vCenter Server Appliance 6.7 SSL Expired

Last week, the vCenter Appliance used by Excellent's internal team ran into an error. The vSphere Client could not be accessed and showed the message “504 Service Unavailable”. I suspected this was caused by a crashed vpostgres database (see: vCenter 6.7 Error Executing VMware-vPostgres (PANIC: could not locate a valid checkpoint record)). After I checked via SSH with the command service-control --all --status, it turned out that many services were stopped (vsphere-client, applmgmt, vpxd and several other crucial services), but not the vpostgres database; the database was running as it should. That left me even more confused about what was causing my vCenter error 😀 .

After digging deeper, it turned out that the SSL certificate used by vCenter had expired. The SSL certificate happened to expire on 1 January 2020. The certificate in use was a trusted SSL certificate from Sectigo, valid for only 1 year, not an untrusted self-signed certificate. Why wasn't it renewed? 😀 . The story is that in early 2019 Excellent bought that SSL certificate only for a trial, which is why it was not renewed; besides, vCenter is only accessed by Excellent's internal team.

In the end I tried to restore the self-signed vCenter certificate, the kind that is already in place when you deploy the vCenter Appliance. Admittedly I did not yet know whether the SSL certificate really was the cause of the vCenter error, but there is no harm in trying 😀 . Here are the steps to do it.

Reset SSL Certificates

  • Access vCenter as the root account via SSH
  • Type the following commands to launch certificate-manager
    > shell
    # /usr/lib/vmware-vmca/bin/certificate-manager
  • Type “8” (Reset all Certificates)
    		 _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
    		|                                                                     |
    		|      *** Welcome to the vSphere 6.7 Certificate Manager  ***        |
    		|                                                                     |
    		|                   -- Select Operation --                            |
    		|                                                                     |
    		|      1. Replace Machine SSL certificate with Custom Certificate     |
    		|                                                                     |
    		|      2. Replace VMCA Root certificate with Custom Signing           |
    		|         Certificate and replace all Certificates                    |
    		|                                                                     |
    		|      3. Replace Machine SSL certificate with VMCA Certificate       |
    		|                                                                     |
    		|      4. Regenerate a new VMCA Root Certificate and                  |
    		|         replace all certificates                                    |
    		|                                                                     |
    		|      5. Replace Solution user certificates with                     |
    		|         Custom Certificate                                          |
    		|                                                                     |
    		|      6. Replace Solution user certificates with VMCA certificates   |
    		|                                                                     |
    		|      7. Revert last performed operation by re-publishing old        |
    		|         certificates                                                |
    		|                                                                     |
    		|      8. Reset all Certificates                                      |
    		|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
    Note : Use Ctrl-D to exit.
    Option[1 to 8]:8
    
  • Enter the administrator username and its password
    Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y
    Please provide valid SSO and VC privileged user credential to perform certificate operations.
    Enter username [Administrator@vsphere.local]:administrator@excellent.co.id
    Enter password
  • Fill in the self-signed certificate information, either with the default values or with values of your own choosing
    certool.cfg file exists, Do you wish to reconfigure : Option[Y/N] ? : y
    Press Enter key to skip optional parameters or use Previous value.
    Enter proper value for 'Country' [Previous value : US] : ID
    Enter proper value for 'Name' [Previous value : vc67.excellent.co.id] : vc67.excellent.co.id
    Enter proper value for 'Organization' [Previous value : VMware] : Excellent
    Enter proper value for 'OrgUnit' [Previous value : VMware Engineering] : Support Excellent
    Enter proper value for 'State' [Previous value : California] : Jawa Barat
    Enter proper value for 'Locality' [Previous value : CA] : Bekasi
    Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] :
    Enter proper value for 'Email' [Previous value : support@vmware.com] : support@excellent.co.id
    Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vc67.excellent.co.id
    Enter proper value for VMCA 'Name' :vc67.excellent.co.id
    Continue operation : Option[Y/N] ? : y
    You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
    Continue operation : Option[Y/N] ? : y
  • Wait until certificate generation and the service restart have finished
    Get service ed5323c5-2f8c-4f82-8877-88fa3f7a6e18
    Don't update service ed5323c5-2f8c-4f82-8877-88fa3f7a6e18
    Get service 558af637-fb02-4229-9f66-145a8f9eaeb1
    Don't update service 558af637-fb02-4229-9f66-145a8f9eaeb1
    Get service 558af637-fb02-4229-9f66-145a8f9eaeb1_com.vmware.vsphere.client
    Don't update service 558af637-fb02-4229-9f66-145a8f9eaeb1_com.vmware.vsphere.client
    Get service ed5323c5-2f8c-4f82-8877-88fa3f7a6e18_authz
    Don't update service ed5323c5-2f8c-4f82-8877-88fa3f7a6e18_authz
    Get service h5-dr-adeeafa0-cb96-4c6c-936b-707d55d2cab2
    Don't update service h5-dr-adeeafa0-cb96-4c6c-936b-707d55d2cab2
    Get service h5-dr-0b94028b-ea7b-497d-9104-e03c3000b7c2
    Don't update service h5-dr-0b94028b-ea7b-497d-9104-e03c3000b7c2
    Get service adeeafa0-cb96-4c6c-936b-707d55d2cab2
    Don't update service adeeafa0-cb96-4c6c-936b-707d55d2cab2
    Reset status : 100% Completed [Reset completed successfull
  • Test access to the vSphere Client from a web browser
  • Inspect the vSphere Client certificate
  • Click View Certificate
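
Since the outage above came from a certificate that expired unnoticed, the following added example (not part of the original post) is a small expiry check that can be run from cron against exported certificate files. The function names, the 30-day default and the /tmp output path are assumptions made for this example; it relies on openssl being available.

```shell
#!/bin/sh
# Added example: warn before a certificate expires.
# On a VCSA the Machine SSL certificate can be exported first with:
#   /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert \
#     --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/machine_ssl.crt
# (the /tmp output path is an arbitrary choice for this example)

# cert_status PEM_FILE [WARN_DAYS]
# Prints one word and returns: OK=0, WARN=1, EXPIRED=2, INVALID/UNREADABLE=3
cert_status() {
    pem=$1
    warn_days=${2:-30}
    if [ ! -r "$pem" ]; then
        echo "UNREADABLE"; return 3
    fi
    # Reject files that do not parse as an X.509 certificate, otherwise
    # the -checkend failures below would be misreported as EXPIRED.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "INVALID"; return 3
    fi
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED"; return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo "WARN"; return 1
    fi
    echo "OK"; return 0
}

# check_certs WARN_DAYS FILE...
# Prints "STATUS FILE notAfter=..." per file and returns the worst status seen.
check_certs() {
    warn_days=$1; shift
    worst=0
    for f in "$@"; do
        rc=0
        status=$(cert_status "$f" "$warn_days") || rc=$?
        end=$(openssl x509 -in "$f" -noout -enddate 2>/dev/null) || end="notAfter=unknown"
        echo "$status $f $end"
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}
```

A cron job can call `check_certs 30 /tmp/machine_ssl.crt` and alert on any non-zero exit code.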
