Hi,
I am unable to log in after changing the hostname and regenerating the self-signed SSL certificates. I am getting the error below in the logs.
I used the blog below to update the hostname, and as per my understanding it is the correct way to update the hostname.
When we SSH to the vCenter and check the logs, attached is one file (/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log):
[2019-06-06 14:13:16.189] [INFO ] http-bio-9443-exec-10 70000201 100006 ###### com.vmware.vise.security.DefaultAuthenticationProvider Authenticating user: root using authentication handler: com.vmware.vsphere.client.security.sso.SsoAuthenticationHandler@6f9dad3
[2019-06-06 14:13:16.254] [ERROR] http-bio-9443-exec-10 70000201 100006 ###### com.vmware.vise.vim.lookup.impl.LookupServiceImpl Error when creating lookup service com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate assertion not verified and thumbprint not matched
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:267)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:230)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:339)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:123)
…
Caused by: javax.net.ssl.SSLException: hostname in certificate didn't match: <xxxxxxxxxxxxvca.xxxxx.xxxxxxxxx.net> != <"ssoserver> OR <ndc2cnz03mspvca>
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)
at org.apache.http.conn.ssl.StrictHostnameVerifier.verify(StrictHostnameVerifier.java:61)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:149)
at com.vmware.vim.vmomi.client.http.impl.ThumbprintTrustManager$HostnameVerifier.verify(ThumbprintTrustManager.java:253)
The hostname does not match the new name, so the service will not start.
You need to regenerate the certificates and then validate whether the certificate was generated successfully with the new hostname.
From your description, you mentioned that you have tried regenerating the self-signed certificates. If that did not change the hostname in the certificates to the new one, you need to try a different way.
In an SSH session to the vSphere Center Server Appliance (VCSA), edit /etc/sysconfig/networking/devices/ifcfg-eth0 to ensure that the host has the correct name when network configuration occurs.
Insert this entry before the IP Address line:
HOSTNAME=hostname.fqdn
Where hostname.fqdn is the fully qualified VCSA hostname desired.
Save the file and exit the editor.
Use only one of these methods to change the VCSA hostname:
Run this command:
/opt/vmware/share/vami/vami_config_net
Change the hostname from the VAMI page directly by navigating to VCSA_IP:5480 in a Web browser, where VCSA_IP is the IP address of the VCSA.
Verify the hostname has changed using this command:
cat /etc/hosts
To prevent generation of new certificates every reboot, navigate to the VAMI page, click the Admin Tab, and press the Toggle Certificate Setting Button to set 'Certificate Regeneration Enabled' to no.
Manually generate the vCenter Server Appliance certificates by using the KB below:
https://kb.vmware.com/s/article/2070603 -> Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5
Thanks,
MS
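The validation step the answer above asks for, as an added example (not part of the original posts or of the VMware KB): list the names a regenerated certificate carries and compare them with the new FQDN, which is the comparison that fails in the logged SSLException. The certificate file, hostname and port are values the operator supplies; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: compare the names inside a certificate with the expected FQDN.

# Print the subject CN and all DNS subjectAltNames, lowercased, one per line.
cert_names() {
    {
        # Handles both "CN=host" and "CN = host" subject styles.
        openssl x509 -in "$1" -noout -subject 2>/dev/null |
            sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
        # SAN entries appear as "DNS:name, DNS:name" in the text dump.
        openssl x509 -in "$1" -noout -text 2>/dev/null |
            tr ', ' '\n\n' | sed -n 's/^DNS://p'
    } | tr 'A-Z' 'a-z' | sort -u
}

# Return 0 if any certificate name covers the host (case-insensitive).
cert_matches_host() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cert_names "$1" | (
        while read -r name; do
            [ "$name" = "$want" ] && exit 0
            case "$name" in
                \*.*)   # a wildcard covers exactly one left-most label
                    case "$want" in
                        *.*) [ "${want#*.}" = "${name#\*.}" ] && exit 0 ;;
                    esac ;;
            esac
        done
        exit 1
    )
}

# Save the certificate a running service presents (needs network access).
fetch_cert() {  # fetch_cert HOST PORT OUTFILE
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM >"$3"
}

# Usage: sh check_cert.sh CERT_FILE NEW_FQDN  (operator-supplied values)
if [ "$#" -eq 2 ]; then
    echo "Names in $1:"
    cert_names "$1" | sed 's/^/  /'
    if cert_matches_host "$1" "$2"; then
        echo "OK: certificate covers $2"
    else
        echo "MISMATCH: certificate does not cover $2"
        exit 1
    fi
fi
```

A certificate that lists only a short name fails this check against the FQDN, which is the situation the log above reports.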
Manual Regeneration of Certificates solved the issue
https://kb.vmware.com/s/article/2070603 -> Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5