Unsolved
1 Rookie
•
6 Posts
0
451
January 27th, 2025 16:32
VxRail Certificate renew
Hello everyone,
We have a vCenter with 3 VxRail nodes (v7.0.3 - P570f), and we got a warning alert about certificate expiry on VxRail.
My teammate clicked on "update certificate" but the process is still blocked at 25%. No error message. VxRail Manager (and vCenter) were rebooted after a few days because nothing happened, but we don't know what we can do right now.
The warning seems to have disappeared, but we're not sure all is OK 😓
In addition, we have three other platforms with the same warning.
Does anyone have an idea of what's wrong and how we can solve the problem?
DELL-Josh Cr
Moderator
•
9.2K Posts
0
January 28th, 2025 13:40
Hi,
Thanks for your question.
Which version of VxRail are you using? That process to renew the certificate should work. This may help as well. https://dell.to/4axV3rd
Let us know if you have any additional questions.
ALAV
1 Rookie
•
6 Posts
0
January 28th, 2025 16:22
Hi Josh,
Thanks for your answer.
The version of VxRail is 7.0.401-27760824.
Concerning the article you posted, I already read it, but I don't know if it can be applied to my situation. All vCenter certificates are OK (SSL / VMCA / STS / hosts). If renewing all of these can solve the problem for this VxRail certificate, I'll have some changes to make in the backup configuration, but every go.
Right now I'm worried because I don't understand which certificate is used on VxRail Manager and where I can check it or change it.
On the same page there was another link to replace the certificate in vCenter for the VxRail appliance (https://www.dell.com/support/kbdoc/en-us/000077894/vxrail-how-to-replace-certificate-in-vcenter-for-vxrail-appliance) but I got an error (and no change after the vmware-marvin restart).

DELL-Josh Cr
Moderator
•
9.2K Posts
0
January 28th, 2025 16:57
That should have worked, maybe it is something with the account that is showing it as unauthorized. You may need to call phone support.
carlos_marvalromero
1 Rookie
•
1 Message
0
January 28th, 2025 20:06
Hello ALAV.
If you have active support with this cluster, it's recommended to open an SR for the cert upgrade. This is a good opportunity to learn from the support experience. I've done it.
This process has two steps:
- vCenter Cert update
- VxRail Manager vCenter Cert import.
The support engineer has some very helpful tools.
You can check the cert expiration date with this command from the vCenter SSH interface. This is a one-line instruction (a little long):
for store in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list | grep -v TRUSTED_ROOT_CRLS); do echo "[*] Store :" $store; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $store --text | grep -ie "Alias" -ie "Not After";done;
The result is something like this:
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Jan 30 18:57:10 2025 GMT
[*] Store : TRUSTED_ROOTS
Alias : skhfjhghvhdfbvnfajkb
Not After : Apr 20 19:06:50 2032 GMT
Alias : nakjfbb74y7yjfbfuh3q04iu2y
Not After : Jan 25 19:07:10 2033 GMT
[*] Store : machine
Alias : machine
Not After : Jan 30 18:57:11 2025 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
Not After : Jan 30 18:57:12 2025 GMT
[*] Store : vpxd
Alias : vpxd
Not After : Jan 30 18:57:12 2025 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
Not After : Jan 30 18:57:13 2025 GMT
[*] Store : hvc
Alias : hvc
Not After : Jan 30 18:57:13 2025 GMT
[*] Store : data-encipherment
Alias : data-encipherment
Not After : Jan 25 19:07:10 2033 GMT
[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : SMS
Alias : sms_self_signed
Not After : Apr 26 19:10:59 2032 GMT
[*] Store : wcp
Alias : wcp
Not After : Jan 25 19:07:10 2033 GMT
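To turn the listing above into an expiry report, the following added example (not part of the original post and not a Dell or VMware tool) parses that `Store` / `Alias` / `Not After` text and returns the entries that are expired or close to expiry. The function names and the 30-day threshold are assumptions; the sample is abridged from the output quoted in the post.

```python
from datetime import datetime, timezone

# Abridged from the output quoted in the post above.
SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Jan 30 18:57:10 2025 GMT
[*] Store : TRUSTED_ROOTS
Alias : skhfjhghvhdfbvnfajkb
Not After : Apr 20 19:06:50 2032 GMT
[*] Store : APPLMGMT_PASSWORD
Alias : location_password_default
[*] Store : SMS
Alias : sms_self_signed
Not After : Apr 26 19:10:59 2032 GMT
"""

def parse_vecs(text):
    """Return (store, alias, not_after) tuples. not_after is None for
    entries that carry no certificate, such as APPLMGMT_PASSWORD."""
    entries, store = [], None
    for line in text.splitlines():
        key, _, value = line.partition(" :")
        key, value = key.strip(), value.strip()
        if key == "[*] Store":
            store = value
        elif key == "Alias":
            entries.append([store, value, None])
        elif key == "Not After" and entries:
            when = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
            entries[-1][2] = when.replace(tzinfo=timezone.utc)
    return [tuple(e) for e in entries]

def expiring(entries, now, warn_days=30):
    """Entries expired or expiring within warn_days (assumed threshold),
    soonest first, as (store, alias, whole_days_left)."""
    hits = [(s, a, (t - now).days) for s, a, t in entries
            if t is not None and (t - now).days < warn_days]
    return sorted(hits, key=lambda h: h[2])

if __name__ == "__main__":
    import sys
    # Pipe the one-liner's output in, or run bare to use the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for store, alias, days in expiring(parse_vecs(text), datetime.now(timezone.utc)):
        state = "EXPIRED" if days < 0 else "expires in %d days" % days
        print("%-20s %-28s %s" % (store, alias, state))
```

As the later replies point out, this covers only the vCenter VECS stores; the VxRail Manager certificate is not listed there.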
ALAV
1 Rookie
•
6 Posts
0
January 29th, 2025 13:30
No active support I think --', it's a platform we wanted to replace last year, but...
Thanks for your feedback Carlos. I planned to change the VMCA certificate and all the other certs, but when I apply the new one, I get an error when it comes to Commvault and VxRail (two products I want to leave since ....)
Concerning the command, I already tried it too, but it only shows certificates on the vCenter; in my context, the VxRail Manager certificate is a self-signed one which I can find only on the VxRail Manager appliance.
When I see the issue on VxRail Manager when updating the certificate and the issue when I want to change the VMCA certificate, I think there is a big problem somewhere... and I think it is due to an update of the platform by the previous company responsible for this. What I saw is that the platform was on version 4.7 and moved to 7.
Some commands are not available. For example, I tried the script indicated in this one: Update the VxRail Manager certificate, but got an error because the docker container was not found. I understand it was on v4.7, but it's a different process on v7, but not present....
FeelFrench
1 Rookie
•
2 Posts
0
January 29th, 2025 14:24
Hello,
When I renew VMCA certificates, I then simply have to run a script on my VxRail Manager VM by running the command > python /tmp/cert_util.py
It is explained on this KB:
https://www.dell.com/support/kbdoc/en-py/000077894/vxrail-how-to-replace-certificate-in-vcenter-for-vxrail-appliance
ALAV
1 Rookie
•
6 Posts
0
January 29th, 2025 14:37
Hello @FeelFrench, that's what I tried and indicated in my first answer to Josh, and the result was in my screenshot => You must be logged in to the server (unauthorized)
ALAV
1 Rookie
•
6 Posts
0
February 5th, 2025 10:40
Just to follow up,
After trying a lot of things (thank God for having one platform without any production machine, and a good snapshot/backup system :D), I found a script in /etc/vmware-marvin/scripts/lcm/scripts named vxmCertGenerationScript.sh. After launching it, a new self-signed certificate was generated and I can see it has been changed when I check on the API webpage.
But, of course, not enough... Since I have the new certificate, vCenter doesn't validate the connection. When I go to the plugin webpage or the VxRail settings on the Configuration tab of the cluster, I get an error about SSL.
Maybe another script could allow me to update the configuration, but I guess I need to remove the plugin and add it again; I don't know how to do the second part.
DELL-Josh Cr
Moderator
•
9.2K Posts
0
February 5th, 2025 13:56
These instructions should work for reinstalling the plugin https://dell.to/3WMRXdh
ALAV
1 Rookie
•
6 Posts
0
February 7th, 2025 16:23
Hi Josh,
I can't access your link, it says Page not found.
On my side, I finally found a solution. After changing the certificate, I went to the Cluster > Summary > Custom Attributes section, and changed the attribute for the thumbprint to the new one (that I get with the command from the VxRail Manager "openssl s_client -connect localhost:443 | openssl x509 -fingerprint -noout -sha1").
With this, I have access again to the VxRail configuration from the vCenter, but still with the renewal of the certificate at 25%.
I checked on the MOB page https://vcenter_IP/mob/?moid=ExtensionManager&doPath=extensionList%5b%22com.vmware.vxrail%22%5d.server but the plugin SSL thumbprint has not changed yet.
I found a script named "registrer_vxm_plugin_47300.py" on different websites to register the VxRail again. But it's not working either.
At this point, I guess I'll leave it like that and do nothing, if the only issue I get is to follow this certificate.
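The post above describes two places where vCenter keeps the VxRail Manager thumbprint (the cluster custom attribute and the `com.vmware.vxrail` extension entry in the MOB). The following added example, which is not from the thread or from Dell, computes the SHA-1 thumbprint of the certificate the appliance actually serves and reports which recorded values no longer match it. The function names and the labels passed on the command line are assumptions.

```python
import hashlib
import re
import ssl

def normalize(thumbprint):
    """Reduce any usual rendering of a SHA-1 thumbprint to 40 lowercase hex
    digits: 'SHA1 Fingerprint=AA:BB:..' (openssl), 'AA:BB:..' or plain hex."""
    value = thumbprint.split("=", 1)[-1]   # drop an openssl-style prefix
    digits = re.sub(r"[^0-9a-fA-F]", "", value).lower()
    if len(digits) != 40:
        raise ValueError("not a SHA-1 thumbprint: %r" % thumbprint)
    return digits

def served_thumbprint(host, port=443):
    """SHA-1 over the DER form of the certificate the endpoint presents.
    The chain is not validated here: the certificate is self-signed and the
    thumbprint comparison is the trust check."""
    pem = ssl.get_server_certificate((host, port))
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def stale_pins(served, recorded):
    """recorded maps a label to the thumbprint copied from vCenter.
    Returns the labels whose value differs from the served certificate."""
    want = normalize(served)
    return sorted(label for label, value in recorded.items()
                  if normalize(value) != want)

if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: check_pins.py <vxrail-manager-host> "
                 "label=thumbprint [label=thumbprint ...]")
    recorded = dict(arg.split("=", 1) for arg in sys.argv[2:])
    stale = stale_pins(served_thumbprint(sys.argv[1]), recorded)
    print("stale: " + (", ".join(stale) if stale else "none"))
```

A label reported as stale is a place where vCenter still holds the thumbprint of the previous certificate.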
l4ndo
1 Rookie
•
64 Posts
0
February 12th, 2025 10:14
I just came here looking for this exact topic, as our VxRail Manager cert is also about to expire like above.
These links above refer to vCenter certs; those are all fine and have been recently renewed. My issue is just this VxRail Manager cert. Our cluster is just about 2 years old, so this is the first time I've done this. Should I open a support ticket, or what is the normal process if everything is working OK?
DELL-Josh Cr
Moderator
•
9.2K Posts
0
February 12th, 2025 15:13
Yes, calling phone support is the best option.