VMware vSphere

  • 1.  Certificate alert after upgrade to VCSA 7.0

    Posted Apr 13, 2021 07:24 AM

    Hi,

    a customer is getting an alert that a certificate will expire soon.

    During the upgrade from 6.7 to 7.0 we renewed all certificates and executed the checksts.py script.

    The STS has 2 certificates, the leaf expires in 2 years and the root in 8 years.

    So we checked all certificate stores and identified this one: STS_INTERNAL_SSL_CERT

    This certificate will expire in a few days.

    Is this certificate still needed? Can I delete that certificate store? On a freshly installed VCSA 7.0 I don't have such a store.

    Has someone here seen the same?

    Kind regards
    Stefan



  • 2.  RE: Certificate alert after upgrade to VCSA 7.0

    Broadcom Employee
    Posted Apr 14, 2021 01:56 AM

    Yes, it is from the legacy SSO (port 7444); I am guessing your vCenter was upgraded all the way from 5.5. It does not serve any purpose in 7.0.

    I would suggest you just back up the cert and key, just in case, and delete the store with the cert. You can do all that by executing the following:

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL.crt

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/STS_INTERNAL.key

    Finally delete the store using:

    /usr/lib/vmware-vmafd/bin/vecs-cli store delete --name STS_INTERNAL_SSL_CERT


    Hope that helps.



  • 3.  RE: Certificate alert after upgrade to VCSA 7.0

    Posted Apr 14, 2021 03:46 PM

    This sounds perfect, I expected something of that kind, but wasn't sure if I can delete it.

    Even the support can't. He wants to do some research...

    We will test it next Friday; I will write the result.

    Thank you!



  • 4.  RE: Certificate alert after upgrade to VCSA 7.0

    Posted Apr 16, 2021 08:27 AM

    O.k., bad news: the store seems to be still in use. After deleting the store we rebooted, and the service vmware-stsd didn't come up.

    So I used this command to recreate the store:

    /usr/lib/vmware-vmafd/bin/vecs-cli store create --name STS_INTERNAL_SSL_CERT

    and then I followed this KB: https://kb.vmware.com/s/article/76144

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.crt
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/machine_ssl.key
    /usr/lib/vmware-vmafd/bin/vecs-cli entry create --store STS_INTERNAL_SSL_CERT --alias __MACHINE_CERT --cert /var/tmp/machine_ssl.crt --key /var/tmp/machine_ssl.key

    Now I again have a valid certificate in the store, one that does not expire in a few days, and I was able to start the service.

    I have collected a support bundle and sent it to the support. This can't be correct...



  • 5.  RE: Certificate alert after upgrade to VCSA 7.0

    Broadcom Employee
    Posted Apr 16, 2021 07:42 PM

    That means there could be legacy STS endpoints existing in the service registrations that will need to be cleaned up so that the store is no longer used.



  • 6.  RE: Certificate alert after upgrade to VCSA 7.0

    Broadcom Employee
    Posted Apr 20, 2021 03:51 AM

    What is the SR number?



  • 7.  RE: Certificate alert after upgrade to VCSA 7.0
    Best Answer

    Broadcom Employee
    Posted Apr 20, 2021 08:09 AM

    Run through https://kb.vmware.com/s/article/80469 and get the output of python lsdoctor.py -l. If there are old 5.5 registrations, then use python lsdoctor.py -s to fix the old registrations.

    Modify the file below:
    /usr/lib/vmware-sso/vmware-sts/conf/server.xml
    Change the 2 entries in server.xml that have "STS_INTERNAL_SSL_CERT" to "MACHINE_SSL_CERT".

    And then delete the STS_INTERNAL_SSL_CERT store and restart services.


    Follow https://virtual-power.in/f/21-stsd-crash-opening-store-stsinternalsslcert-failed



  • 8.  RE: Certificate alert after upgrade to VCSA 7.0

    Posted Apr 20, 2021 04:03 PM

    This sounds promising; we will test and report.

    The SR: 21212630304

    Today I had a phone call with the support and he told me to use the fixsts script to repair this; it doesn't help...

    Kind regards
    Stefan



  • 9.  RE: Certificate alert after upgrade to VCSA 7.0

    Posted Apr 21, 2021 08:38 AM

    Problem solved, we only needed to modify the file /usr/lib/vmware-sso/vmware-sts/conf/server.xml and replace the 2 entries.

    Thank you!
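As an added example (not code from the thread, from VMware or from Broadcom), the POSIX shell script below performs the server.xml edit that reply 7 prescribes and reply 9 confirms fixed the problem: it takes a timestamped backup, rewrites every STS_INTERNAL_SSL_CERT reference to MACHINE_SSL_CERT, and refuses to report success if any old reference survives, so it can be run before deleting the store and restarting services. The sample XML, its attribute names, and the function names are constructed assumptions; on a real VCSA the file is /usr/lib/vmware-sso/vmware-sts/conf/server.xml, and the edit should only be applied after confirming that the connectors really reference the legacy store.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: rewrite the keystore
# references in a copy of the STS server.xml from STS_INTERNAL_SSL_CERT to
# MACHINE_SSL_CERT, taking a backup first and verifying the result.
# The sample XML and attribute names below are constructed stand-ins; on a
# real VCSA the file is /usr/lib/vmware-sso/vmware-sts/conf/server.xml.

OLD_STORE="STS_INTERNAL_SSL_CERT"
NEW_STORE="MACHINE_SSL_CERT"

# Write a constructed stand-in for server.xml with two connectors that point
# at the legacy store (the "2 entries" the thread talks about).
make_sample_server_xml() {
  cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1">
  <Service name="Catalina">
    <Connector port="7444" protocol="HTTP/1.1" SSLEnabled="true"
               store="STS_INTERNAL_SSL_CERT" certificateKeyAlias="__MACHINE_CERT" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               store="STS_INTERNAL_SSL_CERT" certificateKeyAlias="__MACHINE_CERT" />
  </Service>
</Server>
EOF
}

# Count the lines in $1 that reference store name $2. grep -c exits 1 when
# there are no matches, so force success and keep the printed "0".
count_store_refs() {
  grep -c "$2" "$1" || true
}

# Replace every reference to OLD_STORE in $1 with NEW_STORE. Prints the number
# of lines rewritten. Fails (status 1) without touching the file when there is
# nothing to change, and fails after the edit if any old reference survived,
# so a second run is a no-op rather than a silent success.
patch_sts_server_xml() {
  file="$1"
  [ -f "$file" ] || { echo "$file: no such file" >&2; return 1; }
  before=$(count_store_refs "$file" "$OLD_STORE")
  if [ "$before" -eq 0 ]; then
    echo "$file: no $OLD_STORE references, nothing to change" >&2
    return 1
  fi
  # Keep a timestamped copy next to the original so the edit can be reverted.
  cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
  # Rewrite via a temp file and cat back so the original's permissions survive.
  sed "s/$OLD_STORE/$NEW_STORE/g" "$file" > "$file.tmp" &&
    cat "$file.tmp" > "$file" && rm -f "$file.tmp"
  after=$(count_store_refs "$file" "$OLD_STORE")
  if [ "$after" -ne 0 ]; then
    echo "$file: $after $OLD_STORE references remain" >&2
    return 1
  fi
  echo "$before"
}

# Stand-alone demo on a throwaway copy: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
  demo=$(mktemp)
  make_sample_server_xml "$demo"
  echo "rewrote $(patch_sts_server_xml "$demo") connector entries in $demo"
  grep -n "$NEW_STORE" "$demo"
  rm -f "$demo" "$demo".bak.* "$demo".tmp
fi
```

Run with --demo to see the edit on a throwaway file; to apply it for real, call patch_sts_server_xml on the actual server.xml path, keep the .bak copy until vmware-stsd has restarted cleanly, and only then delete the STS_INTERNAL_SSL_CERT store as the thread describes.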