VMware Cloud Community
fipes
Contributor

Change Machine Certificate VCSA

Good morning everyone!

I know there're many threads with this topic but I couldn't find an answer for my question.

We've got a VCSA vCenter with 7 hosts.

I need to change the certificate from the VCSA (because of an audit... if we connect to the vCenter there shouldn't be a warning because of the VM certificate)

I've read a lot of How-To's and things like (VMware Knowledge Base) but there's one question (or maybe 2 :) )

If I replace the Machine certificate from the VCSA (Option 1 @ Certificate-manager) do I need to change the certificates for the ESXi Hosts too?

Maybe you guys could assist

Kind regards from Austria

Philipp

4 Replies
daphnissov
Immortal

If your only goal is to remove the warning you get when you connect to vCenter, you don't need to replace the self-signed certificates with custom ones. You can simply download the VMCA root certificate and trust it in your browser. This will eliminate the warning.

0 Kudos
fipes
Contributor

My goal is to import a company certificate into the vCenter so that every user who logs into the vCenter will trust the certificate.

0 Kudos
Raj1988
Enthusiast

Then this KB should be perfect: VMware Knowledge Base. Just replace the machine SSL.

Replacing vCenter 6.0’s SSL Certificate

You do not have to do anything to ESXi's if you need only the vCenter (webclient) to have a trusted certificate.

If your company needs to access ESXi's directly over host client and wants the certs to be trusted, then follow VMware Knowledge Base and change the vpxd.certmgmt.mode to custom.

Change the Certificate Mode

Regards,

AJ

fipes
Contributor

Ty for your response Achary,

I tried to change the certificates but it ran into an error.

Stderr = Job for vmware-stsd.service failed because a timeout was exceeded. See "systemctl status vmware-stsd.service" and "journalctl -xe" for details.
2019-06-11T07:15:52.802Z   {
    "resolution": null,
    "detail": [
        {
            "args": [
                "Stderr: Job for vmware-stsd.service failed because a timeout was exceeded. See \"systemctl status vmware-stsd.service\" and \"journalctl -xe\" for details.\n"
            ],
            "id": "install.ciscommon.command.errinvoke",
            "localized": "An error occurred while invoking external command : 'Stderr: Job for vmware-stsd.service failed because a timeout was exceeded. See \"systemctl status vmware-stsd.service\" and \"journalctl -xe\" for details.\n'",
            "translatable": "An error occurred while invoking external command : '%(0)s'"
        }
    ],
    "componentKey": null,
    "problemId": null
}
Error executing start on service vmware-stsd. Details {
    "resolution": null,
    "detail": [
        {
            "args": [
                "vmware-stsd"
            ],
            "id": "install.ciscommon.service.failstart",
            "localized": "An error occurred while starting service 'vmware-stsd'",
            "translatable": "An error occurred while starting service '%(0)s'"
        }
    ],
    "componentKey": null,
    "problemId": null
}
Service-control failed. Error {
    "resolution": null,
    "detail": [
        {
            "args": [
                "vmware-stsd"
            ],
            "id": "install.ciscommon.service.failstart",
            "localized": "An error occurred while starting service 'vmware-stsd'",
            "translatable": "An error occurred while starting service '%(0)s'"
        }
    ],
    "componentKey": null,
    "problemId": null
ERROR certificate-manager {
    "resolution": null,
    "detail": [
        {
            "args": [
                "None"
            ],
            "id": "install.ciscommon.command.errinvoke",
            "localized": "An error occurred while invoking external command : 'None'",
            "translatable": "An error occurred while invoking external command : '%(0)s'"
        },
        "Error while starting services, please see log for more details"
    ],
    "componentKey": null,
    "problemId": null
}
2019-06-11T07:15:52.811Z INFO certificate-manager Performing rollback of Machine SSL Cert...

If I check "systemctl status vmware-stsd.service" the service was started successfully after some attempts.

vmware-stsd[1691]: ensure environment variables are set
vmware-stsd[1691]: Starting vmware-stsd.
Request for http://localhost:7080/afd failed after 1 seconds. Status: /usr/bin/curl status. Response: 000. Host: localhost has address 127.0.0.1.
Request for http://localhost:7080/afd failed after 1 seconds. Status: /usr/bin/curl status. Response: 000. Host: localhost has address 127.0.0.1
Increasing the timeout window to 2 seconds..
Request for http://localhost:7080/afd failed after 2 seconds. Status: /usr/bin/curl status. Response: 000. Host: localhost has address 127.0.0.1
Increasing the timeout window to 3 seconds..
Request for http://localhost:7080/afd failed after 3 seconds. Status: /usr/bin/curl status. Response: 000. Host: localhost has address 127.0.0.1
Increasing the timeout window to 4 seconds..
Request for http://localhost:7080/afd failed after 4 seconds. Status: /usr/bin/curl status. Response: 000. Host: localhost has address 127.0.0.1
Increasing the timeout window to 5 seconds.........done
systemd[1]: Started LSB: VMWare Security Token Service.

The Machine_SSL certificates were imported successfully but with this error the old certificates are reverted.

I found some information about this error (also that simply stopping this script and rebooting the vCenter should work)

https://cstan.io/?p=8962&lang=en

But I'm a little scared of breaking the vCenter.

Any ideas?

Things I'll try:

https://communities.vmware.com/thread/573397

Kind regards

Philipp

0 Kudos
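
One way to triage the certificate-manager output quoted in the post above, as an added example that is not part of the thread or of VMware's tooling: it pulls the JSON error objects out of the log text, salvages entries from the object that was pasted without its closing brace, and reports which service failed to start and whether the change was rolled back. `SAMPLE`, `iter_json_objects` and `summarize` are names assumed for this example.

```python
import json
import re

# Constructed sample: abridged from the certificate-manager output quoted in the
# post above, including the error object that is missing its closing brace.
SAMPLE = r'''2019-06-11T07:15:52.802Z   {
    "detail": [{"args": ["Stderr: Job for vmware-stsd.service failed because a timeout was exceeded.\n"],
                "id": "install.ciscommon.command.errinvoke"}],
    "componentKey": null, "problemId": null
}
Error executing start on service vmware-stsd. Details {
    "detail": [{"args": ["vmware-stsd"], "id": "install.ciscommon.service.failstart"}]
}
Service-control failed. Error {
    "detail": [{"args": ["vmware-stsd"], "id": "install.ciscommon.service.failstart"}]
ERROR certificate-manager {
    "detail": [{"args": ["None"], "id": "install.ciscommon.command.errinvoke"},
               "Error while starting services, please see log for more details"]
}
2019-06-11T07:15:52.811Z INFO certificate-manager Performing rollback of Machine SSL Cert...
'''

def iter_json_objects(text):
    """Yield each JSON object embedded in free-form log text."""
    decoder, pos = json.JSONDecoder(), 0
    while (start := text.find("{", pos)) != -1:
        try:
            obj, pos = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1  # truncated object: resume inside it to salvage entries
            continue
        yield obj

def summarize(text):
    """Report failing services, error ids, and what (if anything) was rolled back."""
    failed, ids = set(), []
    for obj in iter_json_objects(text):
        # A dict salvaged from a truncated object is itself a "detail" entry.
        for entry in obj.get("detail", [obj]):
            if isinstance(entry, dict) and "id" in entry:
                ids.append(entry["id"])
                if entry["id"].endswith(".service.failstart"):
                    failed.update(entry.get("args", []))
    rollback = re.search(r"Performing rollback of (.+?)\.\.\.", text)
    return {"failed_services": sorted(failed), "error_ids": ids,
            "rolled_back": rollback.group(1) if rollback else None}

if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE), indent=2))
```

A non-empty `rolled_back` value means the previous certificate is back in place, so the replacement has to be repeated once the listed service starts cleanly.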