[VMC on AWS] vCenter Cloud Gateway Appliance - Manually reset the MACHINE_SSL certificate
Article ID: 314155
Updated On: 11-07-2023
Products
VMware Cloud on AWS, VMware Cloud on Dell EMC
Issue/Introduction
This is a manual procedure to update the RHTTPPROXY certificate on the vCenter Cloud Gateway for Hybrid Linked Mode (HLM).
Symptoms: The vCenter Cloud Gateway Appliance (VCGA) certificate has expired. Updating the certificate through the VCGA UI is not possible or is not preferred.
Cause
The VCGA certificate has expired.
Resolution
This is the manual process to reset the MACHINE_SSL certificate for the vCenter Cloud Gateway Appliance:
Note: Take a powered-off snapshot of the appliance before attempting the steps below.
1. Extract the existing, expired Machine SSL certificate from the VECS store and save a copy to a file named "old_cert.crt".
2. Determine the on-prem vCenter that the vCenter Cloud Gateway Appliance was registered to during deployment. The output is used in step 6 for the <FQDN of onprem VC> placeholder. This can be accomplished using the following command:
3. Edit the certool.cfg file to match the requirements of the environment. Note: The Name and Hostname fields must be the FQDN of the vCenter Cloud Gateway Appliance.
   The certool.cfg file is located at /usr/lib/vmware-vmca/share/config/certool.cfg
4. Generate the new certificate with the following certool command. Pass the private key file path to the "--privkey" parameter and save the resulting certificate to a file named "new_cert.crt".
   /usr/lib/vmware-vmca/bin/certool --gencert --privkey=priv.key --cert=new_cert.crt --config=/usr/lib/vmware-vmca/share/config/certool.cfg --server=<FQDN of onprem VC>
5. Delete the existing Machine SSL certificate from the VECS store.
6. Invoke lookupservice to update the ssltrust of the service registration endpoints with the newly generated certificate. This step is documented in detail in https://kb.vmware.com/s/article/2121701. Run it from the VCGA; the customer supplies the credentials.
   python /usr/lib/vmware-lookupsvc/tools/ls_update_certs.py --url https://<FQDN of onprem VC>/lookupservice/sdk --certfile new_cert.crt --user '<administrator@vsphere.local>' --password '<password>' --fingerprint <sha1 hash of the old certificate to replace>
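A pre-flight check for the values the procedure above needs, added here as an example and not part of the KB article: it prints the SHA-1 fingerprint of old_cert.crt (the value for --fingerprint in step 6) and verifies that new_cert.crt carries the VCGA FQDN as its CN, is not expired, and was issued for priv.key. The script name, the default file names and the availability of openssl in the appliance shell are assumptions.

```shell
#!/bin/sh
# vcga_cert_precheck.sh (hypothetical name) - sanity checks before steps 5 and 6.
# Usage: vcga_cert_precheck.sh <VCGA FQDN> [old_cert.crt] [new_cert.crt] [priv.key]
set -u

# SHA-1 fingerprint of a PEM certificate, colon-separated as openssl prints it;
# this is the fingerprint of the OLD certificate that ls_update_certs.py replaces.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Subject CN of a PEM certificate; certool.cfg's Name/Hostname must be the VCGA FQDN.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds when the certificate stays valid for at least another 24 hours.
cert_is_valid() {
    openssl x509 -in "$1" -noout -checkend 86400 >/dev/null
}

# Succeeds when the private key and the certificate share the same public key,
# i.e. certool --gencert was run with the right --privkey. Args: <cert> <key>
key_matches_cert() {
    openssl pkey -in "$2" -noout 2>/dev/null || return 1
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Runs all checks; returns non-zero if any fails so it can gate the destructive steps.
precheck() {
    fqdn=$1; old=${2:-old_cert.crt}; new=${3:-new_cert.crt}; key=${4:-priv.key}
    rc=0
    echo "old certificate fingerprint (for --fingerprint): $(cert_fingerprint "$old")"
    cn=$(cert_cn "$new")
    if [ "$cn" != "$fqdn" ]; then
        echo "FAIL: new certificate CN '$cn' is not the VCGA FQDN '$fqdn'" >&2; rc=1
    fi
    if ! cert_is_valid "$new"; then
        echo "FAIL: new certificate is expired or expires within 24 hours" >&2; rc=1
    fi
    if ! key_matches_cert "$new" "$key"; then
        echo "FAIL: $key does not match the public key in $new" >&2; rc=1
    fi
    return $rc
}
```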