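vCenter 7.0.3 Error 500: Replacing an Expired SSL Certificate
1. Background
Opening the vCenter page shows the following error:

Logging in to the management interface on port 5480 shows the error message directly:

2. Replacing the SSL certificate
2.1 Check which certificates have expired
Use the following command to see which certificates have expired: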
for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
root@localhost [ ~ ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Oct 13 23:13:18 2024 GMT
STORE TRUSTED_ROOTS
Alias : 8611208819196c7f5edaf9b5153c0f71ace3b394
Not After : Oct 8 11:13:18 2032 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 25bd70b5403dc5e86d5dc7f82f91fcf13b0f380d
STORE machine
Alias : machine
Not After : Oct 8 11:13:18 2032 GMT
STORE vsphere-webclient
Alias : vsphere-webclient
Not After : Oct 8 11:13:18 2032 GMT
STORE vpxd
Alias : vpxd
Not After : Oct 8 11:13:18 2032 GMT
STORE vpxd-extension
Alias : vpxd-extension
Not After : Oct 8 11:13:18 2032 GMT
STORE hvc
Alias : hvc
Not After : Oct 8 11:13:18 2032 GMT
STORE data-encipherment
Alias : data-encipherment
Not After : Oct 8 11:13:18 2032 GMT
STORE APPLMGMT_PASSWORD
STORE SMS
Alias : sms_self_signed
Not After : Oct 14 11:17:55 2032 GMT
STORE wcp
Alias : wcp
Not After : Oct 8 11:13:18 2032 GMT
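As an added example (not part of the original post), the Python script below parses that listing and classifies each entry against a reference time, including entries that have no Not After line, such as the CRL alias. The function names and the 30-day warning window are assumptions; the sample text is copied from the output above and shortened to four stores.

```python
import sys
from datetime import datetime, timedelta, timezone

# Sample copied from the listing above (shortened); not live appliance output.
SAMPLE = """\
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Oct 13 23:13:18 2024 GMT
STORE TRUSTED_ROOTS
Alias : 8611208819196c7f5edaf9b5153c0f71ace3b394
Not After : Oct 8 11:13:18 2032 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 25bd70b5403dc5e86d5dc7f82f91fcf13b0f380d
STORE APPLMGMT_PASSWORD
"""

def parse_listing(text):
    """Return [store, alias, not_after] rows; not_after stays None for CRL entries.
    Month names are parsed with %b, so the default C/English locale is assumed."""
    rows, store = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("STORE "):
            store = line.split(None, 1)[1]
        elif line.startswith("Alias"):
            rows.append([store, line.split(":", 1)[1].strip(), None])
        elif line.startswith("Not After") and rows:
            when = datetime.strptime(line.split(":", 1)[1].strip(), "%b %d %H:%M:%S %Y GMT")
            rows[-1][2] = when.replace(tzinfo=timezone.utc)
    return rows

def classify(rows, now, warn_days=30):
    """Map (store, alias) to 'EXPIRED', 'EXPIRING', 'OK' or 'NO_DATE'."""
    result = {}
    for store, alias, not_after in rows:
        if not_after is None:
            state = "NO_DATE"
        elif not_after <= now:
            state = "EXPIRED"
        elif not_after - now <= timedelta(days=warn_days):
            state = "EXPIRING"
        else:
            state = "OK"
        result[(store, alias)] = state
    return result

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (store, alias), state in classify(parse_listing(text), datetime.now(timezone.utc)).items():
        print(f"{state:8} {store}/{alias}")
```

On the appliance, pipe the output of the loop above into the script on stdin; run without piped input, it falls back to the embedded sample.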
2.2 Handling the error message
Replacing the certificate fails with this error:
Certificate Manager tool do not support vCenter HA systems
Option[1 to 8]: 1
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
Certificate Manager tool do not support vCenter HA systems
root@localhost [ ~ ]#
root@localhost [ ~ ]# mkdir /var/tmp/vmware
Fix: mkdir /var/tmp/vmware
2.3 Replace the certificates
root@localhost [ ~ ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.8 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| NOTE: Solution user certs will be deprecated in a future |
| release of vCenter. Refer to release notes for more details.|
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 4
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:
Enter password:
certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : Y
Press Enter key to skip optional parameters or use Previous value.
Enter proper value for 'Country' [Previous value : US] :
Enter proper value for 'Name' [Previous value : CA] :
Enter proper value for 'Organization' [Previous value : VMware] :
Enter proper value for 'OrgUnit' [Previous value : VMware Engineering] :
Enter proper value for 'State' [Previous value : California] :
Enter proper value for 'Locality' [Previous value : Palo Alto] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 172.16.10.189
Enter proper value for 'Email' [Previous value : email@acme.com] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] :
Hostname should not be empty, please enter valid FQDN.
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : 172.16.10.189
Enter proper value for VMCA 'Name' :172.16.10.189
You are going to regenerate Root Certificate and all other certificates using VMCA
Continue operation : Option[Y/N] ? : Y
Get site nameCompleted [Replacing Machine SSL Cert...]
default-first-site
2.4 Update complete
2025-03-18T02:55:42.802Z Updating certificate for "com.vmware.vim.eam" extension
2025-03-18T02:55:43.147Z Updating certificate for "com.vmware.rbd" extension
2025-03-18T02:55:43.496Z Updating certificate for "com.vmware.imagebuilder" extension
Status : 100% Completed [All tasks completed successfully]





