VMware vSphere

  • 1.  STS certificate expiration

    Posted Nov 12, 2024 10:04 AM

    Hello,

    I currently have an old version of vSphere 5.5 (yes, it's old ;) ) that is in the process of being migrated to the latest version.

    The problem is that since this morning, I haven't been able to connect with the vSphere client or the web client. It seems to be an issue with the STS certificate, which has expired. After a lot of research and a few attempts, I haven't been able to get the vSphere server working again, and all the documentation I found is for version 6.x :( Do you have any suggestions to at least get it working until the end of the year?

    The error is the same as on this page:

    ERROR com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor opId=] Server rejected the provided time range. Cause:ns0:InvalidTimeRange: The token authority rejected an issue request for TimePeriod [startTime=Date MM DD:TT:SS EST YYYY, endTime=Date MM DD:TT:SS EST YYYY] :: Signing certificate is not valid at Date MM DD:TT:SS EST YYYY, cert validity: TimePeriod [startTime=Date MM DD:TT:SS EST YYYY, endTime=Date MM DD:TT:SS EST YYYY]

    Thank you in advance.



  • 2.  RE: STS certificate expiration

    Posted Nov 13, 2024 11:35 AM

    Old is an understatement here lol. Are you able to SSH into the appliance using something like root? It looks like you can create a file to allow regeneration and reboot it. I don't have experience with 5.5, so I'm not sure if this will work for you, but it's worth a shot.

    Here is the process here: https://williamlam.com/2013/04/automating-ssl-certificate-regeneration.html




  • 3.  RE: STS certificate expiration

    Posted Nov 14, 2024 10:16 AM
    Edited by flipflip Nov 14, 2024 10:25 AM

    Hello,

    Thank you for your response. I tried this solution, but whether the allow_regeneration file is empty or contains the value only-once, unfortunately, I get the same error upon restart and no new certificates are generated :(

    [...]:/etc/vmware-vpx/ssl # ll
    total 28
    -r-------- 1 root root 1773 May 24  2023 rui-ca-cert.pem
    -rw------- 1 root root 3432 May 24  2023 rui.crt
    -r-------- 1 root root 1679 May 24  2023 rui.key
    -r-------- 1 root root 4140 May 24  2023 rui.pfx
    -rw-r--r-- 1 root root 1241 Nov 12  2014 sms.keystore
    -rw-r--r-- 1 root root 1245 Aug 12 08:58 sms.truststore
    [...]:/etc/vmware-vpx/ssl # 

    In the comments, it was suggested to move the certificates, but even doing that, no new certificates are generated.

    Philippe.