa2-91c2-cdfc2fc00b2a
Update service default-site:038cef07-710b-4fa2-91c2-cdfc2fc00b2a; spec: /tmp/svcspec_gzb5bvqn
Get service 803aefa6-35fa-4b21-ba3f-408024f00afa
Update service 803aefa6-35fa-4b21-ba3f-408024f00afa; spec: /tmp/svcspec_2o_n_6j0
Get service c4d43c0a-42b4-4103-82b8-4517ce9e4110
Update service c4d43c0a-42b4-4103-82b8-4517ce9e4110; spec: /tmp/svcspec_6rirdql7
Get service e4156f67-21ad-410f-a169-f74e05ad5880
Update service e4156f67-21ad-410f-a169-f74e05ad5880; spec: /tmp/svcspec_vlfg9l0f
Get service 3419c12d-064e-4c33-99b0-d1bff1187bde
Update service 3419c12d-064e-4c33-99b0-d1bff1187bde; spec: /tmp/svcspec_9aa9482c
Get service 89aea723-859e-456b-baf4-6e611f6b2243
Update service 89aea723-859e-456b-baf4-6e611f6b2243; spec: /tmp/svcspec_wofq9hpc
Get service 4824b57c-3659-4f88-ba38-f88fe92df825
Update service 4824b57c-3659-4f88-ba38-f88fe92df825; spec: /tmp/svcspec_lgz_jbpz
Get service 5513c447-8a0c-4eb7-b790-4799fb1bfa29
Update service 5513c447-8a0c-4eb7-b790-4799fb1bfa29; spec: /tmp/svcspec_d02m306g
Get service 8aea25bc-4248-46e4-9b94-dc8fed782599
Update service 8aea25bc-4248-46e4-9b94-dc8fed782599; spec: /tmp/svcspec_0ffv4nde
Get service 820510fa-1fbe-451a-9510-b75e3eeaf642
Update service 820510fa-1fbe-451a-9510-b75e3eeaf642; spec: /tmp/svcspec_hupi47a2
Get service db67415f-2414-42b3-b2db-1049a38baf49_com.vmware.vsphere.client
Don't update service db67415f-2414-42b3-b2db-1049a38baf49_com.vmware.vsphere.client
Get service 21b3da4a-3801-483f-9496-00bfa0e56323
Update service 21b3da4a-3801-483f-9496-00bfa0e56323; spec: /tmp/svcspec_8z5x_f4v
Get service 1903999d-f5e6-4015-8670-f48518065cda
Update service 1903999d-f5e6-4015-8670-f48518065cda; spec: /tmp/svcspec_013uocf1
Get service db67415f-2414-42b3-b2db-1049a38baf49
Update service db67415f-2414-42b3-b2db-1049a38baf49; spec: /tmp/svcspec_slmwb8xv
Get service 18b4bbad-da17-4e67-89c7-e698f8a65915
Update service 18b4bbad-da17-4e67-89c7-e698f8a65915; spec: /tmp/svcspec_vpqu97b2
Get service 80445137-a283-48ff-aeaf-99233840391f
Update service 80445137-a283-48ff-aeaf-99233840391f; spec: /tmp/svcspec__vtzli3q
Get service 68d50d9b-4c0c-450b-9330-1e78ce441b61
Update service 68d50d9b-4c0c-450b-9330-1e78ce441b61; spec: /tmp/svcspec_rksczx55
Get service 0ffca0be-9d2d-4172-a869-9f36d902ff18
Update service 0ffca0be-9d2d-4172-a869-9f36d902ff18; spec: /tmp/svcspec_7zsrtf5e
Get service e3e1e0a3-5b6f-4cc1-ae74-a310225faed3
Update service e3e1e0a3-5b6f-4cc1-ae74-a310225faed3; spec: /tmp/svcspec_y3s82wuw
Get service 946c52f0-5a93-4d2d-acb0-fb96ca581dbc
Update service 946c52f0-5a93-4d2d-acb0-fb96ca581dbc; spec: /tmp/svcspec_tz70hfas
Get service 4cd99b77-367d-4ccf-9094-5a187dfe57bc
Update service 4cd99b77-367d-4ccf-9094-5a187dfe57bc; spec: /tmp/svcspec_r0w53gjf
Get service 5513c447-8a0c-4eb7-b790-4799fb1bfa29_authz
Update service 5513c447-8a0c-4eb7-b790-4799fb1bfa29_authz; spec: /tmp/svcspec_rbuvoyqn
Get service fca85381-90d7-43d1-84c6-786476f6b87c
Update service fca85381-90d7-43d1-84c6-786476f6b87c; spec: /tmp/svcspec_tbooyzy_
Get service 20f271cd-24a8-47da-8de3-0cdc9b62ddba
Update service 20f271cd-24a8-47da-8de3-0cdc9b62ddba; spec: /tmp/svcspec_u1gsptgv
Get service 42a36c3a-c943-4f67-9a2c-a54f058db360
Update service 42a36c3a-c943-4f67-9a2c-a54f058db360; spec: /tmp/svcspec_dlkk4bb0
Get service 598a9f1a-e54a-4fba-9a09-52b0cfa9e786
Update service 598a9f1a-e54a-4fba-9a09-52b0cfa9e786; spec: /tmp/svcspec_1a2uxq0m
Get service 2968b170-74ab-4162-a920-bdcedbf83e8c
Update service 2968b170-74ab-4162-a920-bdcedbf83e8c; spec: /tmp/svcspec_6b6zkz9e
Get service 6466292c-f84f-4e13-b35d-bfc03ef7d836
Update service 6466292c-f84f-4e13-b35d-bfc03ef7d836; spec: /tmp/svcspec_k8fjrb7n
Get service 5513c447-8a0c-4eb7-b790-4799fb1bfa29_kv
Update service 5513c447-8a0c-4eb7-b790-4799fb1bfa29_kv; spec: /tmp/svcspec_gdz03nl7
Get service 550c554a-cc82-4884-afdd-d6bf5fba7920
Update service 550c554a-cc82-4884-afdd-d6bf5fba7920; spec: /tmp/svcspec_zl6o18u9
Get service c632f8f5-04ad-4213-a236-81e5f5d0e9b8
Update service c632f8f5-04ad-4213-a236-81e5f5d0e9b8; spec: /tmp/svcspec_m2an0qhi
Get service eb7d099a-3f05-4f2a-94c5-06153958aea9
Update service eb7d099a-3f05-4f2a-94c5-06153958aea9; spec: /tmp/svcspec_v97zzdrp
Get service eea9b7b5-0174-4541-bd13-871d57723e1e
Update service eea9b7b5-0174-4541-bd13-871d57723e1e; spec: /tmp/svcspec_0td0sw9k
Updated 34 service(s)
Status : 60% Completed [Reset vpxd-extension Cert...]
2024-08-05T16:06:34.146Z Updating certificate for "com.vmware.vim.eam" extension
2024-08-05T16:06:34.735Z Updating certificate for "com.vmware.rbd" extension
2024-08-05T16:06:35.302Z Updating certificate for "com.vmware.imagebuilder" extension
Reset status : 100% Completed [Reset completed successfully]3.这时应该可以正常登录VCSA了
