Fixsts.sh Script Download


Maricel Fergason

Aug 4, 2024, 7:07:43 PM
to tumerwiva
For steps on regenerating and replacing the STS certificate in VMware vCenter Server 6.5.x and 6.7.x installed on Windows using a PowerShell script, see "Signing certificate is not valid" error in vCenter Server 6.5.x and 6.7.x on Windows.

For more information on STS certificates, see Security Token Service (STS).


Currently there is no alert on vCenter for this certificate; also, prior to 6.7u3g it was a certificate that customers had no way to replace in case of expiration (GSS involvement was required to execute internal procedures/scripts), and its expiration silently generates a production-down scenario.


However, if this was done reactively, then it is likely that you will need to replace more certificates in your vCenter Server, especially if you were using VMCA certs (which could have the same expiration date as the STS certificate if they were never replaced).


Please, use this information to proactively check for the STS certificate, as well as replacing without having to get into a production down scenario. You can share this with customers, partners, or whoever you feel might be benefited from this information!


Or, put another way, why are VMW customers still subjected to the same sort of headaches that have existed since we all had to run vCenter on Windows? Woe betide you if you let certificates expire back then.


The Checksts.py does not work on vcsa/psc 6.0 u3 appliance. The python script utilizes GetAffinitizedDC(domain_name, force_refresh) of vmafd.client. On vcsa 6.0 u3, vmafd.client does not have a method called GetAffinitizedDC.


In my case, it was root lacking permission to access a fuse-based mount, or the mounted fs being set to noexec. It really does boil down to whoever the script is run under lacking the necessary permissions to access or run the script.


In the past year I have experienced two incidents in which important applications were no longer available. In both cases the cause turned out to be an expired internal certificate. Although these incidents can be solved using KB articles, the lesson is to check these critical components at least once a year. With the start of a new year, this is a good time to pay attention to this topic. First vRealize Operations Manager (vROPS).


Another product that comes with internal certificates is vCenter Server. After expiration of the STS certificate, you cannot login to vCenter Server anymore. In some cases (see KB below for more details), the STS certificate has a lifetime of only 2 years!


VMware KB Checking Expiration of STS Certificate on vCenter Server (79248) is there to help you to identify the expiration date. Attached to the KB, you will find a Python script named checksts.py. Follow the instructions and run the script. In my case (recent vCSA 7.x), no actions are needed.


The second line of the output (starting with /dev/sda3) shows the status of the root partition. If the value under Use% reaches 100%, you are in trouble. Also notice that the root partition is only 11 GB.

The second step is to determine the root cause of the full partition. A good strategy is to look for large consumers. The next command searches for files larger than 100 MB, only on the root partition:


In part 1 and part 2 of this series about the vCSA, we have covered topics like: the shells, filesystem, services, health, logging, database and some extra tools. Recently I realised there are a few more topics worth mentioning.


In pre-6.0 releases of the vCSA, there was a vCenter Server Appliance Management Interface, better known as the VAMI. This management interface is written in HTML5 and is now called the Appliance Management User Interface (Appliance MUI).


The vCenter Server Appliance is the new vCenter Server. In the old days, we had a brand new Windows Server on which the vCenter Server was installed. The necessary database server was quite often an external MS SQL database and sometimes an internal database. In those days, tweaking the Windows Server and the installed components was more or less a common practice, due to the familiarity with Windows.


For me it was already a common practice to disable IPv6 on ESXi hosts, but until recently I did not realize that vCenter Server can also benefit from it. For vCenter Server on Windows, you reconfigure the Windows network configuration. But how do you disable IPv6 on the vCSA?


The appliance shell can be used for updating the vCSA, using the software-packages command, and has some other use cases. From here you can enable the BASH shell as shown in Fig. 1 for the duration of your session with the following commands:


In general, during contact with a Customer Support team, whether a hardware vendor (servers, storage) or a software vendor, the likelihood that you will be asked to upload some log files for further investigation is significant.


Under certain conditions, a vCSA might contain core dump files. When requested to create a support bundle these core dump files will be added to the support bundle, together with the log files. The issue that may arise is that the location where the support bundle will be created (partition /storage/log) has a fixed size and possibly is too small.


This post is the third part in a series about Check_MK and vSphere. In the second part, I showed you the options for monitoring an ESXi host without using vCenter Server. In this post we will explore the options for monitoring a vCenter Server on Windows and also the vCenter Server Appliance (VCSA).


QUESTION: Given the above, would it be ok to implement the instructions of document -vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-CD4FA8E2-5BD1-4D1E-8647-945B1D8CA918.html?


Great news: I resolved it with ==> VMware provides a fixsts.sh script that can be used proactively (i.e., before STS certificate expires) OR reactively (i.e. after the certificate expires and the vCenter UI fails along with other components).


@Arnold: although I used VMware's fixsts.sh script, I first examined its contents and realized it does the same thing as the actions in your link. Hence, I have marked your link as the solution. Thanks again, sir.


So I am going to replace it. First of all, take an offline snapshot concurrently for all vCenter Servers and Platform Service Controllers in the SSO domain before running the script. Failing to do so may result in an unrecoverable error and will require redeploying your vCenter Servers.


When the vCenter certificate is expired, you will be blocked from logging in to vCenter. However, the Appliance Management will continue to work. Note that there are 2 categories of certificates.




In my situation, both of the certificate types were expired and I had to replace all of them. To replace the STS certificate, you could utilize a script provided by VMware (fixsts.sh) using the KB:


Bash (Bourne Again Shell) is a command-line program that accepts commands provided and executes them. It takes Linux commands directly typed into it interactively from a keyboard or from a shell script file.


Bash is used in Linux and Mac systems to run the system and it is the default shell in a majority of modern Linux distributions such as Ubuntu, Debian, Fedora, Rocky Linux, and AlmaLinux to mention a few.


If you insist on having a file name with parentheses, the solution is to prefix each of the parentheses with a backslash. This is popularly known as escaping the parentheses and takes the following format: \( and \). The backslash character comes right before each parenthesis.


You could, in this way, even address a filename (or, for that matter, any arbitrary string) that has both single and double quotes in it; just enclose the single quotes in double quotes and vice versa, and you will be fine.




Hi everyone! Today I bring you a new post on how to resolve a problem with the Machine SSL Certificate. This certificate can give you a lot of headaches, such as the vCenter service not working, or the browser giving you certificate errors. If you have any problem with this certificate or the symptoms we have mentioned, perhaps this post can help you.


In this case, I did not realize that my certificate had expired, since all the vCenter deployments I have done had long-lived certificates. So I was quite surprised when I ran into certificate errors in the browser itself, when I had already added the vCenter CA to the trusted root authorities of my machine.


If we go and check the vCenter services, we can see, among others, that the main vCenter service, vmware-vpxd, has not started, so we can confirm that we were in real trouble.


If we run the command syntax shown below, it will return the expiration of all the certificates. In my case, luckily, I only have one expired certificate, which simplifies things quite a bit; we will address later why it simplifies things.


The first thing we have to do is download the fixsts.sh script, which you can download from here. Once we have downloaded it, we will have to upload it to our vCenter and give it execute permissions with the chmod command.


Finally, I would like to mention that if you have problems with the rest of the certificates, I recommend you take a look at the following VMware KB. The process is also quite simple and intuitive.


I hope you liked it and that it helps you solve your problems. Whenever the topic of certificates comes up I think we all throw our hands up in despair, but in this case the solution was simple. Regards and until next time.
