• 由于证书过期并显示以下错误，因此vCenter / PSC服务无法启动：

错误com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl $ RequestResponseProcessor opId =]服务器拒绝了所提供的时间范围。原因：ns0：InvalidTimeRange：令牌颁发机构拒绝了TimePeriod的发布请求[startTime = Thu Jan 02 09:22:13 EST 2020，endTime = Fri Jan 03 09:22:13 EST 2020] ::签名证书在2020年EST 1月2日星期四09:22:13，证书有效期：TimePeriod [

• 登录到Web客户端时，观察到以下错误：

• 如果由于证书过期而导致vmware-vpxd服务未运行，则访问WebClient或UI Client将显示以下错误消息

 

• 如果可访问WebClient，则可能会抛出错误消息“

• 无法替换PSC或VC上的任何证书，因为它无法在注册服务上重新注册服务
• 无法使用lstool从查找服务中手动添加/修改/删除注册
• 无法部署新的PSC并进行跨域重定向
• 无法将新的PSC部署为现有SSO域上的复制伙伴

1. 下载此kb随附的“ fixsts.sh”脚本，然后将其上载到/ tmp文件夹中的受影响的PSC或具有嵌入式PSC的VC，或者使用vi将其内容复制到设备上的文本文件中
2. cd到/ tmp文件夹
3. 运行chmod + x fixsts.sh以使文件可执行
4. 运行./fixsts.sh
5. 通过使用以下命令在SSO域中的所有vCenter和/或PSC上重新启动服务：

   service-control --stop --all
   service-control --start --all

   注意：  如果还有其他已过期的证书（例如，机器SSL或解决方案用户。继续进行下一步，以识别和替换那些过期的证书。

6. 检查到期和替换，你可能有其他任何过期的证书，使用证书管理器，如图如何使用vSphere证书管理器，以取代SSL证书  或按照选项8所示，  如何使用自签名VMCA再生的vSphere 6.x的证书  ，如果计算机SSL和解决方案用户证书均已过期
   • 以下单行代码可以确定vCenter Server Appliance的其他过期证书：

注意：  如果您使用的是不带网关的HLM（混合链接模式），则需要按照以下步骤

将证书从Cloud重新同步到本地，脚本将要求SSO管理员密码，然后继续进行操作。重新生成并替换STS证书。

这是成功输出的一个例子

注意：这适用于外部和嵌入式PSC。
此脚本将执行以下操作
1：重新生成STS证书
需要什么？
1：VC / PSC的脱机快照
2：SSO管理员密码
重要：每个SSO域只能在单个PSC上运行此脚本
===================== =============
重设vcsa1.gsslabs.org的STS证书于5月22日星期五14:39:40 UTC 2020

检测到DN：cn = vcsa1.gsslabs.org，ou =域控制器，dc = vsphere，dc = local
检测到的PNID：vcsa1.gsslabs.org
检测到的PSC：vcsa1.gsslabs.org
检测到的SSO域名：vsphere.local
检测到的计算机ID：ce510c87-35e6-444e-82f0-60a7527608a3
检测到的IP地址：192.168.0.51
域名CN：DC = vSphere中，DC =本地
==================================
====== ============================

检测到的根证书截止日期：2030年5月16
检测到今天的日期：2020年5月22日
====== =============================

导出和生成STS证书

状态：成功
使用配置文件：/tmp/vmware-fixsts/certool.cfg
状态：成功

输入administrator@vsphere.local的密码：
租户凭证的数量：1将
租户和trustedcertchain 1 导出到/ tmp / vmware-fixsts

删除租户和trustedcertchain 1

将新生成的STS证书应用于SSO域
添加新条目“ cn = TenantCredential-1，cn = vsphere.local，cn = Tenants，cn = IdentityManager，cn = Services，dc = vsphere，dc = local”

添加新条目“ cn = TrustedCertChain-1，cn = TrustedCertificateChains， cn = vsphere.local，cn =租户，cn = IdentityManager，cn =服务，dc = vsphere，dc = local“

替换完成-请重新启动SSO域中所有vCenter和PSC上的服务
========== ===============================================================================================================）
重要：如果使用的是没有网关的HLM（混合链接模式），则需要重新同步从云的证书为On-炳廷按照此过程后
==================================
==== =============================

注意：尝试运行脚本时，您可能会收到错误消息：
bash：./recreate_machine.sh：/ bin / bash ^ M：错误的解释器：没有这样的文件或目录
此错误是由从基于Windows的文本编辑器复制时将DOS回车添加到脚本中引起的。要解决此问题，请运行以下命令并重新运行脚本：

sed -i -e's / \ r $ //'fixsts.sh

• vCenter/PSC Services do not start due to expired certificate showing the following errors:

ERROR com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor  opId=] Server rejected the provided time range. Cause:ns0:InvalidTimeRange: The token authority rejected an issue request for TimePeriod [startTime=Thu Jan 02 09:22:13 EST 2020, endTime=Fri Jan 03 09:22:13 EST 2020] :: Signing certificate is not valid at Thu Jan 02 09:22:13 EST 2020, cert validity: TimePeriod [

• The following error is observed when logging into the Web Client:

• Accessing WebClient or UI Client will show below error message if vmware-vpxd service is not running due to expired certificate

 

• If WebClient is accessible, it might throw error message

• Unable to replace any certificate on either PSC or VC because it fails to re-register services on lookup service
• Unable to add/modify/delete registrations from lookup service manually using lstool
• Cannot deploy a new PSC and do a cross domain repoint
• Cannot deploy a new PSC as a replication partner on the existing SSO domain

1. Download the "fixsts.sh" script attached to this kb and upload to the impacted PSC or VC with embedded PSC in the /tmp folder, or copy its contents to a text file on the appliance using vi
2. cd to /tmp folder
3. Run chmod +x fixsts.sh to make the file executable
4. Run ./fixsts.sh
5. Restart services on all vCenters and/or PSCs in your SSO domain by using below commands:

   service-control --stop --all
   service-control --start --all

   Note: Restart of services will fail if there are other expired certificates like Machine SSL or Solution User. Proceed with next step to identify and replace those expired certificates.

6. Check for expiration and replace any other expired certificates you might have, using certificate manager as shown in How to use vSphere Certificate Manager to Replace SSL Certificates or follow Option 8 as shown in How to regenerate vSphere 6.x certificates using self-signed VMCA if both Machine SSL and Solution User certificates are expired
   • The following one-liner can determine other expired certificates for the vCenter Server Appliance:

Note: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure

The script will ask for the SSO administrator password and then proceed to regenerate and replace STS certificate.

This is an example of a successful output

NOTE: This works on external and embedded PSCs
This script will do the following
1: Regenerate STS certificate
What is needed?
1: Offline snapshots of VCs/PSCs
2: SSO Admin Password
IMPORTANT: This script should only be run on a single PSC per SSO domain
==================================
Resetting STS certificate for vcsa1.gsslabs.org started on Fri May 22 14:39:40 UTC 2020

Detected DN: cn=vcsa1.gsslabs.org,ou=Domain Controllers,dc=vsphere,dc=local
Detected PNID: vcsa1.gsslabs.org
Detected PSC: vcsa1.gsslabs.org
Detected SSO domain name: vsphere.local
Detected Machine ID: ce510c87-35e6-444e-82f0-60a7527608a3
Detected IP Address: 192.168.0.51
Domain CN: dc=vsphere,dc=local
==================================
==================================

Detected Root's certificate expiration date: 2030 May 16
Detected today's date: 2020 May 22
==================================

Exporting and generating STS certificate

Status : Success
Using config file : /tmp/vmware-fixsts/certool.cfg
Status : Success

Enter password for administrator@vsphere.local:
Amount of tenant credentials: 1
Exporting tenant and trustedcertchain 1 to /tmp/vmware-fixsts

Deleting tenant and trustedcertchain 1

Applying newly generated STS certificate to SSO domain
adding new entry "cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"

adding new entry "cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local"

Replacement finished - Please restart services on all vCenters and PSCs in your SSO domain
==================================
IMPORTANT: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure
==================================
==================================

Note:You may receive an error when you try to run the script:
bash:  ./recreate_machine.sh: /bin/bash^M: bad interpreter: No such file or directory
This error is caused by DOS carriage returns added to the script when copying from a Windows based text editor.  To resolve this problem, run the following command and rerun the script:

sed -i -e 's/\r$//' fixsts.sh