vCenter Single Sign-On – no healthy upstream
Tra le migliaia di cause per questo dannato errore di “no healthy upstream” c’è anche la possibilità che i certificati interni siano scaduti.
Ci troviamo con una pagina bianca (o scura, a seconda del tema…) e la sola dicitura “no healthy upstream”:
Tra le possibili soluzioni, prima di tentare una reinstallazione completa del vCenter, verifichiamo che i certificati siano ok. Da una sessione SSH proviamo a fare un controllo
root@vcenter [ /etc/vmware/vsphere-ui ]# for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;Otteniamo un elenco dei certificati e delle scadenze
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Nov 1 10:26:08 2022 GMT
[*] Store : TRUSTED_ROOTS
Alias : b88fd8df2674612aaadccbac0140ace59464a9d0
Not After : Oct 26 22:26:08 2030 GMT
[*] Store : machine
Alias : machine
Not After : Oct 26 22:26:08 2030 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
Not After : Oct 26 22:26:08 2030 GMT
[*] Store : vpxd
Alias : vpxd
Not After : Oct 26 22:26:08 2030 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
Not After : Oct 26 22:26:08 2030 GMT
[*] Store : hvc
Alias : hvc
Not After : Oct 26 22:26:08 2030 GMT
[*] Store : data-encipherment
Alias : data-encipherment
Not After : Oct 26 22:26:08 2030 GMT
[*] Store : APPLMGMT_PASSWORD
[*] Store : SMS
Alias : sms_self_signed
Not After : Oct 31 22:31:21 2030 GMT
[*] Store : wcp
Alias : wcp
Not After : Oct 31 22:23:31 2022 GMTCi sono un paio di certificati scaduti, dannato mondo. Andiamo nella cartella /usr/lib/vmware-vmca/bin e eseguiamo il certificate-manager
root@vcenter [ /usr/lib/vmware-vmca/bin ]# ./certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.8 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| NOTE: Solution user certs will be deprecated in a future |
| release of vCenter. Refer to release notes for more details.|
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8Resettiamo tutto con l’opzione “8”, se serve possiamo:
# service-control --stop vsphere-ui
# service-control --start vsphere-uiDovrebbe essere tutto ok 🙂