How to fix vCenter UI Alarm: Certificate Status
If you are wondering why the alarm shown below appears on your vCenter UI even though Certificate Management in the vCenter UI lists no expired certificate, follow the steps below to investigate further:
1. SSH into your vCenter Appliance using root credentials.
2. Run either of the commands below to list all certificates in the VECS stores together with their expiration dates:
    vp="/usr/lib/vmware-vmafd/bin/vecs-cli"; sp="openssl x509 -noout"
    # Walk every VECS store except the CRL store
    for s in $($vp store list | grep -v CRLS); do
      echo "[ $s ]"
      # List the alias of every entry in the store, then fetch and decode each certificate
      $vp entry list --store $s | awk '/^Alias :/{print $NF}' | while read ca; do
        printf "\t[ $ca ]\n"
        c=$($vp entry getcert --store $s --alias $ca)
        ct=$(echo "$c" | $sp -text)
        fp=$(echo "$c" | $sp -fingerprint)
        # Pull issuer, subject, validity dates and the main X509v3 extensions out of the text dump
        echo "$ct" | awk -v fp="$fp" '
          /Before/   {gsub(/^[ \t]+/,"",$0); split($0,b,":")}
          /After/    {gsub(/^[ \t]+/,"",$0); split($0,af,":")}
          /Issuer:/  {gsub(/^[ \t]+/,"",$0); split($0,i,":")}
          /Subject:/ {gsub(/^[ \t]+/,"",$0); split($0,s,":")}
          # each extension header is followed by its value on the next line, hence getline
          /X509v3 Basic Constraints/        {gsub(/^[ \t]+/,"",$0); xc=$0;  getline; gsub(/^[ \t]+/,"",$0); xc1=$0}
          /X509v3 Key Usage/                {gsub(/^[ \t]+/,"",$0); xu=$0;  getline; gsub(/^[ \t]+/,"",$0); xu1=$0}
          /X509v3 Subject Key Identifier/   {gsub(/^[ \t]+/,"",$0); xki=$0; getline; gsub(/^[ \t]+/,"",$0); xki1=$0}
          /X509v3 Subject Alternative Name/ {gsub(/^[ \t]+/,"",$0); xan=$0; getline; gsub(/^[ \t]+/,"",$0); xan1=$0}
          END {
            gsub(/^[ \t]+/,"",i[2]); gsub(/^[ \t]+/," ",s[2]); gsub(/^[ \t]+/,"",b[2])
            if (b[1] != "") {   # only print entries that actually decoded as a certificate
              split(fp,a,"=")
              printf "\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\n\n",
                i[1]":",i[2], s[1]":",s[2], b[1]":",b[2]":"b[3]":"b[4], af[1]":",af[2]":"af[3]":"af[4],
                a[1]":",a[2], xki,xki1, xan,xan1, xu,xu1, xc,xc1
            }
          }' | sed 's/ :/:/;s/critical/ /'
      done
    done
OR
    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
      echo "[*] Store :" $store
      /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"
    done
3. In the output below, the highlighted old and expired CSR entry named __MACHINE_CSR in the MACHINE_SSL_CERT store is the cause of the alarm.
4. Now delete the expired entry with the command below:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR
5. Re-run the command from Step 2 to check that the expired entry has been deleted:
    for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do
      echo "[*] Store :" $store
      /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After"
    done
6. In the final step, reset the alarm to green.
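Added example, not part of the original post: a small sh function that reads the Alias / Not After lines printed by the grep command in Steps 2 and 5 and flags every entry that is already expired or will expire before a cut-off date, so a stale entry like the CSR above stands out without reading each date by eye. Dates are compared as YYYYMMDD strings, so it does not depend on GNU date; the sample input and alias names are constructed.

```shell
#!/bin/sh
# check_vecs_expiry <today YYYYMMDD> <warn_until YYYYMMDD>
# Reads the "Alias :" / "Not After :" lines on stdin and prints
# "EXPIRED <alias> <yyyymmdd>" or "EXPIRING <alias> <yyyymmdd>" per entry.
check_vecs_expiry() {
  awk -v today="$1" -v warn_until="$2" '
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (k = 1; k <= n; k++) mon[m[k]] = k
    }
    /^Alias/ { alias = $NF; next }           # remember which entry the next date belongs to
    /Not After/ {
      sub(/.*Not After *: */, "")            # leaves: Mon DD HH:MM:SS YYYY GMT
      ymd = sprintf("%04d%02d%02d", $4, mon[$1], $2)
      if (ymd < today)           status = "EXPIRED"
      else if (ymd < warn_until) status = "EXPIRING"
      else                       next        # still valid beyond the warning window
      print status, alias, ymd
    }'
}

# Constructed sample of the grep output. vecs-cli separates "Alias :" from the
# name with a tab; spaces are used here and $NF handles either. The
# __MACHINE_CSR entry stands in for the stale CSR this post removes.
SAMPLE='Alias :    __MACHINE_CERT
            Not After : Mar 14 10:22:31 2031 GMT
Alias :    __MACHINE_CSR
            Not After : Jan  9 08:15:02 2021 GMT
Alias :    expiring-example
            Not After : Jun 20 00:00:00 2024 GMT'

# Reference date 2024-06-01; warn about anything expiring before 2024-07-01
printf '%s\n' "$SAMPLE" | check_vecs_expiry 20240601 20240701
```

On the appliance, replace the sample with the real pipeline from Step 2 (`... | grep -ie "Alias" -ie "Not After" | check_vecs_expiry $(date +%Y%m%d) <cut-off>`).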