AutoDeploy errors after vCenter Certificate change
Recently I changed my vCenter Certificate. But the AutoDeploy Service didn’t learned the new vCenter Certificate. So I got errors in /var/log/vmware/rbd/rbd-syslog.log
Server has wrong SHA thumbprint: b6400b7d184a6c47a00cfb9e1ec7e739e8bf472b (required) != 37d257791d978852037c4bbea74d777409bea71d (server)
err rbd [38480]pluginmaster:ERROR:exception:rbdplugins.addhost.vmwProvisionHost -- Server has wrong SHA thumbprint: 6307cf0a1c33fb9a0b6bbf0f8c29616cf12e9966 (required) != f64c7235b432187c1e55ace1aeef640551c72d8c (server)
AutoDeploy partially continues to work. Configured Hosts could boot successfully. But changes that requires the rbd DB does not work like delete or add new Hosts, change Image etc.
So first step was to check via lsdoctor about a certificate problem. https://kb.vmware.com/s/article/80469?lang=en_US&queryTerm=lsdoctor
root@myvCenter-01 [ /home/lsdoctor/lsdoctor-master ]# python lsdoctor.py -l
ATTENTION: You are running a reporting function. This doesn't make any changes to your environment.
You can find the report and logs here: /var/log/vmware/lsdoctor
2022-01-18T07:36:15 INFO main: You are reporting on problems found across the SSO domain in the lookup service. This doesn't make changes.
2022-01-18T07:36:15 INFO live_checkCerts: Checking services for trust mismatches...
2022-01-18T07:36:15 INFO generateReport: Listing lookup service problems found in SSO domain
2022-01-18T07:36:15 INFO generateReport: No issues detected in the lookup service entries for myvCenter-01.mytestdom.com (VC 7.0 or CGW).
2022-01-18T07:36:15 INFO generateReport: Report generated: /var/log/vmware/lsdoctor/myvCenter-01.mytestdom.com-2022-01-18-073615.json
Lsdoctor doesn’t show any errors.
So we looked in the rbd DB for the configured thumbprint.
root@myvCenter-01 [ ~ ]# sqlite3 /var/lib/rbd/db
SQLite version 3.32.1 2020-05-25 16:19:56
Enter ".help" for usage hints.
sqlite> select * from vc_servers;
1|{myvCenterIP}|80|BEA0F084-D699-42C9-B2C8-AF2CB8C0EF6B|8088|B6:40:0B:7D:18:4A:6C:47:A0:0C:FB:9E:1E:C7:E7:39:E8:BF:47:2B
Let’s check if this is the right one or the outdated!
root@myvCenter-01 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store BACKUP_STORE --alias bkp___MACHINE_CERT --output /tmp/oldmachinessl.crt
root@myvCenter-01 [ ~ ]# /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/machineSSL.crt
root@myvCenter-01 [ ~ ]# openssl x509 -in /tmp/machineSSL.crt -fingerprint -noout
SHA1 Fingerprint=37:D2:57:79:1D:97:88:52:03:7C:4B:BE:A7:4D:77:74:09:BE:A7:1D
root@myvCenter-01 [ ~ ]# openssl x509 -in /tmp/oldmachinessl.crt -fingerprint -noout
SHA1 Fingerprint=B6:40:0B:7D:18:4A:6C:47:A0:0C:FB:9E:1E:C7:E7:39:E8:BF:47:2B
We could see in the rbd DB is the old thumbprint that ends with “47:2B” and we have to change it to the one that ends with “A7:1D”.
root@myvCenter-01 [ ~ ]# service-control --stop vmware-rbd-watchdog
Operation not cancellable. Please wait for it to finish...
Performing stop operation on service rbd...
Successfully stopped service rbd
root@myvCenter-01 [ ~ ]# sqlite3 /var/lib/rbd/db
SQLite version 3.32.1 2020-05-25 16:19:56
Enter ".help" for usage hints.
sqlite> select * from vc_servers;
1|{myvCenterIP}|80|BEA0F084-D699-42C9-B2C8-AF2CB8C0EF6B|8088|B6:40:0B:7D:18:4A:6C:47:A0:0C:FB:9E:1E:C7:E7:39:E8:BF:47:2B
update vc_servers set thumbprint = "37:D2:57:79:1D:97:88:52:03:7C:4B:BE:A7:4D:77:74:09:BE:A7:1D";
sqlite> select * from vc_servers;
1|myvCenterIP|80|BEA0F084-D699-42C9-B2C8-AF2CB8C0EF6B|8088|37:D2:57:79:1D:97:88:52:03:7C:4B:BE:A7:4D:77:74:09:BE:A7:1D
sqlite> .quit
root@myvCenter-01 [ ~ ]#
root@myvCenter-01 [ ~ ]# service-control --start vmware-rbd-watchdog
Operation not cancellable. Please wait for it to finish...
Performing start operation on service rbd...
Successfully started service rbd
That’s it 😉