How to fix vCenter UI Alarm: Certificate Status

-

If you are also wondering, why does the below alarm appear on your vCenter UI? You also have no expired certificate in vCenter UI Certificate Management.


Find the below steps to investigate further:

1.    SSH into you vCenter Appliance using root credentials

Run any of the below commands to find out all the certificates and their expiration dates:


vp="/usr/lib/vmware-vmafd/bin/vecs-cli";sp="openssl x509 -noout";for s in $($vp store list | grep -Ev "* CRLS");do echo "[ $s ]";$vp entry list --store $s | awk '/^Alias :/{alias=$(NF);printf "%s\n",alias;}' | while read ca;do print f "\t[ $ca ]\n";c=$($vp entry getcert --store $s --alias $ca);ct=$(echo "$c" | $sp -text);fp=$(echo "$c" | $sp -fingerprint);ec ho "$ct"|awk -v fp="$fp" '/Before/{gsub(/^[ \t]+/,"",$0); split($0,b,":");}/After/{gsub(/^[ \t]+/,"",$0); split($0,af,":");}/Is suer:/{gsub(/^[ \t]+/,"",$0); split($0,i,":");}/Subject:/{gsub(/^[ \t]+/,"",$0); split($0,s,":");}/X.B.nts/{if($0!=""){gsub(/ ^[ \t]+/,"",$0);xc=$0;getline;gsub(/^[ 1.    \t]+/,"",$0);xc1=$0;}}/X.K.ge/{if($0!=""){gsub(/^[ \t]+/,"",$0);xu=$0;getline;gsub(/^[ \t]+/,"",$0);xu1=$0;}}/X.Sub.er:/{if($0!=""){gsub(/^[ \t]+/,"",$0);xki=$0;getline;gsub(/^[ \t]+/,"",$0);xki1=$0;}}/X.Sub.e r/{if($0!=""){gsub(/^[ \t]+/,"",$0);xan=$0;getline;gsub(/^[ \t]+/,"",$0);xan1=$0;}}END{gsub(/^[ \t]+/,"",i[2]);gsub(/^[ \t]+/," ",s[2]);gsub(/^[ \t]+/,"",b[2]);if(b[1]!=""){ split(fp,a,"=");printf"\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%- 50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\t\t%-50s%s\n\n\n",i[1]":",i[2],s[1]":",s[2],b[1]":",b[2]":"b[3]":"b[4],af[1]":", af[2]":"af[3]":"af[4],a[1]":",a[2],xki,xki1,xan,xan1,xu,xu1,xc,xc1}}'| sed 's/ :/:/;s/critical/ /';done;done;

OR

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/v mware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;

3. Below you can see this highlighted old and expired CSR named MACHINE_CSR in the MACHINE_SSL_CERT store is the cause of the alarm


4. Now, Delete the expired entity using the below command

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CSR

5. Re-run the command from Step 2, to check if the expired certificate is deleted

for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;


6. In the final step, reset the alarm to green.



Comments

Post a Comment

Popular posts from this blog

All shared datastores failed on the host

-
  Sometimes post creating a new cluster or after re-configuring the existing cluster you might get an error on ESXi “All shared datastores failed on the host”  this can happen to you very often if you are running on HPE StoreVirtual VSA. Please follow the below steps to fix this error: 1.     At the very onset, Reconfigure the HA for the cluster. Disable and re-enable HA on Cluster Level or Right Click Host and select Reconfigure for vSphere HA. 2.     If the error still persists, then follow the next steps. 3.     Make sure you migrate all the VMs manually on the other host if the DRS is disabled on the cluster. 4.     If you have any VM running on ESXi local Datastore like HPE StoreVirtual Appliance (VSA) or Backup Proxy VM, ensure to gracefully shut them down. (For How to shutdown HPE VSA gracefully follow this KB ) 5.     Now, put the host in Maintenance Mode. 6.     Right Click Host and Remove from Inventory 7.     After the host is removed, Right Click on the cluster and click A
Read more

How to Downgrade a VIB/Driver in ESXi 7

-
Image
  There are two methods to downgrade a VIB or a device driver in ESXi Host. 1.     Uninstall the current or upgraded driver > reboot the host > Install the downgrade driver OR 2.     You may also install the downgrade driver directly using esxcli software vib install command. This will remove the upgraded driver itself. Let's see how to perform downgrades of vib using both methods. You may decide which one you would like to choose. You may also install drivers using Baselines in Lifecycle Manager, which will be covered in later posts. Method 1 : Uninstall the current or upgraded driver > reboot the host > Install the downgrade driver Put the ESXi host in Maintenance Mode. SSH the ESXi host Run this command to uninstall the driver: " esxcli software vib remove -n <vib_name> " Reboot the host Run this command to install the driver: " esxcli software vib install -d /vmfs/volume/datastore/vib.zip "   Reboot the host Run this command to
Read more

Error: "Datastore "XXX" conflicts with an existing datastore"

-
Image
  PROBLEM Recently I tried to upgrade one of my ESXi hosts from version 6.7 to 7.0 using VMware Lifecycle Manager. The upgrade gets stuck at 47%. However, when I take the remote console using iLO, I see the ESXi is already upgraded. The LCM Events and logs show that vCenter is not able to connect to the host.  I tried to connect the Host manually and got the below error: Datastore "XXX" conflicts with an existing datastore in the datacenter that has the same URL "UUID", but it is backed by different physical storage. RESOLUTION 1.     Check if the all the vmhba are visible: Run this command to see all vmhba - esxcfg-scsidevs -a or esxcli storage core adapter list 2.     Check if the vmhba drivers are compatible. In my case smartpqi driver had to be upgraded to latest version. (Microchip-smartpqi_70.4054.2.118-1OEM.700.1.0.15843807_17871815) 3.     Check if the datastore is accessible and visble from ESXi UI or ESXCLI. 4.     Remove the host from
Read more