Overview
The "ten-year term" has now come due for early VMware users, and all kinds of login problems, certificate errors and alarms are surfacing one after another, mostly on versions 6.5 through 7.0. A VMware server virtualization environment involves many certificates of several types, and renewing them in practice turns up all sorts of strange problems; some of the pitfalls cost a great deal of troubleshooting time, and in the worst cases I saw the following error a dozen times in a single day 😂
Reset status : 85% Completed [starting services...]
Error while starting services, please see service-control log for more details
Status : 0% Completed [Reset operation failed]
please see /var/log/vmware/vmcad/certificate-manager.log for more information.
This post collects a recent renewal case together with problems I have handled before, for reference only.
Certificate types
A running vCenter environment mainly contains the following certificates, and every one of them needs to be assessed when a full certificate renewal is required:
- CA root certificate: the certificate authority that signs the certificates of the other components; no other certificate's validity can extend beyond the root's
- SSL certificate: used for the machine's secure SSL connections, i.e. the vCenter host's HTTPS traffic (Web UI, API access)
- Solution user certificates
- STS certificate: used by vCenter SSO (Single Sign-On) for authentication and token signing; it is renewed differently from the other certificates
- Host certificates: used for mutual authentication between vCenter and each ESXi host once the host is managed by vCenter
Certificate renewal case on a vCenter 6.7 environment
Not long ago I renewed everything from the root password to every associated certificate on a VCSA 6.7 deployed purely by IP address. It is a representative and convincing case: on one hand, 6.7 and 7.0 environments are probably the main population that needs certificate renewal right now; on the other, 6.7 is more complicated for some operations because of environmental factors, which makes it all the more worth walking through.
One point deserves emphasis: online and official articles are almost all based on vCenters deployed with a domain name, and IP-only deployments are essentially absent. Below, a lab environment is used to reproduce a certificate renewal case from a production environment a few days earlier.
Overview of the original production environment:
- VCSA deployed by IP address
- Deployed in 2015, in use for a full 10 years
- STS, host and other certificate alarms had recently begun appearing in vCenter
- The root account could no longer log in
The tools referred to in this post are in the attachments. Complete a backup and take a snapshot before starting!
Resetting the root password
The customer had essentially never used the root account, so it was, as expected, locked; the first step is therefore to reset root.
Reboot the VCSA and, at the boot menu shown below, press "e" to edit the boot entry.
In the boot entry, append rw init=/bin/bash after consoleblank=0, as in the figure below, then press F10 to boot.
In the resulting shell, reset the root password directly with passwd:
## Reset the root password
root [/]# passwd
## Reboot
root [/]# umount /
root [/]# reboot -f
The default root password expiry is 90 days; if you do not want to change it that often, adjust the number of days with passwd -x. In the case below the period was changed to 10 years.
STS certificate renewal
Once vCenter has started normally, SSH into it with a CLI tool and run shell to enter BASH.
First run chsh -s /bin/bash root so that WinSCP lands in BASH automatically on connection; otherwise the connection fails with an error.
Connected to service
* List APIs: "help api list"
* List Plugins: "help pi list"
* Launch BASH: "shell"
Command>
Command> shell
Shell access is granted to root
root@photon-machine [ ~ ]#
root@photon-machine [ ~ ]# chsh -s /bin/bash root
Open WinSCP, enter the connection details and connect.
Navigate to /tmp and drag in the scripts and tools that may be needed.
Enter /tmp and run the check script to inspect the current STS certificate status:
root@photon-machine [ ~ ]# cd /tmp
root@photon-machine [ /tmp ]# python checksts.py
2 VALID CERTS
================
LEAF CERTS:
[] Certificate 82:BE:A4:FD:2A:4F:D5:00:0B:7E:5A:0C:D8:59:8F:8F:FF:53:D7:A1 will expire in 3643 days (10 years).
ROOT CERTS:
[] Certificate 40:3B:B4:97:41:B8:22:3C:9E:C4:67:03:1B:46:D8:6D:C9:13:3E:AB will expire in 3643 days (10 years).
0 EXPIRED CERTS
================
LEAF CERTS:
None
ROOT CERTS:
None
root@photon-machine [ /tmp ]#
Run the fixsts script to renew automatically:
root@photon-machine [ /tmp ]# chmod +x fixsts.sh
root@photon-machine [ /tmp ]# ./fixsts.sh
NOTE: This works on external and embedded PSCs
This script will do the following
1: Regenerate STS certificate
What is needed?
1: Offline snapshots of VCs/PSCs
2: SSO Admin Password
IMPORTANT: This script should only be run on a single PSC per SSO domain
==================================
Resetting STS certificate for photon-machine started on Sat Jun 14 16:43:54 UTC 2025
Detected DN: cn=10.102.102.55,ou=Domain Controllers,dc=vsphere,dc=local
Detected PNID: 10.102.102.55
Detected PSC: 10.102.102.55
Detected SSO domain name: vsphere.local
Detected Machine ID: 660063d0-76b8-4013-82f1-c40a54e6d252
Detected IP Address: 10.102.102.55
Domain CN: dc=vsphere,dc=local
==================================
==================================
Detected Root's certificate expiration date: 2035 Jun 5
Detected today's date: 2025 Jun 14
==================================
Exporting and generating STS certificate
Status : Success
Using config file : /tmp/vmware-fixsts/certool.cfg
Status : Success
Enter password for administrator@vsphere.local:
Amount of tenant credentials: 1
Exporting tenant 1 to /tmp/vmware-fixsts
Deleting tenant 1
Amount of trustedcertchains: 1
Exporting trustedcertchain 1 to /tmp/vmware-fixsts
Deleting trustedcertchain 1
Applying newly generated STS certificate to SSO domain
adding new entry "cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"
adding new entry "cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"
Replacement finished - Please restart services on all vCenters and PSCs in your SSO domain
==================================
IMPORTANT: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure
==================================
==================================
root@photon-machine [ /tmp ]#
After renewal, run the check script again. If the output looks wrong, the following command dumps the details of the STS certificate so they can be confirmed; it prompts for the LDAP password, i.e. the SSO administrator credentials:
DMN="$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost)"; DMN_DN="dc=$(echo "$DMN" | sed -e 's/\./\,dc=/g')"; ldapsearch -H ldap://localhost -D "cn=administrator,cn=users,$DMN_DN" -W -b "cn=tenantcredential-1,cn=$DMN,cn=Tenants,cn=IdentityManager,cn=Services,$DMN_DN" userCertificate -o ldif-wrap=no | sed -s -n '11p' | sed 's/userCertificate:: //' | awk '{print "-----BEGIN CERTIFICATE-----\n"$0"\n-----END CERTIFICATE-----"}'|openssl x509 -noout -text -in /dev/stdin
Finally, restart all services.
VMCA certificate renewal (CA root, SSL and other certificates)
This is the core of the renewal. First query the state of the certificates currently in VMCA with the command below; it should agree with what the Web UI shows (if they have not yet expired):
root@photon-machine [ /tmp ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Jun 10 19:02:40 2027 GMT
STORE TRUSTED_ROOTS
Alias : 403bb49741b8223c9ec467031b46d86dc9133eab
Not After : Jun 5 07:02:40 2035 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 02192decad8481f819ffe52cd7c709c8f94b525f
Alias : 216edf2bf306d42ba42d17bbea1cd282abcc3da1
STORE machine
Alias : machine
Not After : Jun 10 06:53:24 2027 GMT
STORE vsphere-webclient
Alias : vsphere-webclient
Not After : Jun 10 06:53:25 2027 GMT
STORE vpxd
Alias : vpxd
Not After : Jun 10 06:53:25 2027 GMT
STORE vpxd-extension
Alias : vpxd-extension
Not After : Jun 10 06:53:26 2027 GMT
STORE APPLMGMT_PASSWORD
STORE data-encipherment
Alias : data-encipherment
Not After : Jun 10 06:55:15 2027 GMT
STORE SMS
Alias : sms_self_signed
Not After : Jun 10 07:07:18 2035 GMT
root@photon-machine [ /tmp ]#
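The vecs-cli loop above only prints dates; what an operator actually wants to know is which store is about to expire. The following POSIX shell script is an added example, not from the post or from VMware's tooling: it turns that Alias / Not After listing into an expiry report with a threshold, so that expiring and already expired entries stand out before the Web UI starts alarming. It assumes GNU date (as on the VCSA's Photon OS) to parse the Not After timestamps; the sample listing is constructed in the same format, with the "machine" and "vpxd" dates altered to exercise the warning paths.

```shell
#!/bin/sh
# Added example: expiry report over a VECS listing. Not VMware code.
# Assumes GNU date (-d) for parsing "Not After" timestamps.

# Constructed sample in the format printed by the vecs-cli loop in the post;
# the "machine" and "vpxd" dates were changed to exercise the warning paths.
SAMPLE_VECS='STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Jun 10 19:02:40 2027 GMT
STORE TRUSTED_ROOTS
Alias : 403bb49741b8223c9ec467031b46d86dc9133eab
Not After : Jun 5 07:02:40 2035 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 02192decad8481f819ffe52cd7c709c8f94b525f
STORE machine
Alias : machine
Not After : Jun 30 06:53:24 2025 GMT
STORE vpxd
Alias : vpxd
Not After : Jun 10 06:53:25 2025 GMT
STORE APPLMGMT_PASSWORD
STORE data-encipherment
Alias : data-encipherment
Not After : Jun 10 06:55:15 2027 GMT'

# vecs_expiry_report <threshold_days> <now_epoch>
# Reads a listing on stdin and prints one line per certificate:
#   <OK|EXPIRING|EXPIRED> <store> <alias> <days_left>
# The reference time is a parameter so the output is reproducible.
vecs_expiry_report() {
  threshold=$1
  now=$2
  store=""
  alias=""
  while IFS= read -r line; do
    case "$line" in
      STORE*)
        store=$(printf '%s' "$line" | sed 's/^STORE[[:space:]]*//')
        alias="" ;;
      Alias*)
        alias=$(printf '%s' "$line" | sed 's/^Alias[[:space:]]*:[[:space:]]*//') ;;
      "Not After"*)
        notafter=$(printf '%s' "$line" | sed 's/^Not After[[:space:]]*:[[:space:]]*//')
        exp=$(date -u -d "$notafter" +%s 2>/dev/null) || continue
        days=$(( (exp - now) / 86400 ))
        if [ "$days" -lt 0 ]; then
          status=EXPIRED
        elif [ "$days" -le "$threshold" ]; then
          status=EXPIRING
        else
          status=OK
        fi
        printf '%s %s %s %s\n' "$status" "$store" "$alias" "$days" ;;
    esac
  done
}

# vecs_problem_count <threshold_days> <now_epoch>: number of EXPIRING/EXPIRED
# entries, usable as a cron or monitoring exit criterion.
vecs_problem_count() {
  vecs_expiry_report "$1" "$2" | grep -c -v '^OK '
}

# Stand-alone run over the sample. On a VCSA, pipe the live listing instead:
#   for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do ...; done \
#     | vecs_expiry_report 30 "$(date +%s)"
printf '%s\n' "$SAMPLE_VECS" | vecs_expiry_report 30 "$(date +%s)"
```

Stores without a Not After line (APPLMGMT_PASSWORD, the CRL store) are skipped rather than reported as errors, and the 30-day threshold is deliberately a parameter: for the root CA you would want a much longer lead time, because every leaf certificate has to be re-issued when it is replaced.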
Before renewing, confirm the following:
- The current hostname and PNID. On an FQDN-deployed vCenter these two values must match; if they differ, change them as described later in this post. IP-only deployments have no hard requirement.
- The vCenter's hosts file. On an FQDN deployment, confirm whether there is a record for the current IP and FQDN and fix anything abnormal; in every deployment, note down every IP and name that appears in the hosts file.
root@photon-machine [ /tmp ]# hostname
photon-machine
root@photon-machine [ /tmp ]#
root@photon-machine [ /tmp ]# /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
10.102.102.55
root@photon-machine [ /tmp ]#
root@photon-machine [ /tmp ]# cat /etc/hosts
# Begin /etc/hosts (network card version)
127.0.0.1 localhost.localdomain
127.0.0.1 localhost
127.0.0.1 photon-machine
# End /etc/hosts (network card version)
root@photon-machine [ /tmp ]#
Run /usr/lib/vmware-vmca/bin/certificate-manager to enter VMCA and choose 8 to re-sign all certificates.
Supply the certificate information the wizard asks for. This step is the key of keys; note the following:
- In general, answer Y and move on
- Fill in the geographic fields, including Country, State and Locality, according to your actual situation
- For IPAddress, enter both the IP and 127.0.0.1
- Important! For Hostname, on an FQDN deployment entering the full domain name is generally enough; on an IP deployment, enter every name and IP record seen in the hosts file. In many scenarios, using only the IP causes services to fail to start!
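The checklist above says to record every name and IP in the hosts file, and the Hostname note says to feed all of them to the wizard. The following shell helpers are an added example, not part of VMware's certificate-manager: they derive the Hostname and IPAddress answers from hosts-file text plus the PNID, and, after the reset, verify that the certificate actually issued carries every one of those subjectAltName entries, which is the check that catches the "only the IP" failure mode before services are restarted. The sample hosts file is constructed to mirror the IP-only VCSA in the post; the SAN check assumes OpenSSL 1.1.1 or later for openssl x509 -ext.

```shell
#!/bin/sh
# Added example: build the certificate-manager Hostname/IPAddress answers from
# /etc/hosts and check the issued certificate covers them. Not VMware code.
# Assumes OpenSSL 1.1.1+ for `openssl x509 -ext subjectAltName`.

# Constructed sample mirroring the IP-only VCSA hosts file in the post.
SAMPLE_HOSTS='# Begin /etc/hosts (network card version)
127.0.0.1 localhost.localdomain
127.0.0.1 localhost
127.0.0.1 photon-machine
# End /etc/hosts (network card version)'

# hosts_san_list <pnid>: reads hosts-file text on stdin and prints the comma-separated
# Hostname answer: every name in the file, then the PNID, then every address,
# deduplicated in first-seen order.
hosts_san_list() {
  pnid=$1
  entries=$(sed 's/#.*//' | awk 'NF')          # drop comments and blank lines
  {
    printf '%s\n' "$entries" | awk '{ for (i = 2; i <= NF; i++) print $i }'
    printf '%s\n' "$pnid"
    printf '%s\n' "$entries" | awk '{ print $1 }'
  } | awk '!seen[$0]++' | paste -sd, -
}

# hosts_ip_list <pnid>: the IPAddress answer (PNID plus every address in hosts).
hosts_ip_list() {
  pnid=$1
  { printf '%s\n' "$pnid"; sed 's/#.*//' | awk 'NF { print $1 }'; } \
    | awk '!seen[$0]++' | paste -sd, -
}

# cert_san_missing <cert.pem> <expected_csv>: prints every expected entry that is
# absent from the certificate's subjectAltName; returns 1 if any is missing.
# Run it against the new Machine SSL certificate before restarting services.
cert_san_missing() {
  present=$(openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//; s/^DNS://; s/^IP Address://')
  rc=0
  for want in $(printf '%s' "$2" | tr ',' ' '); do
    if ! printf '%s\n' "$present" | grep -qxF "$want"; then
      echo "missing SAN: $want"
      rc=1
    fi
  done
  return $rc
}

# Stand-alone run: print the two wizard answers for the sample hosts file.
printf '%s\n' "$SAMPLE_HOSTS" | hosts_san_list 10.102.102.55
printf '%s\n' "$SAMPLE_HOSTS" | hosts_ip_list 10.102.102.55
```

On the appliance the input would be `cat /etc/hosts` and the PNID would come from `vmafd-cli get-pnid --server-name localhost`, and the certificate to check is the one exported from the MACHINE_SSL_CERT store; an entry reported as missing is exactly a name that some component will later fail to match on.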
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] : CN
Enter proper value for 'Name' [Default value : CA] : CA
Enter proper value for 'Organization' [Default value : VMware] :
Enter proper value for 'OrgUnit' [Default value : VMware Engineering] :
Enter proper value for 'State' [Default value : California] :Jiangsu
Enter proper value for 'Locality' [Default value : Palo Alto] :Suzhou
## Enter the relevant IP information
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 10.102.102.55,127.0.0.1
Enter proper value for 'Email' [Default value : email@acme.com] :
## Provide every relevant hostname and IP
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : localhost.localdomain,localhost,photon-machine,10.102.102.55,127.0.0.1
Enter proper value for VMCA 'Name' :VMCA-New
Continue operation : Option[Y/N] ? : y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Get site name
Completed [Reset Machine SSL Cert...]
default-site
Lookup all services
Get service default-site:13689399-d4bf-41d0-a54f-3ead3d35235b
Update service default-site:13689399-d4bf-41d0-a54f-3ead3d35235b; spec: /tmp/svcspec_lrchgbz6
Get service default-site:f03dccff-f154-4328-ac48-ae43416b7543
Update service default-site:f03dccff-f154-4328-ac48-ae43416b7543; spec: /tmp/svcspec_nkmsde0z
Get service default-site:100d1ab0-000b-48b7-bca8-a40d4bcde98c
Update service default-site:100d1ab0-000b-48b7-bca8-a40d4bcde98c; spec: /tmp/svcspec_zluap0vc
Get service 804a3871-c07d-40ff-bd3f-6cd78c2a4df4_com.vmware.vsphere.client
Don't update service 804a3871-c07d-40ff-bd3f-6cd78c2a4df4_com.vmware.vsphere.client
Get service 2ee86ea8-18e1-4b9e-87fb-297a145bb2dc
Update service 2ee86ea8-18e1-4b9e-87fb-297a145bb2dc; spec: /tmp/svcspec_gh44w9o8
Get service befcd8a6-8724-42c8-8cfa-533acf7973ef
Update service befcd8a6-8724-42c8-8cfa-533acf7973ef; spec: /tmp/svcspec_xlbe8joc
Get service a43d5048-cc03-4609-a120-8c48fb51e9c2
Update service a43d5048-cc03-4609-a120-8c48fb51e9c2; spec: /tmp/svcspec_hhw655yz
Get service 0bf9f611-8588-4e18-941f-d0714dccdb5e
Update service 0bf9f611-8588-4e18-941f-d0714dccdb5e; spec: /tmp/svcspec_fs5dpcp0
Get service 970effb6-6e6f-4a56-93c9-c04566b102d6
Update service 970effb6-6e6f-4a56-93c9-c04566b102d6; spec: /tmp/svcspec_3x8282su
Get service 0b99acad-b6c1-451e-a959-c465981b4875
Update service 0b99acad-b6c1-451e-a959-c465981b4875; spec: /tmp/svcspec_qn77w9bh
Get service c5a9f421-2bb0-4982-9d16-22684bca2c6a
Update service c5a9f421-2bb0-4982-9d16-22684bca2c6a; spec: /tmp/svcspec_yq79ljg2
Get service 490a8654-46d6-48b0-8cbf-bc8da3da38ca
Update service 490a8654-46d6-48b0-8cbf-bc8da3da38ca; spec: /tmp/svcspec_fxly36nl
Get service 804a3871-c07d-40ff-bd3f-6cd78c2a4df4
Update service 804a3871-c07d-40ff-bd3f-6cd78c2a4df4; spec: /tmp/svcspec_hgfpyxmd
Get service 3157def3-5fd5-4dfd-839a-a3ae7709bbb3
Update service 3157def3-5fd5-4dfd-839a-a3ae7709bbb3; spec: /tmp/svcspec_14zjgiat
Get service c0709008-9dd4-4466-8a44-e80eb92856e7
Update service c0709008-9dd4-4466-8a44-e80eb92856e7; spec: /tmp/svcspec_qwa4uo64
Get service 373ac891-263b-4f55-b209-d30ddfe6787f
Update service 373ac891-263b-4f55-b209-d30ddfe6787f; spec: /tmp/svcspec_i4urx15k
Get service 5854f351-8ebd-4f8f-9555-f2d6efd14023
Update service 5854f351-8ebd-4f8f-9555-f2d6efd14023; spec: /tmp/svcspec_kqpb8ot_
Get service 6f63bae6-2a9c-4769-9b51-39654d23b421
Update service 6f63bae6-2a9c-4769-9b51-39654d23b421; spec: /tmp/svcspec_w1zb1u5k
Get service efa50d73-fef7-48ff-ac76-15f15179bbcd
Update service efa50d73-fef7-48ff-ac76-15f15179bbcd; spec: /tmp/svcspec_t562ao08
Get service c5a9f421-2bb0-4982-9d16-22684bca2c6a_kv
Update service c5a9f421-2bb0-4982-9d16-22684bca2c6a_kv; spec: /tmp/svcspec_6bzxghhj
Get service b95feae0-aacd-47bc-a120-3177a1959d88
Update service b95feae0-aacd-47bc-a120-3177a1959d88; spec: /tmp/svcspec_7u0xihti
Get service 58996040-ee24-4e3e-8290-8e39952684f0
Update service 58996040-ee24-4e3e-8290-8e39952684f0; spec: /tmp/svcspec_yu5fbv2d
Get service 34eed7ab-33ca-4868-8129-ef91c3827902
Update service 34eed7ab-33ca-4868-8129-ef91c3827902; spec: /tmp/svcspec_0lliwhh9
Get service 305eaace-3f9f-4841-be06-2b6d6c245593
Update service 305eaace-3f9f-4841-be06-2b6d6c245593; spec: /tmp/svcspec_zfbntedw
Get service c5a9f421-2bb0-4982-9d16-22684bca2c6a_authz
Update service c5a9f421-2bb0-4982-9d16-22684bca2c6a_authz; spec: /tmp/svcspec_kqy_yewm
Get service 49d9dde5-8d5a-47ac-8370-f8543ab46c6c
Update service 49d9dde5-8d5a-47ac-8370-f8543ab46c6c; spec: /tmp/svcspec_8rlr2nyx
Get service 2eedaf37-6b19-4525-a373-5d0c686478a4
Update service 2eedaf37-6b19-4525-a373-5d0c686478a4; spec: /tmp/svcspec_ny6d0vdk
Get service c049cc57-ec94-49be-a1f1-c4319cd0926b
Update service c049cc57-ec94-49be-a1f1-c4319cd0926b; spec: /tmp/svcspec_ejdn9ezx
Get service df235693-49bf-4fe5-ad07-ed231f9b2d1d
Update service df235693-49bf-4fe5-ad07-ed231f9b2d1d; spec: /tmp/svcspec_rw0kld8h
Get service 43bdbdcc-2d98-419c-ac17-77ae815939a4
Update service 43bdbdcc-2d98-419c-ac17-77ae815939a4; spec: /tmp/svcspec_6156niys
Get service f4390d9f-ebea-431c-aadd-d77864e7827f
Update service f4390d9f-ebea-431c-aadd-d77864e7827f; spec: /tmp/svcspec_4w08ljqp
Get service e6c89116-f510-4d0e-843b-e063be5b8a23
Update service e6c89116-f510-4d0e-843b-e063be5b8a23; spec: /tmp/svcspec_o4079b25
Get service 664821f7-b7ef-48ed-803e-4ecd8ff44eae
Update service 664821f7-b7ef-48ed-803e-4ecd8ff44eae; spec: /tmp/svcspec_rwp5t973
Get service e6de6c2b-9edf-4145-a43d-0153b1230b62
Update service e6de6c2b-9edf-4145-a43d-0153b1230b62; spec: /tmp/svcspec__4zeyvjm
Get service f8b5a505-adcf-4416-a53c-03ae0493c7ea
Update service f8b5a505-adcf-4416-a53c-03ae0493c7ea; spec: /tmp/svcspec_hu_3svac
Updated 34 service(s)
Status : 60% Completed [Reset vpxd-extension Cert...]
2025-06-13T02:09:53.372Z Updating certificate for "com.vmware.vim.eam" extension
2025-06-13T02:09:53.764Z Updating certificate for "com.vmware.rbd" extension
2025-06-13T02:09:54.149Z Updating certificate for "com.vmware.imagebuilder" extension
Reset status : 100% Completed [Reset completed successfully]
At this point the renewal has succeeded.
Host certificate renewal
In the vCenter management console, select the host with the expired certificate, go to Configure - Certificate, and click Renew to renew the certificate.
Choose Yes.
At this point essentially all certificate renewal work is done; you can see that the certificate dates above have been updated, and the original certificates have been backed up below.
Updating integrated systems
After the certificates are renewed, every system integrated with vCenter must accept the new thumbprint, i.e. accept the new SSL certificate. Systems that may be affected include, but are not limited to:
- ESXi hosts
- Backup products: Veeam, NBU, Commvault, etc.
- Monitoring and logging systems: Operations, Logs, Prometheus, etc.
- Third-party products and plugins: NSX, SRM, Tanzu, etc.
- Other products: e.g. Horizon, security products
In Veeam, edit the vCenter again under Inventory.
Accept the new certificate and finish.
In Operations, go to Administration - Integrations, re-test the vCenter connection and accept the new certificate.
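Every product in the list above shows a thumbprint and asks you to accept it. Rather than accepting whatever is presented on the wire, it is worth comparing that value with the certificate VECS actually holds. The following shell helper is an added example, not from the post or from any of the products listed; it assumes OpenSSL, and on the VCSA itself it uses the vecs-cli entry getcert command (same tool as in the post, path assumed) to export the Machine SSL certificate.

```shell
#!/bin/sh
# Added example: verify the thumbprint an integrated product shows against the
# certificate exported from VECS. Not VMware, Veeam or Operations code. Assumes OpenSSL.

# normalize_thumbprint: read a thumbprint on stdin, print upper-case hex with no
# colons or whitespace, so "ab:cd:..." from one product and "ABCD..." from another
# compare equal.
normalize_thumbprint() {
  tr -d ': \n\r' | tr 'a-f' 'A-F'
}

# cert_thumbprint <cert.pem> <sha1|sha256>: normalized thumbprint of a PEM certificate.
cert_thumbprint() {
  openssl x509 -noout -fingerprint "-$2" -in "$1" | cut -d= -f2 | normalize_thumbprint
}

# thumbprint_matches <cert.pem> <thumbprint-as-displayed>: returns 0 when the displayed
# value equals the certificate's SHA-1 (40 hex digits) or SHA-256 (64 hex digits)
# thumbprint, 1 when it differs, 2 when the value is not a thumbprint at all.
thumbprint_matches() {
  shown=$(printf '%s' "$2" | normalize_thumbprint)
  case ${#shown} in
    40) alg=sha1 ;;
    64) alg=sha256 ;;
    *) echo "not a SHA-1/SHA-256 thumbprint: $2" >&2; return 2 ;;
  esac
  [ "$(cert_thumbprint "$1" "$alg")" = "$shown" ]
}

# On the VCSA, export the live Machine SSL certificate from VECS so that the reference
# value comes from the appliance, not from the network (vecs-cli path as in the post).
export_machine_ssl_cert() {
  /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT \
    --alias __MACHINE_CERT --output "$1"
}

# Usage on the appliance (not run here):
#   export_machine_ssl_cert /tmp/machine_ssl.crt
#   cert_thumbprint /tmp/machine_ssl.crt sha1        # value to compare with the dialog
#   thumbprint_matches /tmp/machine_ssl.crt 'AB:CD:...' && echo "safe to accept"
```

Older products (and ESXi's own host-to-vCenter trust) display SHA-1, newer ones SHA-256; the length switch lets the same check serve both, and a value of any other length is reported as not a thumbprint rather than silently treated as a mismatch.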
Other certificate-related problems and notes
The following collects certificate renewal problems you may run into; if the steps above still fail to renew or other problems appear, use this as a reference.
TIP: if the maintenance window allows, restart the services after each step of any certificate operation:
service-control --stop --all && service-control --start --all
Checking and changing the hostname and PNID
The PNID (Primary Network Identifier) is a key parameter in certificate configuration and directly affects service communication and authentication. Per the documentation, the PNID must match the hostname before any certificate operation (this applies only to FQDN deployments; in the IP deployment of this case it has little effect).
The following commands check the PNID and hostname:
root@photon-machine [ / ]# /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
10.102.102.55
root@photon-machine [ / ]# hostname
photon-machine
If they do not match, change either the PNID or the hostname.
The following command changes the PNID:
root@photon-machine [ / ]# /usr/lib/vmware-vmafd/bin/vmafd-cli set-pnid --server-name localhost --pnid 10.102.102.55
The hostname can be changed directly in the network settings of the VAMI (vc:5480), but in my experience that sometimes fails, so updating it through the CLI is recommended:
root@photon-machine [ / ]# /opt/vmware/share/vami/vami_config_net
Main Menu
0) Show Current Configuration (scroll with Shift-PgUp/PgDown)
1) Exit this program
2) Default Gateway
3) Hostname
4) DNS
5) Proxy Server
6) IP Address Allocation for eth0
Enter a menu number [0]: 3
Warning: if any of the interfaces for this VM use DHCP,
the Hostname, DNS, and Gateway parameters will be
overwritten by information from the DHCP server.
Type Ctrl-C to go back to the Main Menu
New hostname [photon-machine]: 10.102.102.55
== set_ipv4 ==
DEFULT_INT: eth0
DEFAULT_IPV4: 10.102.102.55
HN: 10
DN: 102.102.55
==============
== set_ipv6 ==
DEFULT_INT: eth0
DEFAULT_IPV6:
HN: 10
DN: 102.102.55
==============
Host name has been set to 10.102.102.55
Main Menu
0) Show Current Configuration (scroll with Shift-PgUp/PgDown)
1) Exit this program
2) Default Gateway
3) Hostname
4) DNS
5) Proxy Server
6) IP Address Allocation for eth0
Enter a menu number [0]: 1
root@photon-machine [ / ]# hostname
10.102.102.55
Once done, run the commands again to check.
Repairing certificates with lsdoctor
lsdoctor is an official VMware diagnostic and repair tool aimed at problems in the vCenter Lookup Service database and in vCenter local data. It detects and fixes issues caused by certificate errors, topology changes, failed upgrades or improper maintenance operations.
If, after re-issuing certificates as described above, the services still will not run or start, try repairing with lsdoctor.
As before, download the tool, drop it into /tmp with WinSCP, enter the directory and unzip it:
root@10 [ /tmp ]# unzip lsdoctor-250331.zip
Archive: lsdoctor-250331.zip
9382ea0488e19f33a27ce096b84e2ca95c8a9ee2
   creating: lsdoctor-250331/
  inflating: lsdoctor-250331/CHANGELOG
  inflating: lsdoctor-250331/README
  inflating: lsdoctor-250331/config_log.ini
   creating: lsdoctor-250331/lib/
  inflating: lsdoctor-250331/lib/__init__.py
  inflating: lsdoctor-250331/lib/lsdoctor_defaults.py
  inflating: lsdoctor-250331/lib/lsreport.py
  inflating: lsdoctor-250331/lib/lstool_parse.py
  inflating: lsdoctor-250331/lib/lstool_scan.py
  inflating: lsdoctor-250331/lib/pscha.py
  inflating: lsdoctor-250331/lib/rebuild.py
  inflating: lsdoctor-250331/lib/solutionusers.py
  inflating: lsdoctor-250331/lib/stale.py
  inflating: lsdoctor-250331/lib/trust.py
Enter the directory and run lsdoctor.py -l. This option checks the Lookup Service for possible problems; it only reports and has no impact on the workload:
root@10 [ /tmp ]# cd lsdoctor-250331
root@10 [ /tmp/lsdoctor-250331 ]#
root@10 [ /tmp/lsdoctor-250331 ]# python lsdoctor.py -l
ATTENTION: You are running a reporting function. This doesn't make any changes to your environment.
You can find the report and logs here: /var/log/vmware/lsdoctor
2025-06-15T02:31:07 INFO main: You are reporting on problems found across the SSO domain in the lookup service. This doesn't make changes.
2025-06-15T02:31:07 INFO live_checkCerts: Checking services for trust mismatches...
2025-06-15T02:31:07 INFO generateReport: Listing lookup service problems found in SSO domain
2025-06-15T02:31:07 INFO generateReport: No issues detected in the lookup service entries for 10.102.102.55 (Embedded).
2025-06-15T02:31:07 INFO generateReport: Report generated: /var/log/vmware/lsdoctor/10.102.102.55-2025-06-15-023107.json
If the check reports errors, run lsdoctor.py -t to repair; SSO administrator credentials are required:
root@10 [ /tmp/lsdoctor-250331 ]# python lsdoctor.py -t
WARNING: This script makes permanent changes. Before running, please take *OFFLINE* snapshots
of all VC's and PSC's at the SAME TIME. Failure to do so can result in PSC or VC inconsistencies.
Logs can be found here: /var/log/vmware/lsdoctor
2025-06-15T02:31:31 INFO main: You are checking for and fixing SSL trust mismatches in the local SSO site. NOTE: Please run this script one PSC or VC per SSO site.
Have you taken offline (PSCs and VCs powered down at the same time) snapshots of all nodes in the SSO domain or supported backups?[y/n]y
Provide password for administrator@vsphere.local:
2025-06-15T02:31:37 INFO __init__: Retrieved services from SSO site: default-site
2025-06-15T02:31:37 INFO findAndFix: Checking services for trust mismatches...
2025-06-15T02:31:37 INFO findAndFix: No mismatches were found
2025-06-15T02:31:37 INFO main: Please restart services on all PSC's and VC's when you're done.
For more on lsdoctor, see the following KB:
https://knowledge.broadcom.com/external/article/320837/using-the-lsdoctor-tool.html
Renewing and maintaining certificates with the vCert tool
On 7.0 and later, VMware recommends vCert for certificate management. vCert is effectively an enhanced VMCA: it manages certificates at a finer granularity and offers some functions VMCA lacks. See the KB for detailed usage:
https://knowledge.broadcom.com/external/article/385107
Renewing the data-encipherment certificate
After all the renewals above, the data-encipherment certificate is still not renewed. It is used for SSL data encryption; in the cases I have encountered so far it has had no impact on workloads or management. If it needs renewing, see the following KB:
https://knowledge.broadcom.com/external/article/312152/replacing-an-expired-dataencipherment-ce.html
Cleaning up old certificate backups
After all certificates are renewed, the old ones remain in VECS as backups named with the prefix "bkp_". They can normally be ignored; if needed, clean them up with the vCert tool mentioned above.
Choose 11 in the vCert menu to clear them.
Summary
- Certificates are the invisible foundation of any IT system. Like a passport or business license in real life, a certificate is the only trusted credential of a service's identity, and the operation and management of every certificate deserves more attention.
- Never assume the "default configuration" suits you. The "standard procedure" in tutorials and documentation may overlook edge cases; before any operation, confirm the peculiarities of the environment and the logic behind the procedure.
- Back up and snapshot before any certificate operation!!!
- Make good use of logs; 90% of certificate problems expose their cause directly in the logs.
- Improve certificate lifecycle management, e.g. set sufficient calendar reminders.