topic Certificate alert after upgrade to VCSA 7.0 in VMware vCenter™ Discussions

Certificate alert after upgrade to VCSA 7.0

Raudi — Tue, 13 Apr 2021 07:24:09 GMT

Hi,

a customer is gettng a altert that a certificate will expire soon.

During upgrade from 6.7 to 7.0 we renew all certificates and we executed the checksts.py script.

The STS has 2 certificates, the leaf expires in 2 years and the root in 8 years.

So we checked all certificate stores and identified this one: STS_INTERNAL_SSL_CERT

This certificate will expire in a few days.

Is this certificate still needed? Can i delete that certificate store? Because on a fresh installed VCSA 7.0 i havn't such a store.

Has someone here seen the same?

Kind regards
Stefan

Re: Certificate alert after upgrade to VCSA 7.0

Sanooj_aj — Wed, 14 Apr 2021 01:55:49 GMT

Yes it is from the legacy SSO (port 7444), I am guessing your vCenter was upgraded all the way from 5.5 - It does not serve any purposes in 7.0.

I would suggest you to just backup the cert and key just in case and delete the store with the cert. You can do all that by executing following

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL.key

Finally delete the store using:

/usr/lib/vmware-vmafd/bin/vecs-cli store delete --name STS_INTERNAL_SSL_CERT

Hope that helps.

Re: Certificate alert after upgrade to VCSA 7.0

Raudi — Wed, 14 Apr 2021 15:45:52 GMT

This sounds perfect, i expected something that kind, but wasn't shure if i can delete it.

Even the support can't. He want's to do some research...

We will test it next friday, i will write the result.

Thank you!

Re: Certificate alert after upgrade to VCSA 7.0

Raudi — Fri, 16 Apr 2021 08:27:22 GMT

O.k. bad news, the store seems to be still in use, after deleting the store we made a reboot and the service vmware-stsd don't came up.

So i used this command to recreate the store:

/usr/lib/vmware-vmafd/bin/vecs-cli store create --name STS_INTERNAL_SSL_CERT

and then i followed this KB: https://kb.vmware.com/s/article/76144

usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert /var/tmp/machine_ssl.crt --key /var/tmp/machine_ssl.key

Now i have again a valid certificate, which do not expire in a few days, in the store and i was able to start the service.

I have collected a support bundle and send it to the support. This can't be correct...

Re: Certificate alert after upgrade to VCSA 7.0

Sanooj_aj — Fri, 16 Apr 2021 19:41:45 GMT

That means there could be legacy sts endpoints exists in the service registrations that will need to be cleaned up so that the store is not being used.

Re: Certificate alert after upgrade to VCSA 7.0

Ajay1988 — Tue, 20 Apr 2021 03:50:50 GMT

What is the SR number ?

Re: Certificate alert after upgrade to VCSA 7.0

Ajay1988 — Tue, 20 Apr 2021 13:49:56 GMT

https://kb.vmware.com/s/article/80469 Run through this and get output for python lsdoctor.py -l and if there is old 5.5 registrations ; then use python lsdoctor.py -s to fix old registrations .

Modify the below file :-
/usr/lib/vmware-sso/vmware-sts/conf/server.xml : Modify the 2 entries in the server.xml which has "STS_INTERNAL_SSL_CERT" to "MACHINE_SSL_CERT" .

And then delete the STS_INTERNAL_SSL_CERT store and restart services.

Follow https://virtual-power.in/f/21-stsd-crash-opening-store-stsinternalsslcert-failed

Re: Certificate alert after upgrade to VCSA 7.0

Raudi — Tue, 20 Apr 2021 16:02:41 GMT

This sounds promising, we will test and report.

The SR: 21212630304

Today i had a phonecall with the support and he told me to use the fixsts script to repair this, doesn't help...

Kind regards
Stefan

Re: Certificate alert after upgrade to VCSA 7.0

Raudi — Wed, 21 Apr 2021 08:38:25 GMT

Problem solved, we need only to modify the file /usr/lib/vmware-sso/vmware-sts/conf/server.xml and replace the 2 entries.

Thank you!