Hi,
a customer is getting an alert that a certificate will expire soon.
During the upgrade from 6.7 to 7.0 we renewed all certificates and we executed the checksts.py script.
The STS has 2 certificates, the leaf expires in 2 years and the root in 8 years.
So we checked all certificate stores and identified this one: STS_INTERNAL_SSL_CERT
This certificate will expire in a few days.
Is this certificate still needed? Can I delete that certificate store? Because on a freshly installed VCSA 7.0 I don't have such a store.
Has someone here seen the same?
Kind regards
Stefan
Yes, it is from the legacy SSO (port 7444). I am guessing your vCenter was upgraded all the way from 5.5. It does not serve any purpose in 7.0.
I would suggest you just back up the cert and key, just in case, and delete the store with the cert. You can do all that by executing the following:
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL.key
Finally delete the store using:
/usr/lib/vmware-vmafd/bin/vecs-cli store delete --name STS_INTERNAL_SSL_CERT
Hope that helps.
This sounds perfect, I expected something of that kind, but wasn't sure if I could delete it.
Even support can't. He wants to do some research...
We will test it next Friday; I will write the result.
Thank you!
OK, bad news: the store seems to be still in use. After deleting the store we made a reboot and the service vmware-stsd didn't come up.
So I used this command to recreate the store:
/usr/lib/vmware-vmafd/bin/vecs-cli store create --name STS_INTERNAL_SSL_CERT
and then I followed this KB: https://kb.vmware.com/s/article/76144
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.key
/usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert /var/tmp/machine_ssl.crt --key /var/tmp/machine_ssl.key
Now I again have a valid certificate in the store, one that does not expire in a few days, and I was able to start the service.
I have collected a support bundle and sent it to support. This can't be correct...
That means there could be legacy STS endpoints in the service registrations that will need to be cleaned up so that the store is not being used.
What is the SR number?
https://kb.vmware.com/s/article/80469 Run through this and get the output of python lsdoctor.py -l, and if there are old 5.5 registrations, then use python lsdoctor.py -s to fix the old registrations.
Modify the below file:
/usr/lib/vmware-sso/vmware-sts/conf/server.xml : modify the 2 entries in server.xml which have "STS_INTERNAL_SSL_CERT" to "MACHINE_SSL_CERT".
And then delete the STS_INTERNAL_SSL_CERT store and restart services.
Follow https://virtual-power.in/f/21-stsd-crash-opening-store-stsinternalsslcert-failed
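The server.xml edit described in the answer above, as an added shell example that is not from this thread or from VMware: it refuses to touch the file unless exactly the expected number of references to the old store exist, keeps a timestamped backup, and verifies nothing is left behind. The sample server.xml content is constructed for the demonstration (the attribute layout of the real file is assumed, not reproduced), so run it against a copy of the real file first.

```shell
# Swap a VECS store name inside a server.xml copy, but only when the file looks
# like the one the thread describes (exactly $expected quoted references).
# Returns 0 on success, 1 if the file is missing, 2 if the count does not match,
# 3 if references survive the rewrite.
swap_sts_store() {
    xml="$1"
    old="${2:-STS_INTERNAL_SSL_CERT}"
    new="${3:-MACHINE_SSL_CERT}"
    expected="${4:-2}"
    [ -f "$xml" ] || { echo "missing $xml" >&2; return 1; }

    # Count quoted occurrences, not lines, so a file with an unexpected layout is rejected.
    n=$(grep -o "\"$old\"" "$xml" | wc -l | tr -d ' ')
    if [ "$n" -ne "$expected" ]; then
        echo "expected $expected references to $old, found $n; not touching $xml" >&2
        return 2
    fi

    # Timestamped backup keeps the original recoverable if the STS service fails to start.
    cp -p "$xml" "$xml.bak.$(date +%Y%m%d%H%M%S)"

    # Portable in-place rewrite (no GNU-only sed flags): write a copy, then move it over.
    sed "s/\"$old\"/\"$new\"/g" "$xml" > "$xml.new" && mv "$xml.new" "$xml"

    # Post-check: no reference to the old store may remain.
    [ "$(grep -c "$old" "$xml")" -eq 0 ] || return 3
    return 0
}

# Constructed sample standing in for the real server.xml; the element and attribute
# names here are assumptions for the demo, only the store-name strings are real.
make_sample_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server>
  <Service name="Catalina">
    <Connector SSLEnabled="true" certificateKeyAlias="__MACHINE_CERT" store="STS_INTERNAL_SSL_CERT"/>
    <Connector SSLEnabled="true" certificateKeyAlias="__MACHINE_CERT" store="STS_INTERNAL_SSL_CERT"/>
  </Service>
</Server>
EOF
}
```

Delete the STS_INTERNAL_SSL_CERT store only after the rewritten file has been restarted against successfully; the backup lets you roll back if vmware-stsd does not come up.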
This sounds promising, we will test and report. 😉
The SR: 21212630304
Today I had a phone call with support and he told me to use the fixsts script to repair this; it doesn't help...
Kind regards
Stefan
Problem solved: we only needed to modify the file /usr/lib/vmware-sso/vmware-sts/conf/server.xml and replace the 2 entries.
Thank you!