VMware SSL Certificate Automation Tool – fails at vCenter Server

VMware used to rely more heavily on self-signed certificates to secure its many different server services. By now, however, many of them, VMware Horizon View for example, require a certificate issued by a certificate authority. Once you start signing, there is little way around the other services either: ESXi hosts, vCenter Server, SSO Server, Update Manager, Inventory Service, Site Recovery Manager and many more can, or must, be provided with their own certificates accordingly.
To counter the chaos somewhat, VMware has published a small command-line tool, the VMware SSL Certificate Automation Tool. It is currently available from VMware in version 1.0.1.
While updating the vCenter Server certificate I ran into the following error:

[19.06.2013 - 10:48:11,31]: ""Cannot reload the vCenter Server SSL certificates. The certificate might not be unique.""
[19.06.2013 - 10:48:11,31]: Deleting the new certificates and keys...
[19.06.2013 - 10:48:11,33]: Restoring the original certificates and keys...
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
[19.06.2013 - 10:48:11,36]: The vCenter certificate update failed.

Full log:
[19.06.2013 - 10:48:04,48]: Validating Lookup Service connection
Intializing registration provider...
Getting SSL certificates for https://server.domain.info:7444/lookupservice/sdk
Getting SSL certificates for https://server.domain.info:7444/sso-adminserver/sdk
Getting SSL certificates for https://server.domain.info:7444/ims/STSService?wsdl
Successfully created dummy service, we have sufficient privileges
Successfully deleted dummy service, we have sufficient privileges
The file C:\tool\backup\VC\ROOT_LS_SSL_CHAIN.crt already exists. Overwriting...
The file C:\tool\backup\VC\1_LS_SSL_CHAIN.crt already exists. Overwriting...
Certificates saved successfully
Return code is: Success
[19.06.2013 - 10:48:09,05]: Cleaning any temporary files
[19.06.2013 - 10:48:09,05]: Backing up the certificates and keys from "C:\ProgramData\VMware\VMware VirtualCenter\SSL..."
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
[19.06.2013 - 10:48:09,08]: Copying the new certificates and keys to "C:\ProgramData\VMware\VMware VirtualCenter\SSL..."
[19.06.2013 - 10:48:09,10]: Creating the PKCS certificate file...
Could not reload vCenter SSL Certificates
[19.06.2013 - 10:48:10,35]: ""Cannot reload the vCenter Server SSL certificates. The certificate might not be unique.""
[19.06.2013 - 10:48:10,36]: Deleting the new certificates and keys...
[19.06.2013 - 10:48:10,36]: Restoring the original certificates and keys...
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
[19.06.2013 - 10:48:10,41]: Attempting rollback...
Could not reload vCenter SSL Certificates
[19.06.2013 - 10:48:11,31]: ""Cannot reload the vCenter Server SSL certificates. The certificate might not be unique.""
[19.06.2013 - 10:48:11,31]: Deleting the new certificates and keys...
[19.06.2013 - 10:48:11,33]: Restoring the original certificates and keys...
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
[19.06.2013 - 10:48:11,36]: The vCenter certificate update failed.
While investigating the cause I came across a helpful post in the community. It describes that the problem apparently lies in an incorrect mapping between the LookupService and vCenter.
The error can be fixed by inserting the correct LookupService ID into the vpxd.cfg of the vCenter Server.
Here are the instructions:

Steps:
1. Stop vCenter service
2. Look for your ID in LS_ServiceID.prop in folder C:\ProgramData\VMware\VMware VirtualCenter
3. Copy this ID (e.g. {C4672589-9258-42B1-90E2-1EF268BBD402}:5 )
4. Edit your vpxd.cfg in the same folder and replace
<serviceId>vCenterService</serviceId>
with
<serviceId>your ID</serviceId>
5. Start vCenter Service
Then the SSL automation tool works!
You don't need to revert the changes.
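
An added example, not code from the original post or from VMware: the five steps above as one PowerShell script, run in an elevated console on the vCenter Server. It assumes the default data directory named in the steps, that LS_ServiceID.prop contains the ID in the {GUID}:N form shown in step 3, and that vpxd.cfg is well-formed XML with a single <serviceId> element; the .bak copy it writes is a hypothetical name chosen here so the edit can be reverted.

```powershell
# Added example, not VMware's code. Assumes the default vCenter data directory,
# an ID of the form {GUID}:N inside LS_ServiceID.prop, and exactly one
# <serviceId> element in vpxd.cfg. Run in an elevated PowerShell session.
$vcDir    = 'C:\ProgramData\VMware\VMware VirtualCenter'
$propFile = Join-Path $vcDir 'LS_ServiceID.prop'
$cfgFile  = Join-Path $vcDir 'vpxd.cfg'

# Step 1: stop vCenter Server (service name vpxd, as seen in the log above).
# Remember which dependent services were running so they can be started again.
$vpxd = Get-Service -Name vpxd
$deps = $vpxd.DependentServices | Where-Object { $_.Status -eq 'Running' }
Stop-Service -Name vpxd -Force   # -Force also stops the dependents captured above
$vpxd.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

# Steps 2 and 3: pull the Lookup Service registration ID out of the .prop file.
# The regex matches the {GUID}:5 shape from the example; anything else is an error.
$text  = Get-Content -Path $propFile -Raw
$match = [regex]::Match($text, '\{[0-9A-Fa-f-]{36}\}:\d+')
if (-not $match.Success) { throw "No {GUID}:N service ID found in $propFile" }
$serviceId = $match.Value

# Step 4: back up vpxd.cfg, then replace the text of the <serviceId> element.
# PreserveWhitespace keeps the rest of the file as it was.
Copy-Item -Path $cfgFile -Destination ($cfgFile + '.bak-' + (Get-Date -Format 'yyyyMMddHHmmss'))
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($cfgFile)
$node = $cfg.SelectSingleNode('//serviceId')
if ($null -eq $node) { throw "No <serviceId> element found in $cfgFile" }
if ($node.InnerText -eq $serviceId) {
    Write-Host "vpxd.cfg already carries $serviceId, nothing to change."
} else {
    Write-Host "Replacing serviceId '$($node.InnerText)' with '$serviceId'"
    $node.InnerText = $serviceId
    $cfg.Save($cfgFile)
}

# Step 5: start vCenter Server again, then the services stopped alongside it.
Start-Service -Name vpxd
$vpxd.WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
$deps | ForEach-Object { Start-Service -Name $_.Name }
Get-Service -Name vpxd | Format-Table Name, Status
```

After the script reports vpxd as Running, re-run the SSL Certificate Automation Tool for the vCenter Server certificate.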

After that, updating the certificate with the SSL Certificate Automation Tool worked as well.
Complete log file:
#####################################
[19.06.2013 - 11:00:22,03]: Validating Lookup Service connection
Intializing registration provider...
Getting SSL certificates for https://server.domain.info:7444/lookupservice/sdk
Getting SSL certificates for https://server.domain.info:7444/sso-adminserver/sdk
Getting SSL certificates for https://server.domain.info:7444/ims/STSService?wsdl
Successfully created dummy service, we have sufficient privileges
Successfully deleted dummy service, we have sufficient privileges
The file C:\tool\backup\VC\ROOT_LS_SSL_CHAIN.crt already exists. Overwriting...
The file C:\tool\backup\VC\1_LS_SSL_CHAIN.crt already exists. Overwriting...
Certificates saved successfully
Return code is: Success
[19.06.2013 - 11:00:26,72]: Cleaning any temporary files
[19.06.2013 - 11:00:26,75]: Backing up the certificates and keys from "C:\ProgramData\VMware\VMware VirtualCenter\SSL..."
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
[19.06.2013 - 11:00:26,77]: Copying the new certificates and keys to "C:\ProgramData\VMware\VMware VirtualCenter\SSL..."
[19.06.2013 - 11:00:26,80]: Creating the PKCS certificate file...
Successfully reloaded vCenter SSL Certificates
[19.06.2013 - 11:00:31,98]: Encrypting the password with the certificates...
------ In-memory logs start --------
mem> 2013-06-19T11:00:32.172+02:00 [04384 info 'Hooks'] Hooks Initialized
------ In-memory logs end --------
2013-06-19T11:00:32.187+02:00 [04384 info 'Default'] Logging uses fast path: true
2013-06-19T11:00:32.187+02:00 [04384 info 'Default'] Handling bora/lib logs with VmaCore facilities
2013-06-19T11:00:32.187+02:00 [04384 info 'Default'] Initialized channel manager
2013-06-19T11:00:32.187+02:00 [04384 info 'Default'] Current working directory: C:\tool
2013-06-19T11:00:32.187+02:00 [04384 info 'Default'] ThreadPool windowsStackImmediateCommit = true
2013-06-19T11:00:32.187+02:00 [04384 info 'ThreadPool'] Thread enlisted
2013-06-19T11:00:32.187+02:00 [04384 info 'Default'] Log path: C:\ProgramData\VMware\VMware VirtualCenter\Logs
2013-06-19T11:00:32.187+02:00 [04384 info 'Default'] Initializing SSL
2013-06-19T11:00:33.248+02:00 [04384 info 'Default'] Vmacore::InitSSL: handshakeTimeoutUs = 120000000
2013-06-19T11:00:33.248+02:00 [06172 info 'ThreadPool'] Thread enlisted
2013-06-19T11:00:33.264+02:00 [04384 info 'Default'] Reset DB password succeeded.
[19.06.2013 - 11:00:33,26]: Setup complete. Restarting services...
[19.06.2013 - 11:00:33,27]: Restarting vCenter Server...
SERVICE_NAME: vctomcat
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x17
WAIT_HINT : 0x0
[19.06.2013 - 11:00:33,29]: Stopping vCenter Web Services...
[19.06.2013 - 11:00:33,31]: ""Cannot stop the vCenter Server Web Services: 1""
STATE : 1 STOPPED
SERVICE_NAME: vpxd
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x124f80
[19.06.2013 - 11:00:38,19]: Stopping vCenter Server...
[19.06.2013 - 11:00:38,22]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:00:43,15]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:00:48,19]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:00:53,15]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:00:58,20]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:01:03,15]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:01:08,19]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:01:13,22]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:01:18,17]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:01:23,22]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:01:28,18]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:01:33,22]: ""Cannot stop vCenter Server: 1""
[19.06.2013 - 11:01:38,17]: ""Cannot stop vCenter Server: 1""
STATE : 1 STOPPED
SERVICE_NAME: vpxd
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x124f80
PID : 4616
FLAGS :
[19.06.2013 - 11:01:43,36]: Starting vCenter Server...
[19.06.2013 - 11:01:43,38]: ""Cannot start vCenter Server: 1""
[19.06.2013 - 11:01:48,14]: ""Cannot start vCenter Server: 1""
[19.06.2013 - 11:01:53,17]: ""Cannot start vCenter Server: 1""
STATE : 4 RUNNING
SERVICE_NAME: vctomcat
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 6168
FLAGS :
[19.06.2013 - 11:01:58,24]: Restarting vSphere Profile-Driven Storage Service...
SERVICE_NAME: vimPBSM
TYPE : 10 WIN32_OWN_PROCESS
STATE : 3 STOP_PENDING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x3f
WAIT_HINT : 0x0
[19.06.2013 - 11:01:58,27]: ""Cannot stop vSphere Profile-Driven Storage Service: 1""
STATE : 1 STOPPED
SERVICE_NAME: vimPBSM
TYPE : 10 WIN32_OWN_PROCESS
STATE : 2 START_PENDING
(NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x7d0
PID : 4644
FLAGS :
[19.06.2013 - 11:02:03,24]: vCenter certificates updated.