vSphere 6.x SSL Trust Anchors

In vSphere 6.x all services and components have Service Registration details recorded in the VMware Directory Service of the Platform Services Controller.

Each Service Registration can contain one or more Endpoint entries.

Each Endpoint may contain an SSL Trust value.

The SSL Trust value must always match the current Machine SSL certificate of the PSC, vCenter Server or Embedded node it refers to.

If you replace the Machine SSL certificate with the Certificate Manager from 6.0 U1b or later, the tool updates these entries for you. If you replaced the Machine SSL certificate manually, or used the tool before 6.0 U1b, you may encounter this issue.

[screenshot: ssltrust_explain1]

You can also use Jxplorer to view the values

[screenshot: jxplorer]

If your SSL Trust values do not match their respective Machine SSL certificate then you will see issues with other solutions in your vSphere 6.x environment. For details of the errors experienced please see the following KB https://kb.vmware.com/kb/2109074

To fix these SSL Trust values you must use the ls_update_certs.py script. There is a KB article on this process but it can be a bit daunting. https://kb.vmware.com/kb/2121689

ls_update_certs.py takes the following syntax and must be run on the Platform Services Controller or Embedded node.

Appliance:

python /usr/lib/vmidentity/tools/scripts/ls_update_certs.py --url http://localhost:7080/lookupservice/sdk --fingerprint <thumbprint_of_SSL_Trust> --certfile <Machine_SSL_CERT> --user administrator@vsphere.local --password 'p@s$w0rd'

Windows:

"%VMWARE_PYTHON_BIN%" "C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts\"ls_update_certs.py --url http://localhost:7080/lookupservice/sdk --fingerprint <thumbprint_of_SSL_Trust> --certfile <Machine_SSL_CERT> --user administrator@vsphere.local --password p@s$w0rd

Note: If http://localhost:7080/lookupservice/sdk doesn’t work, change the URL to https://<actual_fqdn>/lookupservice/sdk. On the appliance, put the password in single quotes: in an unquoted value such as p@s$w0rd the shell expands $w0rd before the script ever sees it.

This script queries VMDir for every Endpoint whose SSL Trust certificate matches <thumbprint_of_SSL_Trust> and replaces that value with <Machine_SSL_CERT>. Endpoints carrying any other thumbprint are left untouched, so if several stale values exist you run it once per stale thumbprint.

Compare the Machine SSL Certificate and SSL Trust Value

vCenter Server / PSC 6.x Appliance

Get the current Machine SSL Certificate <Machine_SSL_CERT>

 /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/machineSSL.crt

[screenshot: ssltrust_appliance1]

Get the Node ID

 cat /etc/vmware/install-defaults/vmdir.ldu-guid

[screenshot: ssltrust_appliance2]

List the ComponentManager ServiceRegistration for that Node ID (substitute your own Node ID for the one shown) and snip the output back to the FQDN and SSL Trust. Copy the SSL Trust value to the clipboard.

 python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --type cs.componentmanager --node e8602247-e644-4b9d-ae07-9677c27da9cd 2> /dev/null | grep -B 1 "SSL trust"

[screenshot: ssltrust_appliance3]

Prepare a new Certificate File

 echo "-----BEGIN CERTIFICATE-----" > /tmp/sslTrust.crt ; echo "-----END CERTIFICATE-----" >> /tmp/sslTrust.crt

[screenshot: ssltrust_appliance4]

Edit the file and paste the value of SSL Trust from the previous output between the BEGIN and END lines.

 vi /tmp/sslTrust.crt

[screenshot: ssltrust_appliance5]

Get the Thumbprint of the Machine SSL Certificate

 openssl x509 -in /tmp/machineSSL.crt -fingerprint -noout

Get the Thumbprint of the SSL Trust value <thumbprint_of_SSL_Trust>

 openssl x509 -in /tmp/sslTrust.crt -fingerprint -noout

[screenshot: ssltrust_appliance6]

If the two thumbprints match, there is nothing to do. If they differ, run ls_update_certs.py, passing in the Machine SSL certificate file as --certfile and the SSL Trust thumbprint as --fingerprint.


vCenter Server / PSC 6.x Windows

Get the current Machine SSL Certificate <Machine_SSL_CERT>

 "C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output C:\machineSSL.crt

[screenshot: ssltrust_windows1]

Get the Node ID

 type C:\ProgramData\VMware\vCenterServer\cfg\install-defaults\vmdir.ldu-guid

[screenshot: ssltrust_windows2]

List the ComponentManager ServiceRegistration for that Node ID (substitute your own Node ID for the one shown). Copy the SSL Trust value to the clipboard.

 "%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url http://localhost:7080/lookupservice/sdk --type cs.componentmanager --node 9b747a11-e7a9-11e6-a715-005056ae96ee 2>NUL

[screenshot: ssltrust_windows4]

Prepare a new Certificate File

 echo -----BEGIN CERTIFICATE----- > C:\sslTrust.crt & echo -----END CERTIFICATE----- >> C:\sslTrust.crt

[screenshot: ssltrust_windows5]

Edit the file, paste the value of SSL Trust from the previous output between the BEGIN and END lines, and save the file.

notepad C:\sslTrust.crt

[screenshot: ssltrust_windows6]

Get the Thumbprint of the SSL Trust value <thumbprint_of_SSL_Trust>

"%VMWARE_OPENSSL_BIN%" x509 -in C:\sslTrust.crt -fingerprint -noout 2>NUL

Get the Thumbprint of the Machine SSL Certificate

 "%VMWARE_OPENSSL_BIN%" x509 -in C:\machineSSL.crt -fingerprint -noout 2>NUL

[screenshot: ssltrust_windows7]

If the two thumbprints match, there is nothing to do. If they differ, run ls_update_certs.py, passing in the Machine SSL certificate file as --certfile and the SSL Trust thumbprint as --fingerprint.
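The appliance and Windows procedures above both come down to the same comparison: the thumbprint openssl prints is the SHA-1 digest of the certificate's DER encoding, so the SSL Trust value (which is that DER, base64 encoded) can be checked against the exported Machine SSL certificate without building a PEM file by hand. The following script is an added example, not part of the original post and not VMware tooling. It uses only the Python standard library, takes the PEM written by vecs-cli and the raw output of lstool.py list, reports every SSL Trust thumbprint that differs from the Machine SSL certificate, and prints the matching ls_update_certs.py invocation for either platform. The lstool output format (one "SSL trust: <base64>" line per endpoint, the string the post greps for) is an assumption, and the certificates and lstool output embedded below are constructed placeholders, not real certificates.

```python
"""Compare vSphere 6.x SSL Trust values with the Machine SSL certificate.

Added example (not from the original post and not VMware tooling). Uses only
the Python stdlib: `openssl x509 -fingerprint` prints the SHA-1 digest of the
certificate's DER encoding, so the thumbprint is computed directly.
Feed it the PEM exported with vecs-cli and the output of
`lstool.py list --type cs.componentmanager --node <id>`.
"""
import base64
import hashlib
import re
import textwrap

# Script locations copied from the two procedures in the post.
UPDATE_CMD = {
    "appliance": "python /usr/lib/vmidentity/tools/scripts/ls_update_certs.py",
    "windows": ('"%VMWARE_PYTHON_BIN%" "C:\\Program Files\\VMware\\vCenter Server'
                '\\VMware Identity Services\\lstool\\scripts\\ls_update_certs.py"'),
}


def pem_to_der(pem):
    """Strip the PEM armour and whitespace and return the DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der):
    """SHA-1 thumbprint in the colon-separated upper-case form openssl prints."""
    return ":".join("%02X" % b for b in hashlib.sha1(der).digest())


def ssl_trust_to_pem(value):
    """Wrap a single-line SSL Trust value into the PEM file the post builds by hand."""
    lines = textwrap.wrap(value, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def ssl_trust_values(lstool_output):
    """Collect every 'SSL trust: <base64>' value from lstool.py list output.

    Assumption: each endpoint prints its trust anchor on one line starting
    with 'SSL trust:' (the string the post greps for).
    """
    values = []
    for line in lstool_output.splitlines():
        line = line.strip()
        if line.startswith("SSL trust:"):
            values.append(line.split(":", 1)[1].strip())
    return values


def stale_thumbprints(machine_pem, lstool_output):
    """Return (machine_thumbprint, sorted SSL Trust thumbprints that differ from it)."""
    machine_fp = fingerprint(pem_to_der(machine_pem))
    seen = {fingerprint(base64.b64decode(v)) for v in ssl_trust_values(lstool_output)}
    return machine_fp, sorted(fp for fp in seen if fp != machine_fp)


def update_command(stale_fp, certfile, platform="appliance"):
    """Build the ls_update_certs.py command for one stale thumbprint.

    The password stays a single-quoted placeholder: on the appliance an
    unquoted value containing '$' would be expanded by the shell.
    """
    return (UPDATE_CMD[platform]
            + " --url http://localhost:7080/lookupservice/sdk"
            + " --fingerprint " + stale_fp
            + " --certfile " + certfile
            + " --user administrator@vsphere.local --password '<password>'")


# --- constructed sample input: NOT real certificates, just DER-shaped bytes ---
CURRENT_DER = b"\x30\x82\x00\x10constructed-current-machine-ssl"
OLD_DER = b"\x30\x82\x00\x10constructed-old-machine-ssl"
CURRENT_B64 = base64.b64encode(CURRENT_DER).decode()
OLD_B64 = base64.b64encode(OLD_DER).decode()
MACHINE_PEM = ssl_trust_to_pem(CURRENT_B64)
# Constructed approximation of lstool.py list output: one endpoint still
# carries the old trust anchor, one already carries the current one.
LSTOOL_OUTPUT = "\n".join([
    "Service Type: cs.componentmanager",
    "Endpoint URL: https://psc01.example.local/cm/sdk/",
    "SSL trust: " + OLD_B64,
    "Endpoint URL: https://psc01.example.local/cm/sdk/",
    "SSL trust: " + CURRENT_B64,
])

if __name__ == "__main__":
    machine_fp, stale = stale_thumbprints(MACHINE_PEM, LSTOOL_OUTPUT)
    print("Machine SSL thumbprint:", machine_fp)
    if not stale:
        print("All SSL Trust values match; nothing to do.")
    for fp in stale:
        print("Stale SSL Trust", fp, "-> run:")
        print("  " + update_command(fp, "/tmp/machineSSL.crt"))
```

On a real node, replace MACHINE_PEM with the contents of /tmp/machineSSL.crt (or C:\machineSSL.crt) and LSTOOL_OUTPUT with the captured lstool.py output; because the script only matches on the "SSL trust:" lines, the unfiltered output works as well as the grep'd one. The thumbprint it reports is byte-for-byte what openssl prints, so it can be pasted into --fingerprint unchanged.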
