Fixing NSX Unable to Connect After Renewing the vCenter Certificate

owner
2024-03-27 / 0 comments / 258 reads


1. Background

The vCenter SSL certificate was about to expire. After renewing it manually through the vCenter UI, NSX could no longer connect to vCenter.

2. Error messages

2.1 NSX - Lookup Service URL error message

NSX Management Service operation failed.( 管理注册服务提供程序初始化失败。 根本原因: com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain is not trusted and thumbprint verification is not configured )

[Image: nsx错误信息.png (NSX error message)]

2.2 vCenter - Host Preparation not ready

Symptom 1: In vCenter, under Networking and Security - Installation and Upgrade - Host Preparation, the status shows Not Ready

Symptom 2: A prompt pops up saying the ESX Agent is not ready

[Image: vcenter未就绪.png (vCenter host preparation not ready)]

3. Solution

3.1 Resolving issue 2.1

Log in to https://vcenter_IP_or_FQDN:5480/ with the vCenter web account and password

Access - Edit - Enable SSH Login - OK

[Image: 开启ssh.png (enabling SSH)]

SSH into vCenter

########################### replace x.x.x.x with the vCenter IP ###########################
MacBook-Pro ~ % ssh root@x.x.x.x

VMware vCenter Server Appliance 6.7.0.50000

Type: vCenter Server with an embedded Platform Services Controller
########################### enter the password ###########################
root@x.x.x.x's password: 
Last login: Wed Mar 27 10:18:33 2024 from 192.168.89.1
Connected to service

    * List APIs: "help api list"
    * List Plugins: "help pi list"
    * Launch BASH: "shell"

########################### type shell and press Enter ###########################
Command> shell
Shell access is granted to root
root@xxx [ ~ ]# 

Place the script ls_ssltrust_fixer_p3.py (download link) under /usr/lib/vmidentity/tools/scripts/

Run the following commands:

########################### scan the certificates ###########################
root@photon-machine [ ~ ]# python /usr/lib/vmidentity/tools/scripts/ls_ssltrust_fixer_p3.py -f scan
Running function 'scan'
Scan Phase1: Getting service IDs
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
Found 35 service IDs
Scan Phase2: Getting spec and verifying certicate/trust
Processing ID: b'2d10e347-d40c-4678-94ed-759afb90cba8'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'5f7e35c3-50ee-4fdc-aba2-95bc6a98099f'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'548ffa6c-233c-49a7-9e06-6f1baab494fe'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'c4160a88-fd51-4e9e-8ce6-837b65987130'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'e0d673d3-f28e-4cff-b8d4-9b8e8020d833'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'default-site:522421e2-cf6f-407f-8965-594832d21e28'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'0b57e806-0c8b-4354-a941-bdcf37652465'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'default-site:af4ac372-7fbd-470a-8e8e-f9de68c1d16b'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'68e23985-a7e0-4497-aa02-b1c98f0f7d7c'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'b9c01fb7-069e-4d5e-b728-5dfc574a7acb'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'31a92fe9-b350-4067-92b8-6f94f7416ab7'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'c9fc7aa6-55cf-464f-8537-4981344db54c'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'd1575df1-c6e2-449e-b615-153841dd98c9'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'68e23985-a7e0-4497-aa02-b1c98f0f7d7c_authz'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'bfd58f1c-9d6e-4f9a-985f-d784f7f4d357'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
skipping validation as external solution on:b'55171520-02b8-4ea2-9276-f1ecc4cb019a_com.vmware.vsphere.client'
Processing ID: b'24b3a39c-6a2c-41d5-b2d9-805f378d0b56'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'442a8577-e202-4457-b297-90827d6e8dce'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'6e98e977-6bde-4c58-bd96-0cfa170c5bab'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'4ecee96d-6e1f-4453-a351-628f9fcff978'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'72c282c0-7a8e-4472-94ba-43c00a0d7ae0'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'68e23985-a7e0-4497-aa02-b1c98f0f7d7c_kv'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'd2662e4c-7db8-40b2-a635-d563995d920c'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'd8183917-3b50-42c1-b4a0-0f4f03dfd654'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'33d42e30-65bf-4e7e-aa9f-2332d24e447c'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'default-site:9f8144ec-b405-40fd-8f1f-0aee6b3e6185'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'55171520-02b8-4ea2-9276-f1ecc4cb019a'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'6e901082-6a36-4239-86cc-463c7059f8d6'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'e304c0b9-01c2-424b-a5c2-2ffde66e76fa'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'654b4cdb-7405-4aea-b4ad-d6a279f5e6d7'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'6db23bca-9379-4a0c-84ea-09c255247849'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'450323ff-0d00-4b49-b09e-29ef2bdcd927'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'910bed68-59c8-487b-b8ab-967a13ddce48'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'cfe3b13a-fef3-4a58-b461-5212baccb8ca'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x
Processing ID: b'b78e3c49-b904-437f-af2f-5db2fad76c9f'
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
FQDN used to retrieve current certificate:x.x.x.x

***WARNING*** 4 Mismatched ID(s) found
Written mismatched IDs to /var/log/ls_ssltrust_fixer/mismatchIDs
List of registrations with cert mismatch
****************************************
ID: b'default-site:522421e2-cf6f-407f-8965-594832d21e28'
  spec: /var/log/ls_ssltrust_fixer/default-site%522421e2-cf6f-407f-8965-594832d21e28
  cert in use: /var/log/ls_ssltrust_fixer/default-site%522421e2-cf6f-407f-8965-594832d21e28.newcert

ID: b'default-site:af4ac372-7fbd-470a-8e8e-f9de68c1d16b'
  spec: /var/log/ls_ssltrust_fixer/default-site%af4ac372-7fbd-470a-8e8e-f9de68c1d16b
  cert in use: /var/log/ls_ssltrust_fixer/default-site%af4ac372-7fbd-470a-8e8e-f9de68c1d16b.newcert

ID: b'default-site:9f8144ec-b405-40fd-8f1f-0aee6b3e6185'
  spec: /var/log/ls_ssltrust_fixer/default-site%9f8144ec-b405-40fd-8f1f-0aee6b3e6185
  cert in use: /var/log/ls_ssltrust_fixer/default-site%9f8144ec-b405-40fd-8f1f-0aee6b3e6185.newcert

ID: b'cfe3b13a-fef3-4a58-b461-5212baccb8ca'
  spec: /var/log/ls_ssltrust_fixer/cfe3b13a-fef3-4a58-b461-5212baccb8ca
  cert in use: /var/log/ls_ssltrust_fixer/cfe3b13a-fef3-4a58-b461-5212baccb8ca.newcert

Please DOUBLE CHECK the detection before running 'fix'
NOTE: Partial upgrade state of 5.5 to 6.x is unsupported for this tool- 5.5 web client registration might change

Completed running function 'scan'
########################### fix command ###########################
root@photon-machine [ ~ ]# python /usr/lib/vmidentity/tools/scripts/ls_ssltrust_fixer_p3.py -f fix
Running function 'fix'
Fix phase 1: Reading IDs with incorrect certificate from scan results
Using mismatch ID list from: /var/log/ls_ssltrust_fixer/mismatchIDs
########################### web login account; press Enter to accept the default ###########################
SSO administrator user (Default:Administrator@vsphere.local):
########################### enter the web login password ###########################
Password for Administrator@vsphere.local:
Fix phase 2: Collecting site topology information
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
<class 'bytes'>
Fix Phase 3: creating new spec file with new ssltrust values and register

Fixing ID: default-site:522421e2-cf6f-407f-8965-594832d21e28
Updated 1 End points with new cert for ID: default-site:522421e2-cf6f-407f-8965-594832d21e28
Re-registering ID: default-site:522421e2-cf6f-407f-8965-594832d21e28 using lsURL: https://x.x.x.x/lookupservice/sdk
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
Fixing ID: default-site:522421e2-cf6f-407f-8965-594832d21e28 completed


Fixing ID: default-site:af4ac372-7fbd-470a-8e8e-f9de68c1d16b
Updated 1 End points with new cert for ID: default-site:af4ac372-7fbd-470a-8e8e-f9de68c1d16b
Re-registering ID: default-site:af4ac372-7fbd-470a-8e8e-f9de68c1d16b using lsURL: https://x.x.x.x/lookupservice/sdk
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
Fixing ID: default-site:af4ac372-7fbd-470a-8e8e-f9de68c1d16b completed


Fixing ID: default-site:9f8144ec-b405-40fd-8f1f-0aee6b3e6185
Updated 1 End points with new cert for ID: default-site:9f8144ec-b405-40fd-8f1f-0aee6b3e6185
Re-registering ID: default-site:9f8144ec-b405-40fd-8f1f-0aee6b3e6185 using lsURL: https://x.x.x.x/lookupservice/sdk
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
Fixing ID: default-site:9f8144ec-b405-40fd-8f1f-0aee6b3e6185 completed


Fixing ID: cfe3b13a-fef3-4a58-b461-5212baccb8ca
Updated 8 End points with new cert for ID: cfe3b13a-fef3-4a58-b461-5212baccb8ca
Re-registering ID: cfe3b13a-fef3-4a58-b461-5212baccb8ca using lsURL: https://x.x.x.x/lookupservice/sdk
Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
-Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
-Dorg.apache.xml.security.ignoreLineBreaks=true
Fixing ID: cfe3b13a-fef3-4a58-b461-5212baccb8ca completed

*** 11 endpoints for 4 service IDs updated with current cetificates and trust ***
Completed running function 'fix'
root@photon-machine [ ~ ]# 

Once the fix completes, go to the NSX management UI and run Lookup Service URL again; it now completes successfully.
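The scan above works by comparing the certificate recorded in each Lookup Service registration (its ssltrust value) with the certificate the endpoint actually serves now; the exception in 2.1 is what a client reports when those two diverge and it has no configured thumbprint to fall back on. The Python below is an added illustration of that comparison, not code from this post or from VMware's ls_ssltrust_fixer tool: it derives thumbprints from PEM input and lists registrations whose recorded certificate no longer matches the one in use. The fake_pem helper, the OLD_CERT/NEW_CERT blobs and the SAMPLE_REGISTRATIONS dictionary are constructed for the demo (the blobs are not real X.509 certificates; only their DER bytes are hashed, which is all a thumbprint needs), and the service IDs are reused from the scan output.

```python
import base64
import hashlib
import re
import ssl
from typing import Dict, List, Tuple

# Matches the first certificate block in a PEM file or a pasted spec value.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM string."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def thumbprint(pem: str, algo: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER form, the format
    vSphere shows as a certificate thumbprint (SHA-1 by default)."""
    digest = hashlib.new(algo, pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_mismatches(registrations: Dict[str, Tuple[str, str]]) -> List[str]:
    """registrations maps service ID -> (cert stored in the registration spec,
    cert the endpoint serves now). Returns the IDs whose stored trust no longer
    matches what is served, i.e. the ones the scan would flag."""
    return [
        service_id
        for service_id, (spec_pem, inuse_pem) in registrations.items()
        if pem_to_der(spec_pem) != pem_to_der(inuse_pem)
    ]


def fetch_server_cert(host: str, port: int = 443) -> str:
    """Fetch the certificate an endpoint currently serves, in PEM form.
    Needs network access; the offline demo below does not call it."""
    return ssl.get_server_certificate((host, port))


# --- constructed sample input (not real certificates) -----------------------

def fake_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes as a PEM block so the DER hashing path can be shown."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


OLD_CERT = fake_pem(b"constructed: certificate before renewal")
NEW_CERT = fake_pem(b"constructed: certificate after renewal")

# Two registrations still carry the pre-renewal certificate, one is up to date.
SAMPLE_REGISTRATIONS = {
    "default-site:522421e2-cf6f-407f-8965-594832d21e28": (OLD_CERT, NEW_CERT),
    "cfe3b13a-fef3-4a58-b461-5212baccb8ca": (OLD_CERT, NEW_CERT),
    "2d10e347-d40c-4678-94ed-759afb90cba8": (NEW_CERT, NEW_CERT),
}


def report(registrations: Dict[str, Tuple[str, str]]) -> List[str]:
    """Build a scan-style report; returned as lines so it can be checked."""
    mismatched = find_mismatches(registrations)
    lines = [f"*** {len(mismatched)} mismatched ID(s) found ***"]
    for service_id in mismatched:
        spec_pem, inuse_pem = registrations[service_id]
        lines.append(f"ID: {service_id}")
        lines.append(f"  registered thumbprint: {thumbprint(spec_pem)}")
        lines.append(f"  served thumbprint:     {thumbprint(inuse_pem)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REGISTRATIONS)))
```

Used against a live appliance, fetch_server_cert("vcenter_IP_or_FQDN") returns the certificate that NSX and every other solution user will be presented with; comparing its thumbprint with the one recorded before renewal is a quick pre-check that tells you whether registrations still need updating, before anything is re-registered.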

3.2 Resolving issue 2.2

SSH into vCenter and run the following commands:

########################### replace x.x.x.x with the vCenter IP ###########################
MacBook-Pro ~ % ssh root@x.x.x.x

VMware vCenter Server Appliance 6.7.0.50000

Type: vCenter Server with an embedded Platform Services Controller
########################### enter the password ###########################
root@192.168.88.49's password:
Password: 

[ERROR]: Failed to connect to service.
Use service-control command to manage applmgmt service

    * List APIs: "help api list"
    * List Plugins: "help pi list"
    * Launch BASH: "shell"
########################### type shell ###########################
Command> shell
Shell access is granted to root
########################### create a directory ###########################
root@photon-machine [ ~ ]# mkdir /certificate
########################### export the certificate (crt) ###########################
root@photon-machine [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt
########################### export the private key ###########################
root@photon-machine [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key
########################### update the extension certificate ###########################
########################### -s: vCenter IP   -u: web login user ###########################
root@photon-machine [ ~ ]# python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s x.x.x.x -u Administrator@vsphere.local
########################### enter the web login password ###########################
Password to connect to VC server for user="Administrator@vsphere.local":
2024-03-27T03:39:24.377Z  Updating certificate for "com.vmware.vim.eam" extension
2024-03-27T03:39:24.498Z  Successfully updated certificate for "com.vmware.vim.eam" extension
2024-03-27T03:39:24.517Z  Verified login to vCenter Server using certificate="/certificate/vpxd-extension.crt" is successful

After the update finishes, refresh the vCenter web page and check the status shown on the firewall page

[Image: vcenter正常.png (vCenter back to normal)]
