Raudi
Expert

Certificate alert after upgrade to VCSA 7.0

Hi,

A customer is getting an alert that a certificate will expire soon.

During the upgrade from 6.7 to 7.0 we renewed all certificates and executed the checksts.py script.

The STS has 2 certificates, the leaf expires in 2 years and the root in 8 years.

So we checked all certificate stores and identified this one: STS_INTERNAL_SSL_CERT

This certificate will expire in a few days.

Is this certificate still needed? Can I delete that certificate store? Because on a freshly installed VCSA 7.0 I don't have such a store.

Has someone here seen the same?

Kind regards
Stefan

Accepted Solutions
Ajay1988
VMware Employee

https://kb.vmware.com/s/article/80469 Run through this and get the output of python lsdoctor.py -l; if there are old 5.5 registrations, then use python lsdoctor.py -s to fix the old registrations.

Modify the below file:
/usr/lib/vmware-sso/vmware-sts/conf/server.xml
Modify the 2 entries in server.xml which have "STS_INTERNAL_SSL_CERT" to "MACHINE_SSL_CERT".

And then delete the STS_INTERNAL_SSL_CERT store and restart services.


Follow https://virtual-power.in/f/21-stsd-crash-opening-store-stsinternalsslcert-failed

If you think your queries have been answered
Mark this response as "Correct" or "Helpful".

Regards,
AJ

8 Replies
Sanooj_aj
VMware Employee

Yes, it is from the legacy SSO (port 7444). I am guessing your vCenter was upgraded all the way from 5.5. It does not serve any purpose in 7.0.

I would suggest you just back up the cert and key, just in case, and delete the store with the cert. You can do all that by executing the following:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL.key

Finally delete the store using:

/usr/lib/vmware-vmafd/bin/vecs-cli store delete --name STS_INTERNAL_SSL_CERT

Hope that helps.

Raudi
Expert

This sounds perfect, I expected something of that kind, but wasn't sure if I could delete it.

Even the support can't. He wants to do some research...

We will test it next Friday; I will write the result.

Thank you!

Raudi
Expert

O.k., bad news: the store seems to still be in use. After deleting the store we did a reboot and the service vmware-stsd didn't come up.

So I used this command to recreate the store:

/usr/lib/vmware-vmafd/bin/vecs-cli store create --name STS_INTERNAL_SSL_CERT

and then I followed this KB: https://kb.vmware.com/s/article/76144

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert /var/tmp/machine_ssl.crt --key /var/tmp/machine_ssl.key

Now I again have a valid certificate in the store, which does not expire in a few days, and I was able to start the service.

I have collected a support bundle and sent it to support. This can't be correct...

Sanooj_aj
VMware Employee

That means there could be legacy STS endpoints existing in the service registrations that will need to be cleaned up so that the store is not being used.

Ajay1988
VMware Employee

What is the SR number?

Regards,
AJ

Raudi
Expert

This sounds promising, we will test and report. 😉

The SR: 21212630304

Today I had a phone call with support and he told me to use the fixsts script to repair this; it doesn't help...

Kind regards
Stefan

Raudi
Expert

Problem solved, we only needed to modify the file /usr/lib/vmware-sso/vmware-sts/conf/server.xml and replace the 2 entries.

Thank you!

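As an added example (not the thread's or VMware's own code): a POSIX shell script that applies the server.xml edit from the accepted solution, which the final post confirms was the fix, refusing to edit unless exactly the expected number of STS_INTERNAL_SSL_CERT references is present and keeping a backup, plus the thread's vecs-cli export of the old store's cert and key for rollback. The file paths are the ones quoted in the thread; the sample server.xml content and its attribute names are constructed for the self-contained check and are not the real schema.

```shell
#!/bin/sh
# Added example, not from the thread or VMware. Swaps the STS store reference
# in server.xml from STS_INTERNAL_SSL_CERT to MACHINE_SSL_CERT with a count
# check and a backup; paths below are the ones quoted in the thread.
SERVER_XML="${SERVER_XML:-/usr/lib/vmware-sso/vmware-sts/conf/server.xml}"
VECS=/usr/lib/vmware-vmafd/bin/vecs-cli

# Count occurrences of a store name in a file (prints 0 when absent).
count_store_refs() {  # $1 = file, $2 = store name
    grep -o "$2" "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Replace every STS_INTERNAL_SSL_CERT reference with MACHINE_SSL_CERT.
# Succeeds only if exactly $2 references existed before and none remain after.
swap_sts_store() {  # $1 = file, $2 = expected reference count (thread: 2)
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    before=$(count_store_refs "$file" STS_INTERNAL_SSL_CERT)
    if [ "$before" -ne "$expected" ]; then
        echo "refusing: expected $expected references, found $before" >&2
        return 1
    fi
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    sed 's/STS_INTERNAL_SSL_CERT/MACHINE_SSL_CERT/g' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    [ "$(count_store_refs "$file" STS_INTERNAL_SSL_CERT)" -eq 0 ]
}

# Export the old store's cert and key (the thread's vecs-cli commands) so the
# store can be recreated if vmware-stsd does not come up. Skipped off-box.
backup_sts_store() {  # $1 = output directory
    [ -x "$VECS" ] || { echo "vecs-cli not found; skipping backup" >&2; return 2; }
    "$VECS" entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT \
        --output "$1/STS_INTERNAL.crt" &&
    "$VECS" entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT \
        --output "$1/STS_INTERNAL.key"
}

# Constructed sample with two store references, mirroring the "2 entries";
# attribute names are illustrative, not the real server.xml schema.
make_sample_server_xml() {  # $1 = output path
    cat > "$1" <<'EOF'
<Server>
  <Connector port="8443" store="STS_INTERNAL_SSL_CERT" alias="__MACHINE_CERT"/>
  <Connector port="7444" store="STS_INTERNAL_SSL_CERT" alias="__MACHINE_CERT"/>
</Server>
EOF
}
```

On the appliance, source the script, run backup_sts_store /var/tmp and then swap_sts_store "$SERVER_XML" 2, and restart services afterwards as the accepted solution says. The count check is what keeps a partially edited or already edited server.xml from being rewritten silently.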