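1. Symptoms
Login kept failing with an "incorrect username or password" message, although I had confirmed that the username and password were correct. A month earlier I had in fact already reset the certificate dates through the console and had seen the certificate date move to two years out. So I suspected that a certificate had expired.
I was in a hurry to clear the fault at the time, so I took no screenshots. Two images from the official site are quoted here instead.
2. Troubleshooting process
2.1 Confirm the cause
2.1.1 Log in to the vCenter command line
2.1.2 Check the certificate dates
Sure enough, the certificate expired in the early hours of today.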
root@pana-vc [ ~ ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list);do echo STORE $i;sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text|egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Sep 16 05:18:40 2024 GMT
STORE TRUSTED_ROOTS
Alias : 79f3d5a2a7ee50b15c6698c7c796b104ff2dc855
Not After : Oct 4 08:49:45 2028 GMT
Alias : f7083e9abad114d69d3bb1eb0657bb0f904c4a59
Not After : Oct 15 04:35:10 2030 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 8900883067e989a792fdd6aad2182d8ab965e7bc
Alias : be6990d6d91b1ec33f0b1a1d16acc1e4bcb71a14
STORE machine
Alias : machine
Not After : Oct 15 04:35:10 2030 GMT
STORE vsphere-webclient
Alias : vsphere-webclient
Not After : Oct 15 04:35:10 2030 GMT
STORE vpxd
Alias : vpxd
Not After : Sep 16 05:19:07 2024 GMT
STORE vpxd-extension
Alias : vpxd-extension
Not After : Oct 15 04:35:10 2030 GMT
STORE SMS
Alias : sms_self_signed
Not After : Oct 10 08:54:35 2028 GMT
STORE BACKUP_STORE
Alias : bkp___MACHINE_CERT
Not After : Oct 9 20:49:45 2020 GMT
Alias : bkp_machine
Not After : Oct 9 08:40:35 2020 GMT
Alias : bkp_vsphere-webclient
Not After : Oct 9 08:40:35 2020 GMT
Alias : bkp_vpxd
Not After : Oct 9 08:40:35 2020 GMT
Alias : bkp_vpxd-extension
Not After : Oct 9 08:40:36 2020 GMT
Alias : bkp__MACHINE_CERT
Not After : Oct 20 04:25:11 2022 GMT
STORE BACKUP_STORE_H5C
Alias : bkpmachine
Not After : Oct 20 04:26:33 2022 GMT
Alias : bkpvsphere-webclient
Not After : Oct 20 04:26:33 2022 GMT
Alias : bkpvpxd-extension
Not After : Oct 20 04:26:34 2022 GMT
Alias : bkpvpxd
Not After : Oct 20 04:26:34 2022 GMT
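One way to turn the listing above into an expiry report, as an added example (not code from the original post or from VMware): it parses the STORE / Alias / Not After lines and buckets each entry relative to a reference time. The function names, the 60-day warning window and the shortened sample built from a few entries of the listing are assumptions of this example.

```python
import re
import sys
from datetime import datetime, timedelta

# Constructed sample: a few entries in the STORE / Alias / Not After layout shown above.
SAMPLE = """\
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Sep 16 05:18:40 2024 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 8900883067e989a792fdd6aad2182d8ab965e7bc
STORE BACKUP_STORE
Alias : bkp_machine
Not After : Oct  9 08:40:35 2020 GMT
"""

LINE = re.compile(r"^\s*(STORE|Alias|Not After)\s*:?\s*(.+?)\s*$")

def parse_vecs_listing(text):
    """Return [store, alias, not_after] rows; not_after stays None for CRL entries."""
    rows, store = [], None
    for line in text.splitlines():
        m = LINE.match(line)
        key, value = m.groups() if m else (None, None)
        if key == "STORE":
            store = value
        elif key == "Alias":
            rows.append([store, value, None])
        elif key == "Not After" and rows:
            # Belongs to the most recent alias; times are GMT, kept as naive UTC.
            rows[-1][2] = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
    return rows

def classify(rows, now, warn_days=60):
    # Buckets: expired, expiring (within warn_days), ok, no_date (no Not After line).
    report = {"expired": [], "expiring": [], "ok": [], "no_date": []}
    for store, alias, not_after in rows:
        if not_after is None:
            bucket = "no_date"
        elif not_after <= now:
            bucket = "expired"
        elif not_after - now <= timedelta(days=warn_days):
            bucket = "expiring"
        else:
            bucket = "ok"
        report[bucket].append((store, alias))
    return report

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(classify(parse_vecs_listing(text), datetime.utcnow()))
```

Piping the loop's output into the script gives the same report for a live appliance. The STS signing certificate is not part of this listing and is checked separately with checksts.py.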
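2.2 Fixing the fault
2.2.1 Preparing the tools
Two tools are needed. At the time I kept searching the body of the KB articles for the download links to these two files and wasted a lot of time; the download link is actually on the right-hand side of the page.
If you really cannot find them, you can use my Baidu Netdisk share.
Link: https://pan.baidu.com/s/1PCOP_PQ6HXe-5hdRWG4LlA?pwd=MQiu
Extraction code: MQiu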
2.2.1.1 checksts.py
https://kb.vmware.com/s/article/79248
2.2.1.2 fixsts.sh
https://kb.vmware.com/s/article/76719
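2.2.1.3 Uploading the tools
WinSCP kept reporting errors; there also seems to be an official KB on how to resolve that. Once I saw the WinSCP errors I simply gave up on it and uploaded with another service instead.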
# scp checksts.py fixsts.sh 192.168.101.200:/root
2.2.2 Check the certificate dates
# cd /root
# python checksts.py
# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list);do echo STORE $i;sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text|egrep "Alias|Not After"; done
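This confirmed that the certificate had expired.
2.2.3 Renew the certificate
# chmod +x fixsts.sh
# ./fixsts.sh
Note!!!
Here you have to enter the vCenter console login password once (the script prompts for administrator@vsphere.local). The first time I got it wrong and entered the vCenter root password, which caused the services to fail to start.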
root@pana-vc [ ~ ]# ./fixsts.sh
NOTE: This works on external and embedded PSCs
This script will do the following
1: Regenerate STS certificate
What is needed?
1: Offline snapshots of VCs/PSCs
2: SSO Admin Password
IMPORTANT: This script should only be run on a single PSC per SSO domain
==================================
Resetting STS certificate for pana-vc.pana.dc started on Fri Oct 21 01:08:07 UTC 2022
Detected DN: cn=192.168.101.200,ou=Domain Controllers,dc=vsphere,dc=local
Detected PNID: 192.168.101.200
Detected PSC: 192.168.101.200
Detected SSO domain name: vsphere.local
Detected Machine ID: c3d30267-b3c9-4108-8580-54a6890b4133
Detected IP Address: 192.168.101.200
Domain CN: dc=vsphere,dc=local
==================================
==================================
Detected Root's certificate expiration date: 2030 Oct 15
Detected today's date: 2022 Oct 21
==================================
Exporting and generating STS certificate
Status : Success
Using config file : /tmp/vmware-fixsts/certool.cfg
Status : Success
Enter password for administrator@vsphere.local:
Highest tenant credentials index : 1
Exporting tenant 1 to /tmp/vmware-fixsts
Deleting tenant 1
Highest trusted cert chains index: 1
Exporting trustedcertchain 1 to /tmp/vmware-fixsts
Deleting trustedcertchain 1
Applying newly generated STS certificate to SSO domain
adding new entry "cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"
adding new entry "cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"
Replacement finished - Please restart services on all vCenters and PSCs in your SSO domain
==================================
IMPORTANT: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure
==================================
==================================
2.2.4 Restart the services
2.2.4.1 Stop all services
root@pana-vc [ ~ ]# service-control --stop --all
Perform stop operation. vmon_profile=ALL, svc_names=None, include_coreossvcs=True, include_leafossvcs=True
2022-10-21T00:51:44.164Z Service vmware-vmon does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T00:53:46.043Z Done running commandsbin/service', u'vmware-vmon', 'stop']
2022-10-21T00:53:46.043Z Successfully stopped service vmware-vmon
Successfully stopped vmon services. Profile ALL.
2022-10-21T00:53:46.054Z Service vmware-psc-client does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T00:53:46.054Z Running command: ['/sbin/service', u'vmware-psc-client', 'status']
2022-10-21T00:53:46.700Z Done running command
Successfully stopped service vmware-psc-client
2022-10-21T00:53:48.889Z Service vmdnsd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T00:53:48.889Z Running command: ['/sbin/service', u'vmdnsd', 'status']
2022-10-21T00:53:49.349Z Done running command
Successfully stopped service vmdnsd
2022-10-21T00:53:49.506Z Service vmware-stsd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T00:53:49.507Z Running command: ['/sbin/service', u'vmware-stsd', 'status']
2022-10-21T00:53:49.959Z Done running command
Successfully stopped service vmware-stsd
2022-10-21T00:53:54.357Z Service vmware-sts-idmd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T00:53:54.357Z Running command: ['/sbin/service', u'vmware-sts-idmd', 'status']
2022-10-21T00:53:54.636Z Done running command
Successfully stopped service vmware-sts-idmd
2022-10-21T00:53:55.722Z Service vmcad does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T00:53:55.722Z Running command: ['/sbin/service', u'vmcad', 'status']
2022-10-21T00:53:56.223Z Done running command
Successfully stopped service vmcad
2022-10-21T00:53:56.333Z Service vmdird does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T00:53:56.333Z Running command: ['/sbin/service', u'vmdird', 'status']
2022-10-21T00:53:56.696Z Done running command
Successfully stopped service vmdird
2022-10-21T00:53:56.808Z Service vmafdd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T00:53:56.808Z Running command: ['/sbin/service', u'vmafdd', 'status']
2022-10-21T00:53:57.406Z Done running command
Successfully stopped service vmafdd
2022-10-21T00:53:57.603Z Service lwsmd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T00:53:57.603Z Running command: ['/sbin/service', u'lwsmd', 'status']
2022-10-21T00:53:58.235Z Done running command
Successfully stopped service lwsmd
2.2.4.2 Start all services
root@pana-vc [ ~ ]# service-control --start --all
Perform start operation. vmon_profile=ALL, svc_names=None, include_coreossvcs=True, include_leafossvcs=True
2022-10-21T01:08:47.990Z Running command: ['/usr/bin/systemctl', 'is-enabled', u'lwsmd']
2022-10-21T01:08:47.995Z Done running command
2022-10-21T01:08:47.999Z Service lwsmd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T01:08:47.999Z Running command: ['/sbin/service', u'lwsmd', 'status']
2022-10-21T01:08:48.041Z Done running command
Successfully started service lwsmd
2022-10-21T01:08:48.050Z Running command: ['/usr/bin/systemctl', 'is-enabled', u'vmafdd']
2022-10-21T01:08:48.062Z Done running command
2022-10-21T01:08:48.067Z Service vmafdd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T01:08:48.067Z Running command: ['/sbin/service', u'vmafdd', 'status']
2022-10-21T01:08:48.104Z Done running command
Successfully started service vmafdd
2022-10-21T01:08:48.108Z Running command: ['/usr/bin/systemctl', 'is-enabled', u'vmdird']
2022-10-21T01:08:48.119Z Done running command
2022-10-21T01:08:48.123Z Service vmdird does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T01:08:48.123Z Running command: ['/sbin/service', u'vmdird', 'status']
2022-10-21T01:08:48.162Z Done running command
Successfully started service vmdird
2022-10-21T01:08:48.168Z Running command: ['/usr/bin/systemctl', 'is-enabled', u'vmcad']
2022-10-21T01:08:48.180Z Done running command
2022-10-21T01:08:48.188Z Service vmcad does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T01:08:48.188Z Running command: ['/sbin/service', u'vmcad', 'status']
2022-10-21T01:08:48.229Z Done running command
Successfully started service vmcad
2022-10-21T01:08:48.236Z Running command: ['/usr/bin/systemctl', 'is-enabled', u'vmware-sts-idmd']
2022-10-21T01:08:48.247Z Done running command
2022-10-21T01:08:48.251Z Service vmware-sts-idmd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T01:08:48.251Z Running command: ['/sbin/service', u'vmware-sts-idmd', 'status']
2022-10-21T01:08:48.287Z Done running command
Successfully started service vmware-sts-idmd
2022-10-21T01:08:48.291Z Running command: ['/usr/bin/systemctl', 'is-enabled', u'vmware-stsd']
2022-10-21T01:08:48.304Z Done running command
2022-10-21T01:08:48.308Z Service vmware-stsd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T01:08:48.308Z Running command: ['/sbin/service', u'vmware-stsd', 'status']
2022-10-21T01:08:48.344Z Done running command
Successfully started service vmware-stsd
2022-10-21T01:08:48.348Z Running command: ['/usr/bin/systemctl', 'is-enabled', u'vmdnsd']
2022-10-21T01:08:48.354Z Done running command
2022-10-21T01:08:48.357Z Service vmdnsd does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T01:08:48.357Z Running command: ['/sbin/service', u'vmdnsd', 'status']
2022-10-21T01:08:48.390Z Done running command
Successfully started service vmdnsd
2022-10-21T01:08:48.398Z Running command: ['/usr/bin/systemctl', 'is-enabled', u'vmware-psc-client']
2022-10-21T01:08:48.409Z Done running command
2022-10-21T01:08:48.412Z Service vmware-psc-client does not seem to be registered with vMon. If this is unexpected please make sure your service config is a valid json. Also check vmon logs for warnings.
2022-10-21T01:08:48.412Z Running command: ['/sbin/service', u'vmware-psc-client', 'status']
2022-10-21T01:08:48.453Z Done running command
Successfully started service vmware-psc-client
Successfully started vmon services. Profile ALL.
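Earlier, because of the wrong password, startup produced the error below. When you see this error, it generally means the password was entered incorrectly during the earlier fixsts run; confirm again that it is the console password, not the SSH root password.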
root@pana-vc [ ~ ]# service-control --start --all
(output omitted)
Service-control failed. Error Failed to start vmon services.vmon-cli RC=1, stderr=Failed to start vapi-endpoint, vpxd-svcs, cm services. Error: Operation timed out
3. Resolution
At this point there are no more EXPIRED certificates, as the output shows.
root@pana-vc [ ~ ]# python checksts.py
2 VALID CERTS
================
LEAF CERTS:
[] Certificate 33:87:6B:66:90:ED:24:90:23:66:54:B3:65:EF:8F:68:C5:6F:5C:64 will expire in 730 days (2.0 years).
ROOT CERTS:
[] Certificate F7:08:3E:9A:BA:D1:14:D6:9D:3B:B1:EB:06:57:BB:0F:90:4C:4A:59 will expire in 2916 days (7.0 years).
0 EXPIRED CERTS
================
LEAF CERTS:
None
ROOT CERTS:
None
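vCenter login now works normally. In the vCenter configuration you can see that the STS certificate date is now two years out.
This completes the vCenter certificate renewal.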
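Link to this article: https://hqyman.cn/post/8700.html Articles not original to this site may be freely reposted; original articles must keep this site's address when reposted!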