VMware vSphere

  • 1.  Customization Specs not working after renewal of vSphere Certs

    Posted Jun 16, 2020 06:01 PM

    I am working with a company on contract to automate a number of things in their VMware environment. They recently (unbeknownst to me) updated their vCenter Certs for all environments, which caused the automation I'd written for building VMs to break. The error is on the customization specs, and states: "The public key in the specification does not match the vCenter Server public key. Click Continue to import without a password, then reenter the password in the Edit VM Customization Specification wizard."

    In the past when I have encountered this, I click Continue, modify the admin password and save the spec. I am then able to export it (to change the vim.vm.customization.Password plaintext value in the xml to True) and then import it back in just fine. But this time around, every time I import the spec I get this error. I even deleted the spec altogether, recreated from scratch, exported, then imported back in, and get the error. Server builds will set all the parameters, but will not join the domain. I've not run into this ever before; is there something more I need to do with the changing of Certs that I have not yet done?



  • 2.  RE: Customization Specs not working after renewal of vSphere Certs

    Posted Jun 16, 2020 06:27 PM

    What happens if you create a net new customization spec with a different name and supply the same information? Does it succeed in that case?



  • 3.  RE: Customization Specs not working after renewal of vSphere Certs

    Posted Jun 16, 2020 07:08 PM

    I created net new but used the same name (as changing would cause a change to the automation script), and it failed. I will try using a new name.



  • 4.  RE: Customization Specs not working after renewal of vSphere Certs

    Posted Jun 16, 2020 09:29 PM

    Yes, I understand it would break your automation but the test is about re-use of encryption keys based upon the single input object being the name of the spec. So try a different name and re-test.



  • 5.  RE: Customization Specs not working after renewal of vSphere Certs

    Posted Jun 17, 2020 02:53 PM

    I did delete everything this morning, then recreated the problematic customization specs from scratch, with a different name. I exported, changed the password plaintext field, then imported back in. I no longer get the "public key" error on import. However, I still get the error "The vCenter Server is unable to decrypt passwords stored in the customization specification" when building a server. On exporting the customization spec again, the plaintext flag is flipped back to false each time.



  • 6.  RE: Customization Specs not working after renewal of vSphere Certs

    Posted Jun 17, 2020 04:32 PM

    As an addendum, I tried creating the customization specification from scratch in the build script. So instead of having a template spec, and creating a non-persistent spec from that template, I just created all new - something like this:

            New-OSCustomizationSpec -AdminPassword <local admin PW> `
                                    -ChangeSid: $true `
                                    -Description $newVM `
                                    -Domain $sDomain `
                                    -DomainCredentials $creds `
                                    -FullName <DOMAIN> `
                                    -GuiRunOnce <Run Once Command> `
                                    -LicenseMaxConnections 5 `
                                    -LicenseMode PerServer `
                                    -Name $newVM `
                                    -OrgName <DOMAIN> `
                                    -OSType: Windows `
                                    -Server $vCenter `
                                    -TimeZone 035 `
                                    -Type Persistent `
                                    -ErrorAction Stop

    This seems to work just fine, and I do not get any errors. Just do not understand why, even creating a new template spec, it seems not to like the encryption key.



  • 7.  RE: Customization Specs not working after renewal of vSphere Certs

    Posted Jun 16, 2020 07:07 PM

    Hmm.... I am aware of the problem and have fixed it a couple of times in the last 13 years, but a few weeks ago I also struggled in the same way. I have 2 Custom Specs per customer and only the "No AD Join" one works after re-entering the password. After scratching my head for 2 hours I noticed that an AD Join spec contains two passwords. The first is for the local administrator, and then later, when you enable the AD join, you have to specify an AD user with a password as well. I overlooked the 2nd one a couple of times. (I am not getting old!)

    Regards,
    Joerg



  • 8.  RE: Customization Specs not working after renewal of vSphere Certs

    Posted Jun 16, 2020 07:13 PM

    You are correct about the two passwords; in my case I need only set the one (local administrator). The automation script I have written takes the "template" customization spec and copies it to a non-persistent spec of the same name as the new server. Once this temp spec is created, there is a step where I apply the domain credentials and have it join the domain (see below). We do it this way because there is a parent domain, as well as any of 4 child domains, which the VM could be joined to.

    Get-OSCustomizationSpec -Name $newVM -Server $vCenter | Set-OSCustomizationSpec -Domain $sDomain -DomainCredentials $creds -ErrorAction Stop

    The credentials used, which are for a service account with appropriate permissions in all of the domains, have not changed. So it is confusing to me that it would not join the domain. It is acting as if the plaintext parameter is set to False, even though it is set to True.
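
A check for the two points raised in this thread (an AD-join spec carries two password fields, and each has its own plaintext flag), added here as an example that is not code from any of the posters. The XML layout of the sample is a constructed assumption: only the `vim.vm.customization.Password` type name and its plaintext flag come from the thread, and `Get-SpecPasswordField` is a hypothetical helper name.

```powershell
# Constructed sample of an exported spec. The element layout is an assumption;
# only the Password type name and its plaintext flag are taken from the thread.
$sampleXml = @'
<ConfigRoot>
  <spec>
    <identity>
      <guiUnattended>
        <password>
          <_type>vim.vm.customization.Password</_type>
          <plainText>true</plainText>
          <value>EXAMPLE-LOCAL-ADMIN</value>
        </password>
      </guiUnattended>
      <identification>
        <domainAdminPassword>
          <_type>vim.vm.customization.Password</_type>
          <plainText>false</plainText>
          <value>EXAMPLE-ENCRYPTED-BLOB</value>
        </domainAdminPassword>
      </identification>
    </identity>
  </spec>
</ConfigRoot>
'@

function Get-SpecPasswordField {
    param([Parameter(Mandatory)][xml]$SpecXml)
    # Find every element typed as a customization password, wherever it sits,
    # so a second (domain join) password is not overlooked.
    $nodes = $SpecXml.SelectNodes("//*[_type='vim.vm.customization.Password']")
    foreach ($node in $nodes) {
        $flag = $node.SelectSingleNode('plainText')
        [pscustomobject]@{
            Field     = $node.LocalName
            Parent    = $node.ParentNode.LocalName
            # -eq is case-insensitive, so "True" and "true" both count.
            PlainText = ($null -ne $flag -and $flag.InnerText.Trim() -eq 'true')
            HasValue  = -not [string]::IsNullOrWhiteSpace($node.SelectSingleNode('value').InnerText)
        }
    }
}

$fields = Get-SpecPasswordField -SpecXml $sampleXml
$fields | Format-Table -AutoSize
# Fields not marked plaintext depend on vCenter being able to decrypt them.
$fields | Where-Object { -not $_.PlainText } | ForEach-Object {
    Write-Warning "$($_.Parent)/$($_.Field) is stored encrypted; re-enter it after a vCenter certificate change."
}
```

To check a real export, pass `(Get-Content -Raw <path to exported spec>)` instead of `$sampleXml`. Any field reported with `PlainText` true holds the password in clear text in the file, so the export itself has to be handled as a secret.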