Has anyone managed to change the certs on the vCenter Server Appliance? When I enter the command from the VMware pdf, '/usr/sbin/vpxd_servicecfg certificate change rui.crt rui.key', I keep getting an error code of 659, which is 'ERROR_CERTIFICATE_MISTERY'. I've tried putting the CA root cert in /etc/certs/ssl, with a symlink for it at /etc/certs/ssl/hash.0. I've tried importing the root cert into the java keystore at /usr/java/jre-vmware/lib/security/cacert (password is changeit). I believe my cert is trusted, because I can run 'openssl verify rui.crt' and it comes back OK. I can't figure out for the life of me what the error code means.
Alright, I figured it out. Had to concatenate the server cert and the root cert into rui.crt, then pass that and the server key to the vpxd_servicecfg command.
Assuming the certs are named server.crt and root.crt, and the server key is already rui.key, the steps below should work.
1. cat server.crt root.crt > rui.crt
2. /usr/sbin/vpxd_servicecfg certificate change rui.crt rui.key
Success message is: VC_CFG_RESULT=0
Now to get everything working behind a load balancer...
lorengordon's post about concatenating the CA certificate with the host certificate looks promising for resolving the issues related to the vCenter 5.1 Appliance.
Many others have made good suggestions regarding installing the certificates on the various components of a full-blown vCenter installation.
I'm building a script to configure the VCSA and change out the certs. I'll post it once I've done a bit more testing...
Attached is a script that should change out the certificates on the VCSA. It also does a number of other things that you may or may not want. It is pretty heavily commented so you can always comment out sections if you want.
For example, I plan to use a Windows vCenter Server with the Inventory service installed locally, so this script disables those services in the VCSA. I've left the SSO and vSphere Web Client enabled, along with the log browser, netdumper, and syslog-collector.
There is a fair bit of error checking, but use at your own risk. Study the script and test it in a non-production environment.
#CHANGELOG - Version - 2012.10.08-01
Here are the features from the script header:
#FEATURES - this script will
# 1. Accept the EULA
# 2. Configure the fully-qualified hostname
# 3. Join Active Directory (if desired)
# 4. Enable the embedded vCenter SSO service
# 5. Replace the self-signed SSL certs with those provided by a CA
# 6. Re-configure the vSphere Web Client and SSO service to function behind a load-balancer
# 7. Disable undesired embedded services (chkconfig <service> off): vcenter, inventory (for use with an external vCenter Server)
# 8. Set the SSO master password and the admin password
# 9. Add the AD domain as an SSO identity source
#10. Set the root password
Let me know if you have any issues or suggestions.
vcsa-config.sh 22.5 K
Thanks a lot for your contribution with the shell script. I wish a similar one could be built in PowerShell for the Windows side, but I suspect there are far more permutations to deal with.
I used the off the shelf appliance.
Works perfectly. All I had to do was to change the following lines:
LDAP_PROTO=ldap # ldaps or ldap
LDAP_PORT=389 # 389 or 3268 for ldap, 636 or 3269 for ldaps
DISABLE_ROOT_SSH=0 # 1 to disable ssh for root; 0 to leave it enabled
DISABLE_UNDESIRED_SERVICES=0 # 1 to disable undesired services; 0 to leave them enabled
I'm not sure if DISABLE_UNDESIRED_SERVICES=1 works, because I tried it and the vcenter server service was not started after reboot.
Here is how I created the certificates (I use a Microsoft CA):
I used another linux machine to do this.
create a new key:
openssl genrsa -out rui.key 2048
create a new request:
openssl req -new -key rui.key -out rui.csr
request the certificate from the CA (server.cer)
convert the certificate:
openssl x509 -in server.cer -inform d -out rui.crt
Download the CA certificate (root.cer)
convert the root certificate:
openssl x509 -in root.cer -inform d -out root.crt
copy rui.crt, rui.key, root.crt and vcsa-config.sh to the appliance.
On the appliance, run:
./vcsa-config.sh vserver.domain.local 'vCenterrootpassword' rui.crt,root.crt rui.key vserver.domain.local 'domainuserpassword' domainuser domain.local 'ssoserviceuserpassword' 'ssoadminpassword'
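The two recipes above (lorengordon's "server cert first, then root, then hand rui.crt and rui.key to vpxd_servicecfg" and the openssl DER-to-PEM conversion for a Microsoft CA) can be wrapped in a few POSIX shell functions that also run the checks vpxd_servicecfg does not explain when it fails. This is an added example, not code from the thread, the script attachment, or VMware; the function names are mine and the file names are the thread's. It assumes openssl is installed on the Linux box where you prepare the files, as the poster did, and uses only options present in old OpenSSL releases (`-modulus`, `-subject_hash`, `-untrusted`). It goes a little beyond the posts by also accepting intermediate CA certs in the bundle, which is the usual shape of a corporate CA chain.

```shell
#!/bin/sh
# Added example (not from the thread or VMware): prepare and sanity-check
# rui.crt / rui.key before running vpxd_servicecfg. Function names are mine.

# Convert a certificate to PEM. Files downloaded from a Microsoft CA (.cer)
# are usually DER; a file that is already PEM is copied unchanged.
to_pem() {
  in=$1; out=$2
  if grep -q 'BEGIN CERTIFICATE' "$in" 2>/dev/null; then
    cp "$in" "$out"
  else
    openssl x509 -in "$in" -inform DER -out "$out"
  fi
}

# Build rui.crt: server cert first, then any intermediates, then the root.
# Usage: build_rui_crt rui.crt server.crt [intermediate.crt ...] root.crt
build_rui_crt() {
  out=$1; shift
  : > "$out"
  for c in "$@"; do cat "$c" >> "$out"; done
}

# Return 0 only if the bundle is something vpxd_servicecfg should accept:
#  1. the first cert in rui.crt is not self-signed (openssl, and the
#     appliance, read the FIRST cert in the file as the server cert, so a
#     root pasted first is a classic mistake),
#  2. that cert chains to root.crt, using the rest of rui.crt as untrusted
#     intermediates (catches a missing intermediate or the wrong root),
#  3. rui.key is the private key for that cert (RSA modulus comparison).
# Usage: check_rui_pair rui.crt rui.key root.crt
check_rui_pair() {
  crt=$1; key=$2; root=$3
  if [ "$(openssl x509 -in "$crt" -noout -subject_hash)" = \
       "$(openssl x509 -in "$crt" -noout -issuer_hash)" ]; then
    echo "first certificate in $crt is self-signed; put the server cert first" >&2
    return 1
  fi
  # grep for ': OK' rather than trusting the exit code: old openssl releases
  # returned 0 from 'verify' even when verification failed.
  if ! openssl verify -CAfile "$root" -untrusted "$crt" "$crt" 2>/dev/null \
       | grep -q ': OK$'; then
    echo "$crt does not chain to $root (missing intermediate, or wrong root?)" >&2
    return 1
  fi
  cert_mod=$(openssl x509 -in "$crt" -noout -modulus)
  key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  if [ -z "$cert_mod" ] || [ "$cert_mod" != "$key_mod" ]; then
    echo "$key is not the private key for the first certificate in $crt" >&2
    return 1
  fi
  return 0
}

# Command-line use (assumes rui.key is already in the current directory):
#   sh prepare-rui.sh server.cer root.cer      # DER or PEM inputs
if [ "$#" -eq 2 ]; then
  to_pem "$1" server.crt
  to_pem "$2" root.crt
  build_rui_crt rui.crt server.crt root.crt
  check_rui_pair rui.crt rui.key root.crt && echo "rui.crt and rui.key are ready for vpxd_servicecfg"
fi
```

If check_rui_pair passes, the bundle is in the order the first reply found necessary and the key matches; if vpxd_servicecfg still rejects it, the problem is on the appliance side rather than in the files.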
Cool, thanks for the feedback. The option DISABLE_UNDESIRED_SERVICES=1 will disable the embedded vCenter Server by design. It's intended for use with an external vCenter Server...
Thanks very much for the script, it has been very helpful! I'm not using it as-is, but rather picking up clues from it about how to do some things that I hadn't figured out myself yet... I have been trying to achieve something very similar (ie retain vCenter on Windows for now, but move various other components over to VCSA appliances - in particular the Web Client and SSO - and try to achieve HA for them if possible).
What are your thoughts on getting SSO on VCSA working behind a load-balancer? My understanding is that your script results in each VCSA being configured to use its local embedded DB for SSO, but presumably they would either need to point to the same DB, or use replication of some kind? It looks to me like the Windows HA SSO setup takes the former approach (ie I think both SSO instances still depend upon a single database, and if you wanted to achieve HA for the database you'd need to address that separately, although I've not explicitly tested what happens to a Windows HA SSO setup if the DB goes down...).
So I tried setting up a pair of VCSA appliances running nothing but the vmware-vpostgres database (in a master-slave arrangement, using replication), and pointing a pair of VCSA appliances running SSO at them (ie as an external postgres SSO DB). Unfortunately I was unable to get the DB replication to work (I was trying to use postgresql's built-in WAL streaming with the slave configured as a hot-standby), seemingly because the vpostgres install on VCSA is missing some libraries (specifically: libpqwalreceiver.so, but perhaps others too). I guess it makes sense that VMware probably stripped out any unnecessary components from the vPostgres product when bundling it with VCSA.
Next attempt could be a pair of general purpose VMs running vanilla postgresql (rather than VCSA with bundled vpostgres), but at that stage the setup starts to lose some of the benefits of using the VMware supplied appliances. So I'm wondering whether you've had any other thoughts on that side of things...
Very good questions re: HA for SSO. At the moment, the approach I'm investigating is using the scripts in the Windows version of vCenter to repoint the Inventory and vCenter services at each SSO, then reconfiguring the services to use the load-balanced lookup service alias. Or something along those lines.
KB2033620 has the steps, but the VMware scripts and guidance have some issues (assuming default install paths, poorly quoted variables, etc.). And then after fixing those minor things, they break something else that I haven't figured out yet. I keep getting an error in the vSphere Web Client saying that it couldn't authenticate to the Inventory Service. I think there might be some lingering certificate issues. Still investigating. Hoping to have better news later today.
I opened a case with VMware to look into the error message. Re-registering the vCenter Server and Inventory Service with a new SSO breaks something, somehow. Still seems like the cleanest way to get HA for the SSO service, so I'll keep pursuing it.
If we can get it working, it means there isn't any need to reconfigure the SSO URLs. So with the script as it is, just pass the VCSA hostname.fqdn for the 5th parameter, instead of the load-balancer alias.
Tomorrow, I'm going to rebuild it all with the default SSL certificates to see if re-registering works at that point.
P.S. I updated the script today to fix the logbrowser service after updating the SSL certificates. You can download it from the earlier post. Derek Seaman's blog had the answer to that. http://derek858.blogspot.com/2012/10/vmware-vcenter-51-installation-part-14.html
Did anyone try to install a wildcard CA-signed SSL certificate on the vCenter Virtual Appliance?
When I try to install it I always get an error.
I execute this command:
/usr/sbin/vpxd_servicecfg certificate change /root/ssl/rui.crt /root/ssl/rui.key
I tried 3 options:
rui.crt - only my CA-signed wildcard cert
rui.crt - wildcard cert + intermediate cert + root CA cert (cat server.crt intermediate.crt ca.crt > rui.crt)
rui.crt - wildcard cert + root cert
Where did I make a mistake?
The good news is that much of this pain is now removed with the announcement of vCenter Certificate Automation Tool 1.0. You can download the tool at: https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1#drivers_tools
I have just posted a brief post about it at: How to replace vCenter 5.1, SSO, Web Client, vCO Certificates
vCenter Certificate Automation Tool 1.0 is worth your time if you are planning to replace certificates, especially if you are using custom certificates.
Hope this helps & enjoy the new tool!
Your response isn't helpful, as this entire thread is talking about the vCSA (or vCVA), and the documentation of the vCenter Certificate Automation Tool specifically states that you cannot use it to replace the certs on the vCenter Appliance.