Replace vSphere with Tanzu Supervisor Certificates
Article ID: 322994
Updated On:
Products
Issue/Introduction
vSphere with Tanzu supervisor certificates or spherelet certificates have expired or are about to expire.
You can use the following command while connected via SSH into either of the Supervisor Control Plane VMs.
# find / -type f \( -name "*.cert" -o -name "*.crt" \) -print 2>/dev/null | egrep -iv 'ca.crt$|ca-bundle.crt$|kubelet\/pods|var\/lib\/containerd|run\/containerd|backup' | xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'
SSH into Supervisor Control Plane VM Instructions: Troubleshooting vSphere with Tanzu (TKGS) Supervisor Control Plane VM's (90194)
Environment
Resolution
Install the wcp_cert_manager tool to vCenter
- Move the attached file titled wcp_cert_manager.zip to the vCenter Server (under /root/ ) where vSphere with Tanzu is deployed. (Use WinSCP from Windows OS's if required):
$ scp ./wcp_cert_manager.zip [email protected]:/root
Example Output:
The authenticity of host '192.168.111.135 (192.168.111.135)' can't be established.
ECDSA key fingerprint is SHA256:RkfHc8xvRJ8ihqMD1CTQeMXEPrYJ6yaNEOhwKpCbt3w.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.111.135' (ECDSA) to the list of known hosts.
VMware vCenter Server 7.0.#.#####
Type: vCenter Server with an embedded Platform Services Controller
Password:
wcp_cert_manager.zip 100% 8473KB 8.3MB/s 00:00
- Make sure you are under /root and unzip the file:
# pwd
/root
# unzip wcp_cert_manager.zip
Archive: wcp_cert_manager.zip
inflating: certmgr
# ls -l
total 30956
-rwxr-xr-x 1 root root 23019418 MM DD HH:MM certmgr
-rw-r--r-- 1 root root 8675846 MM DD HH:MM wcp_cert_manager.zip
Using the wcp_cert_manager tool
- From /root run './certmgr certificates rotate command' to rotate all supervisor control plane certificates and spherelet certificates. Below is an example of a successful cert rotation.
# ./certmgr certificates rotate
+------------------+------------------------------------------------------------------------------------------------------+-------+
| CONTROL PLANE IP | RESULT | ERROR |
+------------------+------------------------------------------------------------------------------------------------------+-------+
| 192.168.111.202 | +---------------------------------------------------------------------------------+----------------+ | |
| | | TASKS | OVERALL STATUS | | |
| | +---------------------------------------------------------------------------------+----------------+ | |
| | | +--------------------------------+------------------------------------+-------+ | ok | | |
| | | | TASK | RESULT | ERROR | | | | |
| | | +--------------------------------+------------------------------------+-------+ | | | |
| | | | backup certificates | /root/backups-16739895901776834456 | | | | | |
| | | | rotate etcd server certificate | | | | | | |
| | | | rotate api server etcd client | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate etcd peer certificate | | | | | | |
| | | | rotate etcd health check | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate api server certificate | | | | | | |
| | | | rotate kubelet client api | | | | | | |
| | | | server certificate | | | | | | |
| | | | rotate front proxy certificate | | | | | | |
| | | | rotate controller-manager | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate scheduler certificate | | | | | | |
| | | | rotate scheduler extension | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate kubelet certificate | | | | | | |
| | | | restart ncp | NCP restart skipped: VDS setup | | | | | |
| | | | | detected. | | | | | |
| | | | rotate auth proxy certificate | | | | | | |
| | | | rotate management certificate | | | | | | |
| | | | rotate registry certificate | | | | | | |
| | | | rotate kubeadm admin | | | | | | |
| | | | certificate | | | | | | |
| | | | verify etcd health | | | | | | |
| | | +--------------------------------+------------------------------------+-------+ | | | |
| | | | | | |
| | +---------------------------------------------------------------------------------+----------------+ | |
| | | |
| 192.168.111.203 | +---------------------------------------------------------------------------------+----------------+ | |
| | | TASKS | OVERALL STATUS | | |
| | +---------------------------------------------------------------------------------+----------------+ | |
| | | +--------------------------------+------------------------------------+-------+ | ok | | |
| | | | TASK | RESULT | ERROR | | | | |
| | | +--------------------------------+------------------------------------+-------+ | | | |
| | | | backup certificates | /root/backups-16739895893751688144 | | | | | |
| | | | rotate etcd server certificate | | | | | | |
| | | | rotate api server etcd client | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate etcd peer certificate | | | | | | |
| | | | rotate etcd health check | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate api server certificate | | | | | | |
| | | | rotate kubelet client api | | | | | | |
| | | | server certificate | | | | | | |
| | | | rotate front proxy certificate | | | | | | |
| | | | rotate controller-manager | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate scheduler certificate | | | | | | |
| | | | rotate scheduler extension | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate kubelet certificate | | | | | | |
| | | | restart ncp | NCP restart skipped: VDS setup | | | | | |
| | | | | detected. | | | | | |
| | | | rotate auth proxy certificate | | | | | | |
| | | | rotate management certificate | | | | | | |
| | | | rotate registry certificate | | | | | | |
| | | | rotate kubeadm admin | | | | | | |
| | | | certificate | | | | | | |
| | | | verify etcd health | | | | | | |
| | | +--------------------------------+------------------------------------+-------+ | | | |
| | | | | | |
| | +---------------------------------------------------------------------------------+----------------+ | |
| | | |
| 192.168.111.201 | +--------------------------------------------------------------------------------+----------------+ | |
| | | TASKS | OVERALL STATUS | | |
| | +--------------------------------------------------------------------------------+----------------+ | |
| | | +--------------------------------+-----------------------------------+-------+ | ok | | |
| | | | TASK | RESULT | ERROR | | | | |
| | | +--------------------------------+-----------------------------------+-------+ | | | |
| | | | backup certificates | /root/backups-1673989589793637456 | | | | | |
| | | | rotate etcd server certificate | | | | | | |
| | | | rotate api server etcd client | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate etcd peer certificate | | | | | | |
| | | | rotate etcd health check | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate api server certificate | | | | | | |
| | | | rotate kubelet client api | | | | | | |
| | | | server certificate | | | | | | |
| | | | rotate front proxy certificate | | | | | | |
| | | | rotate controller-manager | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate scheduler certificate | | | | | | |
| | | | rotate scheduler extension | | | | | | |
| | | | certificate | | | | | | |
| | | | rotate kubelet certificate | | | | | | |
| | | | restart ncp | NCP restart skipped: NCP | | | | | |
| | | | | restart only occurs on the | | | | | |
| | | | | leader. | | | | | |
| | | | rotate auth proxy certificate | | | | | | |
| | | | rotate management certificate | | | | | | |
| | | | rotate registry certificate | | | | | | |
| | | | rotate kubeadm admin | | | | | | |
| | | | certificate | | | | | | |
| | | | verify etcd health | | | | | | |
| | | +--------------------------------+-----------------------------------+-------+ | | | |
| | | | | | |
| | +--------------------------------------------------------------------------------+----------------+ | |
| | | |
+------------------+------------------------------------------------------------------------------------------------------+-------+
+-----------------------------------------------------+----------------+
| TASKS | OVERALL STATUS |
+-----------------------------------------------------+----------------+
| +--------------------------------+--------+-------+ | |
| | TASK | RESULT | ERROR | | |
| +--------------------------------+--------+-------+ | |
| | rotate spherelet certificates | | | | |
| | on 192.168.111.56 (host-##) | | | | |
| | rotate spherelet certificates | | | | |
| | on 192.168.111.69 (host-##) | | | | |
| | rotate spherelet certificates | | | | |
| | on 192.168.111.93 (host-##) | | | | |
| +--------------------------------+--------+-------+ | |
| | |
+-----------------------------------------------------+----------------+
If you have multiple vSphere with Tanzu deployments on your vCenter, then you need to use the -c command to specify the cluster you want to replace certificates on.
In order to gather the cluster id you can run
./certmgr supervisors
ie
root@###### [ ~ ]# ./certmgr supervisors
YYYY/MM/DD HH:MM:DD Cluster: domain-c#:########-####-####-####-#############
IP: 192.168.111.200
Password: ***********************************
In the above example the cluster id would be "domain-c#:########-####-####-####-#############"
An example of running the tool on a specific cluster would be.
# ./certmgr certificates rotate -c domain-c#:########-####-####-####-#############
All logs for this tool are logged under /var/log/vmware/certmgr.log
Additional Information
- Main vSphere with Tanzu Cert Page: vSphere with Tanzu Certificate Guide
- In case the 'certmgr' tool returns no output or fails with below error, please make sure you are running the command from /root/ of the vCenter Server.
"Error running supervisor cert manager: error while running CPVM cmd: Error running cmd on (xx.xx.xx.xx): /tmp/certmgr certificates list --json, error: Process exited with status 127"
Attachments
Feedback
