[VMC on AWS] vCenter Cloud Gateway Appliance - Manually reset the MACHINE_SSL certificate
search cancel

[VMC on AWS] vCenter Cloud Gateway Appliance - Manually reset the MACHINE_SSL certificate

book

Article ID: 314155

calendar_today

Updated On:

Products

VMware Cloud on AWS VMware Cloud on Dell EMC

Issue/Introduction

This is a manual procedure to update the RHTTPPROXY certificate on the vCenter Cloud Gateway for Hybrid Linked Mode (HLM).

Symptoms:
The vCenter Cloud Gateway Appliance (VCGA) certificate has expired. Updating the certificate through the VCGA UI is not possible or is not preferred.

Cause

The VCGA certificate has expired.

Resolution

This is the manual process to reset the MACHINE_SSL certificate for the vCenter Cloud Gateway Appliance: 

Note: Ensure to take a powered off snapshot of the appliance before attempting below steps.
  1.  Extract the existing expired machine ssl certificate from the VECS store and save the copy to a file with name "old_cert.crt". 
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/old_cert.crt 
  2. Obtain the SHA1 fingerprint of the old cert, this is used later in Step 8.
    • openssl x509 -in /tmp/old_cert.crt -fingerprint -noout
  3. Generate a public and private key pair for the new certificate and save them into files bearing names "priv.key" and "pub.key" respectively.
    • /usr/lib/vmware-vmca/bin/certool --genkey --privkey=priv.key --pubkey=pub.key
  4. It is necessary to determine the on-prem vCenter that the vCenter Cloud Gateway Appliance was registered to during deployment. The output will be used for step 6 and the variable <FQDN of on-prem VC>. This can be accomplished using the following command: 
    • /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep \"DCName\" | awk '{print $4}'|tr -d '"'
  5. Modify the certool.cfg file to the requirements needed for the environment. Note: The Name and Hostname fields need to be the FQDN of the vCenter Cloud Gateway Appliance.
    • The certool.cfg file can be found here: /usr/lib/vmware-vmca/share/config/certool.cfg
  6. Generate the new certificate using the following command that will invoke certool. Pass the private key file path to the "--privkey" parameter and save the resulting certificate generated to a file with name "new_cert.crt".
    • /usr/lib/vmware-vmca/bin/certool --gencert --privkey=priv.key --cert=new_cert.crt  --config=/usr/lib/vmware-vmca/share/config/certool.cfg --server=<FQDN of onprem VC>
  7. Delete the existing machine ssl certificate from the VECS store.
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT -y
  8. Import the new machine ssl certificate and the corresponding private key into the VECS store.
    • /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new_cert.crt --key priv.key
  9. Invoke lookupservice to update ssltrust of the service registration endpoints with the newly generated certificate. This step is documented in detail here, https://kb.vmware.com/s/article/2121701. This is executed from the VCGA and the customer will supply the credentials.
    • python /usr/lib/vmware-lookupsvc/tools/ls_update_certs.py --url https://<FQDN of onprem VC>/lookupservice/sdk --certfile new_cert.crt --user '<[email protected]>' --password '<password>' --fingerprint <sha1 hash of the old certificate to replace>


Workaround:
If the VCGA UI is available, the certificate can be updated following this process: Replace the Certificate for the Cloud Gateway Appliance with Hybrid Linked Mode enabled