VMware vSphere

  • 1.  STS certificate expiration

    Posted Nov 12, 2024 10:04 AM
    Edited by flipflip Nov 12, 2024 10:04 AM

    Hello,

    I currently have an old version of vSphere 5.5 (yes, it's old ;) ) that is in the process of being migrated to the latest version.

    The problem is that since this morning, I haven't been able to connect with the vSphere client or the web client. It seems to be an issue with the STS certificate, which has expired. After a lot of research and a few attempts, I haven't been able to get the vSphere server working again, and all the documentation I found is for version 6.x :( Do you have any suggestions to at least get it working until the end of the year?

    The error is the same as on this page: https://knowledge.broadcom.com/external/article?legacyId=76719

    ERROR com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor opId=] Server rejected the provided time range. Cause:ns0:InvalidTimeRange: The token authority rejected an issue request for TimePeriod [startTime=Date MM DD:TT:SS EST YYYY, endTime=Date MM DD:TT:SS EST YYYY] :: Signing certificate is not valid at Date MM DD:TT:SS EST YYYY, cert validity: TimePeriod [startTime=Date MM DD:TT:SS EST YYYY, endTime=Date MM DD:TT:SS EST YYYY]

    Thank you in advance.



  • 2.  RE: STS certificate expiration

    Broadcom Employee
    Posted Nov 14, 2024 10:54 AM

    Hello Flip,

    Not sure if it's a Windows vCenter or Appliance.

    Windows:
    Stop the STS Service by running the command:

    net stop VMwareSTS
     
    Navigate to default vmware-sso directory

    cd c:\ProgramData\VMware\CIS\cfg\vmware-sso
     
    Run this command to re-install the STS with the default STS certificate:

    "c:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\bin\java.exe" -cp "c:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\*;c:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso\lib\*;.;*" com.vmware.identity.installer.STSInstaller --install --root-cert-path ssoserverRoot.crt --cert-path ssoserverSign.crt --private-key-path ssoserverSign.key --retry-count 2 --retry-interval 30
     
    Start the STS Service by running this command:

    net start VMwareSTS

    Appliance: 

    export JAVA_BIN=/usr/java/jre-vmware/bin/java
    export CLASSPATH=/opt/vmware/lib64/*:/usr/lib/vmware-sso/commonlib/*
    export _SSO_ROOT_CERT_X509=/etc/vmware-sso/keys/ssoserverRoot.crt
    export _SSO_SIGNING_LEAF_CERT_X509=/etc/vmware-sso/keys/ssoserverSign.crt
    export _SSO_SIGNING_LEAF_CERT_KEY=/etc/vmware-sso/keys/ssoserverSign.key
    $JAVA_BIN -cp $CLASSPATH com.vmware.identity.installer.STSInstaller --install --root-cert-path "$_SSO_ROOT_CERT_X509" --cert-path "$_SSO_SIGNING_LEAF_CERT_X509" --private-key-path "$_SSO_SIGNING_LEAF_CERT_KEY"
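
The reply above re-installs STS from the certificate files under /etc/vmware-sso/keys. The following added example (not part of the thread and not VMware tooling) uses openssl to report whether those files are themselves expired or close to expiry. The function names and the KEY_DIR and WARN_DAYS variables are assumptions of this example, and it checks only the notAfter date.

```shell
#!/bin/sh
# Added example: validity report for the STS certificate files named in the reply.
# KEY_DIR defaults to the appliance path quoted above; WARN_DAYS is an assumed threshold.
KEY_DIR="${KEY_DIR:-/etc/vmware-sso/keys}"
WARN_DAYS="${WARN_DAYS:-30}"

# cert_state FILE [WARN_DAYS]
# Prints one of: missing, unreadable, expired, expiring, valid
cert_state() {
    file=$1
    warn_secs=$(( ${2:-$WARN_DAYS} * 86400 ))
    [ -f "$file" ] || { echo missing; return 0; }
    # Reject files that do not parse as an X.509 certificate.
    openssl x509 -in "$file" -noout >/dev/null 2>&1 || { echo unreadable; return 0; }
    # -checkend N exits non-zero when the certificate expires within N seconds.
    if ! openssl x509 -in "$file" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$file" -noout -checkend "$warn_secs" >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
}

# sts_cert_report: one line per certificate file with its state and validity dates.
sts_cert_report() {
    for name in ssoserverRoot.crt ssoserverSign.crt; do
        f="$KEY_DIR/$name"
        state=$(cert_state "$f")
        dates=$(openssl x509 -in "$f" -noout -startdate -enddate 2>/dev/null | tr '\n' ' ')
        printf '%-20s %-10s %s\n' "$name" "$state" "$dates"
    done
}

sts_cert_report
```

A state of `expired` for ssoserverSign.crt corresponds to the "Signing certificate is not valid at" condition in the log line quoted in the first post.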




  • 3.  RE: STS certificate expiration

    Posted Nov 14, 2024 11:14 AM
    Edited by flipflip Nov 14, 2024 11:35 AM

    Thank you for your response.

     

    It is an appliance on Linux Suse.

    I just tested the appliance part:

    And even after a reboot, I get the same error.

    Now, when I try to connect to https://<IP>:5480, I get the following error (my password is correct):




  • 4.  RE: STS certificate expiration

    Posted Nov 15, 2024 06:53 AM
    Edited by flipflip Nov 15, 2024 06:53 AM

    Hello everyone,

    I managed to generate valid certificates thanks to this documentation: Regenerating Self-Signed SSL Certificates in VMware vCenter Server appliance 5.1 or 5.5. Unfortunately, after rebooting the vSphere server, I still get the error message:

    Cannot authentificat user

    Return code is: InvalidCredentials

    And the vSphere server part still does not start.