VMware Cloud Community
MC1903
Enthusiast

VCF 5.1.0 - "Bring-up with signed certs" - First host's certificate is regenerated

I am using the VMware Cloud Foundation Bringup With Signed Certs on ESXi Hosts https://core.vmware.com/resource/vmware-cloud-foundation-bringup-signed-certs-esxi-hosts in my VCF 5.1.0 lab deployment and I have noticed that the first ESXi host is getting its certificate regenerated, when it should not be.

Background:

Prior to starting bring-up, I prep all the VCF hosts with a certificate that has been signed by my Enterprise CA, using my own certificate replacement script. This script takes a backup of the existing self-signed certificate files on each host, uploads the previously generated signed certificate & private key files and then restarts the hostd & vpxa daemons.

The signed certificates and private keys for all 4 of these hosts were generated on 07/12/2023 at 13:23.

Finally, my bring-up .json file has the correctly formatted securitySpec section added with my Enterprise CA root & intermediate certificate chain.

First host's (vcf-m02-esxi-301) certificate files:

At 10:39:45 these were updated by my script, as it created the .bkp_202312321039 files before replacing the originals.

At 11:35:45 they were replaced with vCenter VMCA generated ones.


Other host's (vcf-m02-esxi-302 in this example) certificate files:

Again, at 10:39:50 these were updated by my script as it replaced them with the previously generated ones from 07/12/2023 at 13:23.


Export of tasks/events from the new VCF vCenter Server:

Between 11:35:43 and 11:35:52 the first host (vcf-m02-esxi-301) is added into vCenter Server.


VMCA Certificate from the first host:

Notice the 'Issued On' time is 11:35:45, during the addHost task.


Cloud Builder Bring-up Tasks:

Notice the "Change certificate mode to custom in vCenter" task finish time is 11:36:35.


TL;DR

The first host is added into the new vCenter Server 43 seconds before the vCenter Server's certificate management mode (vpxd.certmgmt.mode) is changed to 'custom', which is why its certificate is regenerated.

The next host does not start to be added until 11:37:48, after the certificate mode change, and hence this one is NOT regenerated.

There is an issue with the task sequencing.

Help

I am not in a position to open an SR, as this is an unsupportable lab environment.

If anyone from the VCF team has time to look into this it would be great.

I have used this process with VCF 4.5.0 and 5.0.0 in the lab and I have not noticed the same issue with those bring-ups (it may have occurred; I just never noticed it).

Thanks

M
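One way to catch this sequencing problem after the fact, as an added example that is not part of the original post or of Cloud Builder: read a task/event export like the one described above and flag every host whose Add-host task started before the "Change certificate mode to custom in vCenter" task finished, since any host added while vpxd.certmgmt.mode is still the default VMCA mode will have had its CA-signed certificate replaced. The CSV layout (start, finish, source, task, target), the start time of the mode-change task and the finish times of the later hosts are constructed assumptions; the other timestamps mirror the post.

```python
"""Flag ESXi hosts that vCenter added before its certificate-management mode
was switched to 'custom', from a CSV export of bring-up tasks."""
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample export (assumed columns: start,finish,source,task,target).
# The 301 add and the mode-change finish follow the post; the rest is made up.
SAMPLE_EXPORT = """start,finish,source,task,target
2023-12-21 11:35:43,2023-12-21 11:35:52,vCenter,Add host,vcf-m02-esxi-301
2023-12-21 11:36:20,2023-12-21 11:36:35,Cloud Builder,Change certificate mode to custom in vCenter,
2023-12-21 11:37:48,2023-12-21 11:38:05,vCenter,Add host,vcf-m02-esxi-302
2023-12-21 11:38:10,2023-12-21 11:38:27,vCenter,Add host,vcf-m02-esxi-303
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
MODE_CHANGE_TASK = "Change certificate mode to custom in vCenter"
ADD_HOST_TASK = "Add host"


def parse_export(text: str) -> List[Dict[str, object]]:
    """Turn the CSV export into task records with datetime start/finish fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "start": datetime.strptime(row["start"].strip(), TS_FORMAT),
            "finish": datetime.strptime(row["finish"].strip(), TS_FORMAT),
            "task": row["task"].strip(),
            "target": row["target"].strip(),
        })
    return records


def mode_change_finish(tasks: List[Dict[str, object]]) -> Optional[datetime]:
    """When did the certificate-mode change complete? None if it never ran."""
    finishes = [t["finish"] for t in tasks if t["task"] == MODE_CHANGE_TASK]
    return max(finishes) if finishes else None


def hosts_added_before_mode_change(tasks: List[Dict[str, object]]) -> Dict[str, int]:
    """Map each host whose Add-host task started before the mode change finished
    to the seconds between its add finishing and the mode change finishing.
    A negative value means the add was still running when the mode flipped;
    either way the host was (at least partly) added under VMCA mode, so its
    certificate should be re-checked against the enterprise CA."""
    cutoff = mode_change_finish(tasks)
    if cutoff is None:
        # Without a mode change every host was added under VMCA mode; make the
        # caller deal with that explicitly rather than returning an empty map.
        raise ValueError("no certificate mode change task found in export")
    at_risk: Dict[str, int] = {}
    for t in tasks:
        if t["task"] == ADD_HOST_TASK and t["start"] < cutoff:
            at_risk[t["target"]] = int((cutoff - t["finish"]).total_seconds())
    return at_risk


if __name__ == "__main__":
    tasks = parse_export(SAMPLE_EXPORT)
    for host, gap in hosts_added_before_mode_change(tasks).items():
        print(f"{host}: added {gap}s before vpxd.certmgmt.mode became 'custom'; "
              "certificate was likely regenerated by the VMCA")
```

Run against the constructed export this reports only vcf-m02-esxi-301, with the 43-second gap the post describes; hosts 302 and 303 start after the cutoff and are not listed. Any host it does list should have its current certificate's issuer compared with the enterprise CA chain before the environment is taken further.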
