VxRail:vCenter 上的证书更新后无法启动 vmware-vpxd 服务
摘要: VxRail:在 vCenter 上重置或更新证书后,无法在 vCenter 上启动 vmware-vpxd 服务。 使用 vCenter 证书管理器重置所有 SSL 证书后,无法启动 vCenter 关键服务。
症状
使用 vCenter Certificate Manager 重置所有 SSL 证书后,vCenter 关键服务无法启动。
更新 vCenter 证书并检查正在运行的服务后, vmware-vpxd以及 vmware-content-library 未运行。
root@vcenter [ ~ ]# service-control --status --all StartPending: vmware-vapi-endpoint vmware-vpxd-svcs Running: applmgmt lwsmd vmafdd vmware-analytics vmware-cm vmware-eam vmware-postgres-archiver vmware-rhttpproxy vmware-statsmonitor vmware-vmon vmware-vpostgres vsphere-client vsphere-ui Stopped: vmcam vmonapi vmware-certificatemanagement vmware-content-library vmware-imagebuilder vmware-mbcs vmware-netdumper vmware-perfcharts vmware-pod vmware-rbd-watchdog vmware-sca vmware-sps vmware-topologysvc vmware-updatemgr vmware-vcha vmware-vpxd vmware-vsan-health vmware-vsm vsan-dps
尝试启动 vmware-vpxd 服务时,您会收到类似于以下内容的错误:
root@vcenter [ ~ ]# service-control --start vmware-vpxd
Operation not cancellable. Please wait for it to finish...
Performing start operation on service vpxd...
Error executing start on service vpxd. Details {
"componentKey": null,
"detail": [
{
"id": "install.ciscommon.service.failstart",
"translatable": "An error occurred while starting service '%(0)s'",
"args": [
"vpxd"
],
"localized": "An error occurred while starting service 'vpxd'"
}
],
"resolution": null,
"problemId": null
}
Service-control failed. Error: {
"componentKey": null,
"detail": [
{
"id": "install.ciscommon.service.failstart",
"translatable": "An error occurred while starting service '%(0)s'",
"args": [
"vpxd"
],
"localized": "An error occurred while starting service 'vpxd'"
}
],
"resolution": null,
"problemId": null
}
/var/log/vmware/vmon/vmon-syslog.log 中的 vCenter:
2021-11-08T09:39:38.271729+00:00 warning vmon ssl.CertificateError: hostname 'psc.xxxx.eg' doesn't match 'psc.xxx.xxx.eg' 2021-11-08T09:40:24.574482+00:00 notice vmon <rhttpproxy-healthcmd> Constructed command: /usr/bin/python /usr/lib/vmware-rhttpproxy/rhttpproxy-vmon-apihealth.py 2021-11-08T09:40:24.574698+00:00 notice vmon <vapi-endpoint> Skip service health check. State STOPPED, Curr request 0 2021-11-08T09:40:24.574854+00:00 notice vmon <vcha> Skip service health check. State STOPPED, Curr request 0 2021-11-08T09:40:24.574997+00:00 notice vmon <vmware-vpostgres-healthcmd> Constructed command: /usr/bin/python /usr/lib/vmware-vmon/vmonApiHealthCmd.py -n vmware-vpostgres -f /dev/shm/vmware-postgres-health-status.xml 2021-11-08T09:40:24.816621+00:00 notice vmon <vpxd-svcs> Skip service health check. State STOPPED, Curr request 0
/storage/log/vmware/vpxd-svcs/vpxd-svcs.log 中的 vCenter:
2021-11-08T07:37:03.716Z [Thread-9 WARN com.vmware.cis.server.util.impl.InitPoolTask opId=] Init pool encountered exception: com.vmware.cis.server.util.exception.VpxdClientException at attempt 19 2021-11-08T07:37:23.725Z [Thread-9 INFO com.vmware.vim.sso.client.impl.SiteAffinityServiceDiscovery opId=] Site affinity is disabled 2021-11-08T07:37:23.750Z [Thread-9 ERROR com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] Error communicating to the remote server https://urldefense.com/v3/__https://psc.xxx.eg/sts/STSService/vsphere.local__;!!LpKI!zizBGmTnALcYXLnWIITladCn-NgryRjl_R2ufCq4LGkURpqvXMuRNpET1ze8_DkPVm9P9UE4Cw$ [psc[.]xxx[.]gov[.]eg] com.sun.xml.internal.ws.client.ClientTransportException: HTTP transport error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative DNS name matching psc.xxx.eg found.
原因
如果存在 DNS 问题,则在升级 vCenter 证书时会出现此问题。在 DNS 服务器上配置了 PSC (Platform Service Controller) 的相同 IP 的两个记录。
解决方案
1.检查是否存在 DNS 记录不匹配和 DNS 连接。
2.确保每个虚拟机 IP(vCenter、PSC 和 VXM)在域中都具有匹配的单个 FQDN。
3.如果同一 IP 存在任何重复的 NS 记录,则应删除不必要的 NS 记录。
注意:要检查每个基于 Redhat 的 Linux 虚拟机上的 DNS 服务器配置,请参阅 /etc/resolv.conf 。
4.通过在 vCenter 虚拟机命令行界面上运行以下命令行,确保 vCenter 证书未过期:
root@vcenter [ ~ ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
命令输出应类似于以下内容:
STORE MACHINE_SSL_CERT Alias : __MACHINE_CERT Not After : Oct 29 12:42:18 2031 GMT STORE TRUSTED_ROOTS Alias : 50932a13985d9c33aa386868f12ba0da57f5eaff Not After : Oct 21 21:28:25 2029 GMT Alias : 32c621e354a974e2b0c31abe17fdf4beedba113d Not After : Oct 29 11:29:49 2031 GMT Alias : 342b168f6ab63a8facde75e187f8ab0a22a857e7 Not After : Oct 29 12:42:18 2031 GMT Alias : f5e20d029d8d7e3cda69079fcddc0cb5aa4d00b3 Not After : Nov 3 10:41:37 2031 GMT STORE TRUSTED_ROOT_CRLS Alias : c4268b466f6dcefaff95ea32c85d9498819a9d9c Alias : fda5f1c260738901752aaa0bcea5758d82e42ee6 Alias : e843a42ee0a5903a099c21cabf2d8b14747adf1e Alias : f3721159c59455451478b401f80d23f996f40322 STORE machine Alias : machine Not After : Oct 29 12:42:18 2031 GMT STORE vsphere-webclient Alias : vsphere-webclient Not After : Oct 29 12:42:18 2031 GMT STORE vpxd Alias : vpxd Not After : Oct 29 12:42:18 2031 GMT STORE vpxd-extension Alias : vpxd-extension Not After : Oct 29 12:42:18 2031 GMT STORE SMS Alias : sms_self_signed Not After : Oct 27 21:47:48 2029 GMT STORE APPLMGMT_PASSWORD STORE data-encipherment Alias : data-encipherment Not After : Oct 21 21:28:25 2029 GMT STORE BACKUP_STORE
5.如果有任何过期的证书,请参阅 KBVxRail:由于证书过期,无法登录 vCenter(客户可纠正)来更新过期的证书。
6.在 PSC 上, 将本地主机名与存储在MACHINE_SS中的名称进行比较
/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhostOutput should be similar to following: psc.xxx.eg /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store MACHINE_SSOutput should be similar to following: X509v3 Subject Alternative Name: email:email@acme.com, DNS:psc.xxx.eg
7.比较上面的输出。如果不匹配(例如在编辑 DNS 记录之前在 DNS 服务器上缓存的 DNS:psc.xxx.eg.xxx.eg),则继续执行后续步骤。
通过 SSH 连接到 PSC 虚拟机,并通过运行以下命令启动证书管理器:
root@psc [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
使用选项 8 -> 8。重置所有证书。
遵循以下步骤:
确认“是否要使用配置文件生成所有证书:选项 [Y/N]”
输入凭据
输入值
将“IPAddress”字段留空
在“Hostname”中输入 PSC 的 FQDN
VMCA“Name”字段是要创建的新根 CA 的名称(例如“VxRail CA”)
确认“Continue operation: Option[Y/N] ?”
确认“Continue operation: Option[Y/N] ?”
重新启动 PSC 和 vCenter 上的所有服务
service-control --stop --all service-control --start --all
8.确保 vCenter 关键服务已启动并运行:
root@vcenter [ ~ ]# service-control --status --allRunning: applmgmt lwsmd vmafdd vmonapi vmware-analytics vmware-certificatemanagement vmware-cm vmware-content-library vmware-eam vmware-perfcharts vmware-postgres-archiver vmware-rhttpproxy vmware-sca vmware-sps vmware-statsmonitor vmware-topologysvc vmware-vapi-endpoint vmware-vmon vmware-vpostgres vmware-vpxd vmware-vpxd-svcs vmware-vsan-health vmware-vsm vsphere-client vsphere-ui Stopped: vmcam vmware-imagebuilder vmware-mbcs vmware-netdumper vmware-pod vmware-rbd-watchdog vmware-updatemgr vmware-vcha vsan-dps
受影响的产品
VxRail Software推荐本站淘宝优惠价购买喜欢的宝贝:
本文链接:https://hqyman.cn/post/9377.html 非本站原创文章欢迎转载,原创文章需保留本站地址!
微信支付宝扫一扫,打赏作者吧~休息一下~~
萌ICP备20248119号
