[VMC on AWS] vCenter Cloud Gateway Appliance - script reset the MACHINE_SSL certificate


Article ID: 329529


Products

VMware Cloud on AWS

Issue/Introduction

This script is the automated version of the manual procedure described in: [VMC on AWS] vCenter Cloud Gateway Appliance - Manually reset the MACHINE_SSL certificate

 

The script will:

  • Replace the existing MACHINE_SSL certificate of the vCenter Cloud Gateway Appliance with a newly generated one.
  • Update the lookup service (service registration endpoint) of the on-premises vCenter with the new vCenter Cloud Gateway Appliance certificate.
  • Run a validation check confirming that the lookup service now carries the thumbprint of the newly generated certificate.



Symptoms:

The vCenter Cloud Gateway Appliance (VCGA) certificate has expired. 

 

Cause

The VCGA certificate has expired. 

Resolution

Perform the following steps on the vCenter Cloud Gateway Appliance to resolve this issue:

1) Download the attached script (cert.sh) and upload it to the affected vCenter Cloud Gateway Appliance, or create an empty file named cert.sh with vi and paste the script contents into it.

2) Run chmod +x cert.sh to make the script executable.

3) Have the administrator@your_domain password at hand.

4) Run the script (./cert.sh). The script prints the thumbprint and expiry date of the old certificate and of the new one; confirm that the new expiry date lies in the future and that the thumbprints listed for the lookup service match the new thumbprint.

Example: Successful output of the script:

Old machine_ssl thumbprint: 58:E3:20:70:FF:08:2B:D7:AD:35:9A:BE:D8:1C:78:09:3A:08:84:2E The expiry date is Aug 14 21:23:37 2023 GMT
Status : Success
Using config file : /storage/core/FQDN_cloudgateway-20230815095628/certool.cfg
Status : Success
New machine_ssl thumbprint: 50:C2:15:F5:4E:85:4E:8F:3A:79:76:D8:29:6A:70:D6:FB:88:A5:48  The expiry date is Aug 14 09:46:34 2025 GMT
Deleted entry with alias [__MACHINE_CERT] in store [MACHINE_SSL_CERT] successfully
 Entry with alias [__MACHINE_CERT] in store [MACHINE_SSL_CERT] was created successfully
Successfully restarted service rhttpproxy
Get site name
Lookup all services
[..]
Please note:For a successful replacement in the lookup service, the following thumbprints need to match .
FQDN_cloudgateway:443
Machine                          50:C2:15:F5:4E:85:4E:8F:3A:79:76:D8:29:6A:70:D6:FB:88:A5:48
Lotus                            50:C2:15:F5:4E:85:4E:8F:3A:79:76:D8:29:6A:70:D6:FB:88:A5:48
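As an added post-run check (example code written for this article, not the attached cert.sh and not VMware's own tooling), the following Python parses the output format shown above, confirms that the new thumbprint differs from the old one, that the "Machine" and "Lotus" lookup service entries carry the new thumbprint, and that the new expiry date is in the future. thumbprint_from_pem() additionally computes the SHA-1 thumbprint of a PEM-encoded certificate so it can be compared against those values; that the certificate you compare is in PEM form is an assumption, since the article does not state the format of the files in the script's output folder. The sample input is constructed from the output quoted above.

```python
"""Post-run check for the VCGA MACHINE_SSL reset script output.

Added example for this KB article; it is not the attached cert.sh.
"""
import base64
import hashlib
import re
from datetime import datetime, timezone

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}

# 20-byte SHA-1 thumbprint in colon-separated hex, as the script prints it.
THUMB = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){19})"
LINE_RE = re.compile(
    r"(Old|New) machine_ssl thumbprint:\s*" + THUMB +
    r"\s+The expiry date is ([A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) GMT")
LOOKUP_RE = re.compile(r"^\s*(Machine|Lotus)\s+" + THUMB + r"\s*$", re.MULTILINE)


def parse_openssl_date(text):
    """'Aug 14 09:46:34 2025' -> aware UTC datetime (openssl notAfter style)."""
    mon, day, hms, year = text.split()[:4]
    hour, minute, second = (int(x) for x in hms.split(":"))
    return datetime(int(year), MONTHS[mon], int(day), hour, minute, second,
                    tzinfo=timezone.utc)


def parse_script_output(text):
    """Extract old/new thumbprints, their expiry dates and the lookup entries."""
    result = {"lookup": {}}
    for which, thumb, expiry in LINE_RE.findall(text):
        result[which.lower()] = {"thumbprint": thumb.upper(),
                                 "expiry": parse_openssl_date(expiry)}
    for name, thumb in LOOKUP_RE.findall(text):
        result["lookup"][name] = thumb.upper()
    return result


def verify(parsed, now=None):
    """Return a list of problems; an empty list means the replacement looks good."""
    now = now or datetime.now(timezone.utc)
    problems = []
    old, new = parsed.get("old"), parsed.get("new")
    if not new:
        return ["no 'New machine_ssl thumbprint' line found"]
    if old and old["thumbprint"] == new["thumbprint"]:
        problems.append("new thumbprint equals old thumbprint; certificate was not replaced")
    if new["expiry"] <= now:
        problems.append("new certificate expiry %s is not in the future" % new["expiry"])
    for name in ("Machine", "Lotus"):
        seen = parsed["lookup"].get(name)
        if seen != new["thumbprint"]:
            problems.append("lookup service entry %s has %s, expected %s"
                            % (name, seen, new["thumbprint"]))
    return problems


def thumbprint_from_pem(pem_text):
    """SHA-1 thumbprint (colon-separated, upper case) of the first PEM block.

    Assumes a PEM certificate; use it to compare a certificate file against
    the thumbprints the script printed.
    """
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


# Constructed sample: the successful output quoted in the article, abridged.
SAMPLE_OUTPUT = """\
Old machine_ssl thumbprint: 58:E3:20:70:FF:08:2B:D7:AD:35:9A:BE:D8:1C:78:09:3A:08:84:2E The expiry date is Aug 14 21:23:37 2023 GMT
Status : Success
New machine_ssl thumbprint: 50:C2:15:F5:4E:85:4E:8F:3A:79:76:D8:29:6A:70:D6:FB:88:A5:48  The expiry date is Aug 14 09:46:34 2025 GMT
Successfully restarted service rhttpproxy
FQDN_cloudgateway:443
Machine                          50:C2:15:F5:4E:85:4E:8F:3A:79:76:D8:29:6A:70:D6:FB:88:A5:48
Lotus                            50:C2:15:F5:4E:85:4E:8F:3A:79:76:D8:29:6A:70:D6:FB:88:A5:48
"""

if __name__ == "__main__":
    import sys
    # Usage: ./cert.sh | tee run.log ; python3 check_vcga_cert.py run.log
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    issues = verify(parse_script_output(text))
    print("\n".join(issues) if issues else
          "OK: lookup service matches the new MACHINE_SSL certificate")
    sys.exit(1 if issues else 0)
```

Run the script with the output captured to a file (for example ./cert.sh | tee run.log) and pass that file to the checker; a non-zero exit means one of the conditions above failed and the lookup service should be inspected before trusting the replacement.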
 

Additional Information

  • The script depends on the appliance's system environment variables being set correctly. If they are not, the script will fail, and the cause must be investigated before the script is run again.
  • Each time the script is executed it creates a new folder under /var/core, named after the hostname and the time of the run (in the example output above the same folder appears under /storage/core). The folder contains the outputs of the script, including the old certificate and the new certificate.

 

Note: You may receive an error when you try to run the script:

bash: ./cert.sh: /bin/bash^M: bad interpreter: No such file or directory

This error means the script has Windows (CRLF) line endings, typically introduced when the contents were copied from a Windows-based text editor: the shell reads the interpreter line as /bin/bash followed by a carriage return. To resolve the problem, strip the carriage returns with the following command and rerun the script:

 

sed -i -e 's/\r$//' cert.sh


Impact/Risks:

The script replaces the machine SSL certificate of the vCenter Cloud Gateway Appliance and updates the service registration endpoint. Before executing the script, power off the appliances, take a snapshot of them, and power them back on so that they can be rolled back if the replacement fails.

Attachments