This article provides steps on regenerating and replacing an expired Security Token Service (STS) certificate in VCSA 6.5.x, 6.7.x, 7.0.x and vCenter Server 8.0.x using a shell script.
For steps on regenerating and replacing STS certificate in VMware vCenter Server 6.5.x and 6.7.x installed on Windows using a PowerShell script, see "Signing certificate is not valid" error in vCenter Server 6.5.x and 6.7.x on Windows.
For more information on STS certificates, see Security Token Service STS.
In an environment with a vCenter Server Appliance (VCSA) 6.5.x or 6.7.x, or vCenter Server 7.0.x or 8.0.x, these symptoms may appear:
HTTP Status 400 – Bad Request Message BadRequest, Signing certificate is not valid
ERROR com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor opId=] Server rejected the provided time range. Cause:ns0:InvalidTimeRange: The token authority rejected an issue request for TimePeriod [startTime=Date MM DD:TT:SS EST YYYY, endTime=Date MM DD:TT:SS EST YYYY] :: Signing certificate is not valid at Date MM DD:TT:SS EST YYYY, cert validity: TimePeriod [startTime=Date MM DD:TT:SS EST YYYY, endTime=Date MM DD:TT:SS EST YYYY]
Cannot connect to vCenter Single Sign-On server https://VC_FQDN/sts/STSService/vsphere.local
Cannot connect to vCenter Single Sign-On server https://VC_FQDN:7444/sts/STSService/vsphere.local
[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server
[YYYY-MM-DDTHH:MM:SS] info vpxd[12853] [Originator@6876 sub=vpxCryptopID=SWI-7203af8f] Failed to read X509 cert; err: 151441516
[YYYY-MM-DDTHH:MM:SS] [INFO ] http-nio-5090-exec-1022 70179544 103561 ###### com.vmware.vise.security.spring.DefaultAuthenticationProvider Session initialization complete for sessionId 103561, clientId 200264
[YYYY-MM-DDTHH:MM:SS] [INFO ] http-nio-5090-exec-1022 com.vmware.vapi.security.AuthenticationFilter Authentication failed com.vmware.vapi.std.errors.Unauthenticated: Unauthenticated (com.vmware.vapi.std.errors.unauthenticated) => {
at com.vmware.cis.data.service.session.SessionAuthenticationHandler.authenticate(SessionAuthenticationHandler.java:36)
at com.vmware.vapi.security.AuthenticationFilter.invoke(AuthenticationFilter.java:233)
These issues occur when the Security Token Service (STS) certificate has expired. Internal services and solution users can then no longer acquire valid tokens, so they fail to function as expected.
Note: When the STS certificate expires, it does so without warning. On some systems, this expiry may occur as soon as two years from the initial deployment.
The following scenarios can cause the STS signing certificate to expire at 2 years:
To resolve the Signing certificate is not valid error:
# chsh -s /bin/bash root
# cd /tmp
# chmod +x fixsts.sh
# ./fixsts.sh
# service-control --stop --all && service-control --start --all
Notes:
for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
If the Machine SSL or VMCA Root certificates have been replaced, 2nd-party solutions such as NSX, SRM, and vSphere Replication will need to be re-registered.
The script will ask for the SSO administrator password and then proceed to regenerate and replace the STS certificate.
For example:
NOTE: This works on external and embedded PSCs
This script will do the following
1: Regenerate STS certificate
What is needed?
1: Offline snapshots of VCs/PSCs
2: SSO Admin Password
IMPORTANT: This script should only be run on a single PSC per SSO domain
==================================
Resetting STS certificate for <vc_fqdn> started on [YYYY-MM-DDTHH:MM:SS]
Detected DN: cn= <vc_fqdn>,ou=Domain Controllers,dc=vsphere,dc=local
Detected PNID: <vc_fqdn>
Detected PSC: <vc_fqdn>
Detected SSO domain name: vsphere.local
Detected Machine ID: <machineID>
Detected IP Address: <vc IP Address>
Domain CN: dc=vsphere,dc=local
==================================
==================================
Detected Root's certificate expiration date: 2030 May 16
Detected today's date: YYYY MMM DD
==================================
Exporting and generating STS certificate
Status : Success
Using config file : /tmp/vmware-fixsts/certool.cfg
Status : Success
Enter password for administrator@vsphere.local:
Amount of tenant credentials: 1
Exporting tenant and trustedcertchain 1 to /tmp/vmware-fixsts
Deleting tenant and trustedcertchain 1
Applying newly generated STS certificate to SSO domain
adding new entry "cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"
adding new entry "cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"
Replacement finished - Please restart services on all vCenters and PSCs in your SSO domain
==================================
IMPORTANT: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure
==================================
==================================
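The vecs-cli loop in the notes above lists the expiry date of every certificate held in VECS; the STS signing certificate itself lives in the SSO directory as the TenantCredential entry that fixsts.sh replaces, so the loop is how you spot the other certificates (Machine SSL, solution users, trusted roots) whose replacement would trigger the re-registration note. The following is an added example and is not part of this KB article or of fixsts.sh: it takes the text that loop prints, parses the "Alias" and "Not After" lines, and reports every entry that is already expired relative to a date you pass in. The embedded sample output is constructed for the example; its store names, aliases and dates are assumptions, not values from a real appliance.

```shell
#!/bin/bash
# Added example, not part of the KB article or of fixsts.sh.
# Parses "Alias" / "Not After" lines as produced by the vecs-cli loop in the
# article and reports every certificate that has already expired.

# Constructed sample of what the loop prints; store names, aliases and dates
# are assumptions for this example, not values from a real appliance.
SAMPLE_VECS_OUTPUT='STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Jan 20 10:00:00 2031 GMT
STORE TRUSTED_ROOTS
Alias : 3b2f1c0a9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a
            Not After : May 16 12:00:00 2030 GMT
STORE STS_INTERNAL_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Apr  3 08:15:00 2022 GMT
STORE vpxd
Alias : vpxd
            Not After : Sep 30 23:59:59 2021 GMT'

# expired_entries TODAY
#   TODAY is a date as YYYYMMDD. Reads loop output on stdin and prints
#   "STORE/ALIAS expired YYYYMMDD" for each certificate whose Not After
#   date is earlier than TODAY. Lines it cannot parse are ignored.
expired_entries() {
    awk -v today="$1" '
        BEGIN {
            split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
            for (i = 1; i <= 12; i++) mon[names[i]] = sprintf("%02d", i)
        }
        /^STORE /          { store = $2; next }
        /^[ \t]*Alias/     { sub(/^[ \t]*Alias[ \t]*:[ \t]*/, ""); alias = $0; next }
        /^[ \t]*Not After/ {
            # openssl layout: Not After : Mon DD HH:MM:SS YYYY GMT
            if (!($4 in mon)) next
            ymd = $7 mon[$4] sprintf("%02d", $5 + 0)
            if (ymd + 0 < today + 0) printf "%s/%s expired %s\n", store, alias, ymd
        }'
}

# count_expired TODAY: same input, prints only the number of expired entries.
count_expired() {
    expired_entries "$1" | awk 'END { print NR }'
}

# On an appliance, feed the real loop from the article into the check using
# today's date; here the loop only runs when vecs-cli is actually present.
if [ -x /usr/lib/vmware-vmafd/bin/vecs-cli ]; then
    for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do
        echo "STORE $i"
        /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store "$i" --text | egrep "Alias|Not After"
    done | expired_entries "$(date +%Y%m%d)"
fi
```

Run it on the appliance after the script and the service restart as a quick confirmation that nothing else in VECS is past its date; against the constructed sample with today set to 20240101 it reports the STS_INTERNAL_SSL_CERT and vpxd entries and nothing else.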
Note: If you receive the following error when trying to run the script:
bash: ./fixsts.sh: /bin/bash^M: bad interpreter: No such file or directory
This error is caused by DOS carriage returns added to the script when it was copied from a Windows-based text editor. To resolve this problem, run this command and then rerun the script:
# sed -i -e 's/\r$//' fixsts.sh
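The kernel reads the interpreter path from the first line of the script, so a trailing carriage return makes it look for "/bin/bash^M", which does not exist. The following added example (not part of this KB article) is a small pre-flight check for an uploaded script that reports that condition, and the other common reason "./fixsts.sh" refuses to start (a missing execute bit), before you run it; with a second argument of 1 it applies the same sed fix as above in place. The function and file names are assumptions for this example.

```shell
#!/bin/bash
# Added example, not part of the KB article. Checks an uploaded script before
# it is executed: DOS line endings on the shebang line cause the
# "/bin/bash^M: bad interpreter" error from the article, and a missing execute
# bit is the other usual reason "./fixsts.sh" refuses to run.

# preflight_script FILE [FIX]
#   Prints one line per problem and returns 1 if FILE is not ready to run.
#   With FIX=1, carriage returns are stripped in place (the article's sed
#   command) instead of being reported.
preflight_script() {
    file="$1"
    fix="${2:-0}"
    rc=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"
        return 1
    fi
    # A trailing CR on line 1 becomes part of the interpreter path the kernel looks up
    if head -n 1 "$file" | grep -q "$(printf '\r')"; then
        if [ "$fix" = "1" ]; then
            sed -i -e 's/\r$//' "$file"
            echo "fixed: stripped carriage returns from $file"
        else
            echo "crlf: $file has DOS line endings; run: sed -i -e 's/\\r\$//' $file"
            rc=1
        fi
    fi
    if [ ! -x "$file" ]; then
        echo "noexec: $file is not executable; run: chmod +x $file"
        rc=1
    fi
    return "$rc"
}

# Stand-alone use on the appliance: ./preflight.sh /tmp/fixsts.sh [1]
if [ "$#" -gt 0 ]; then
    preflight_script "$1" "${2:-0}"
fi
```

Only the first line is inspected for the carriage return because that is the line the bad-interpreter error comes from; the sed fix still strips the character from every line, as the article's command does.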
Notes: