This is the manual process to reset the MACHINE_SSL certificate for the vCenter Cloud Gateway Appliance:
Note: Take a powered-off snapshot of the appliance before attempting the steps below.
- Extract the existing (expired) Machine SSL certificate from the VECS store and save it to a file named "old_cert.crt".
- /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/old_cert.crt
- Obtain the SHA1 fingerprint of the old certificate; it is needed later in Step 8.
- openssl x509 -in /tmp/old_cert.crt -fingerprint -noout
- Generate a private/public key pair for the new certificate and save them to files named "priv.key" and "pub.key" respectively.
- /usr/lib/vmware-vmca/bin/certool --genkey --privkey=priv.key --pubkey=pub.key
- Determine the on-prem vCenter Server that the vCenter Cloud Gateway Appliance was registered to during deployment; its FQDN is used in step 6 as the value of <FQDN of on-prem VC>. It can be read from the vmafd registry settings with the following command:
- /opt/likewise/bin/lwregshell list_values '[HKEY_THIS_MACHINE\Services\vmafd\Parameters]' | grep \"DCName\" | awk '{print $4}'|tr -d '"'
- Edit the certool.cfg file to match the requirements of the environment. Note: The Name and Hostname fields must be set to the FQDN of the vCenter Cloud Gateway Appliance.
- The certool.cfg file can be found here: /usr/lib/vmware-vmca/share/config/certool.cfg
- Generate the new certificate with certool, passing the private key file path to the "--privkey" parameter and saving the resulting certificate to a file named "new_cert.crt".
- /usr/lib/vmware-vmca/bin/certool --gencert --privkey=priv.key --cert=new_cert.crt --config=/usr/lib/vmware-vmca/share/config/certool.cfg --server=<FQDN of onprem VC>
- Delete the existing Machine SSL certificate from the VECS store.
- /usr/lib/vmware-vmafd/bin/vecs-cli entry delete --store MACHINE_SSL_CERT --alias __MACHINE_CERT -y
- Import the new Machine SSL certificate and its private key into the VECS store.
- /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store MACHINE_SSL_CERT --alias __MACHINE_CERT --cert new_cert.crt --key priv.key
- Run the Lookup Service update script to replace the sslTrust value of the service registration endpoints with the newly generated certificate. This step is documented in detail at https://kb.vmware.com/s/article/2121701. It is executed from the VCGA, and the customer supplies the credentials.
- python /usr/lib/vmware-lookupsvc/tools/ls_update_certs.py --url https://<FQDN of onprem VC>/lookupservice/sdk --certfile new_cert.crt --user '<[email protected]>' --password '<password>' --fingerprint <sha1 hash of the old certificate to replace>
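Before the delete/import steps above, a pre-flight check catches the two mistakes that most often leave the appliance with a broken Machine SSL certificate: a private key that does not belong to the certificate, and a certificate whose CN/SAN does not name the appliance FQDN. The following is an added example, not VMware's tooling; it assumes the new_cert.crt and priv.key files from the certool step, the appliance FQDN that was placed in certool.cfg, and the same openssl binary used in the fingerprint step.

```shell
#!/bin/sh
# Pre-flight checks for a freshly generated Machine SSL certificate before it
# is imported into VECS (added example, not part of the VMware procedure).
# Inputs: the certificate and private key from the certool step and the
# appliance FQDN that was entered as Name/Hostname in certool.cfg.

# Return 0 only if the certificate's public key was derived from the private key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 only if the certificate is valid for the FQDN under the usual
# hostname-matching rules (SAN entries first, CN only as a fallback).
cert_names_fqdn() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q "does match"
}

# Return 0 only if the certificate has not already expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# SHA1 fingerprint in the colon-separated form that the openssl fingerprint
# step above prints, e.g. for the --fingerprint argument of ls_update_certs.py.
sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

# check_new_cert CERT KEY FQDN: run all checks, explain the first failure on stderr.
check_new_cert() {
    cert=$1; key=$2; fqdn=$3
    key_matches_cert "$cert" "$key" \
        || { echo "FAIL: $key does not match the public key in $cert" >&2; return 1; }
    cert_names_fqdn "$cert" "$fqdn" \
        || { echo "FAIL: $cert is not valid for hostname $fqdn" >&2; return 1; }
    cert_not_expired "$cert" \
        || { echo "FAIL: $cert is already expired" >&2; return 1; }
    echo "OK: $cert matches $key, is valid for $fqdn, SHA1 $(sha1_fingerprint "$cert")"
}

# Usage on the appliance (assumed file names from the steps above):
#   check_new_cert new_cert.crt priv.key vcga.example.com
```

Run it against the old certificate and the new one: the old one should fail only the expiry check, and the fingerprint it prints for old_cert.crt is the value Step 8 needs.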
Workaround:
If the VCGA UI is available, the certificate can be updated following this process:
Replace the Certificate for the Cloud Gateway Appliance with Hybrid Linked Mode enabled