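Overview

For early VMware users the "ten-year mark" has now arrived, and login problems, certificate errors and certificate alarms have been appearing one after another, mainly on versions 6.5 through 7.0. A VMware server virtualization environment involves many certificates of many types, and all sorts of odd problems turn up during an actual renewal. Some of these pitfalls cost a great deal of troubleshooting time; in extreme cases the following error showed up more than ten times in a single day:

    Reset status : 85% Completed [starting services...]
    Error while starting services, please see service-control log for more details
    Status : 0% Completed [Reset operation failed]
    please see /var/log/vmware/vmcad/certificate-manager.log for more information.

This article writes up a recent renewal case, together with some problems handled earlier, for reference only.

Certificate types

A running vCenter environment mainly contains the following certificates, and all of them need to be assessed whenever a full certificate renewal is required:

CA root certificate: the certificate authority, used to sign the other components' certificates. No other certificate's validity period exceeds that of the root certificate.
SSL certificate: used for the machine's secure SSL connections, that is, HTTPS communication with the vCenter host such as Web UI and API access.
Main solution certificates.
STS certificate: used for vCenter SSO (Single Sign-On) authentication and token issuance. It is renewed differently from the other certificates.
Host internal certificate: once a host is managed by vCenter, used for mutual authentication between vCenter and the ESXi host.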
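vCenter 6.7 certificate renewal case

Not long ago I renewed everything, from the root password to all the related certificates, on a VCSA 6.7 environment deployed purely by IP. The case is quite representative and convincing: on the one hand, 6.7 and 7.0 environments are probably the "main force" among those that need certificate renewal right now; on the other hand, some operations on 6.7 are more complicated because of the environment, which makes it a more worthwhile example.

One point needs emphasis: articles online and the official documentation are almost all based on vCenter deployed with a domain name, and there is almost nothing on pure-IP deployments. What follows uses a lab environment to reproduce a certificate renewal case from a production environment a few days earlier.

Original production environment

The VCSA was deployed by IP in 2015 and has been in use for a full 10 years. Recently, alarms for the STS certificate, host certificates and other related certificates have been appearing one by one in vCenter, and the root account can no longer log in normally.

Some of the tools mentioned in this article are in the attachment. Before starting, make a complete backup and take a snapshot.

Resetting the root account password

The customer had essentially never used the root account, so unsurprisingly it was locked. The first step is therefore to reset the root account.

Reboot the VCSA and, at the boot screen shown below, press "e" to enter the boot entry editor.

In the boot entry, append rw init=/bin/bash after consoleblank=0, as shown in the figure below, then press F10 to boot.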
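Once in edit mode, reset the root password directly with passwd:

    # Reset the root password
    root [/]# passwd

    # Reboot
    root [/]# umount /
    root [/]# reboot -f

The root password's default change interval is 90 days. If you do not want to change it that often, use the passwd -x command to change the number of days; the example for this case changes the interval to 10 years.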
STS certificate renewal

Once vCenter has started normally, connect to it over SSH with a CLI tool and run shell to enter BASH. First run chsh -s /bin/bash root so that WinSCP lands in BASH automatically when it connects; otherwise the connection reports an error.

    Connected to service
    * List APIs: help api list
    * List Plugins: help pi list
    * Launch BASH: shell
    Command>
    Command> shell
    Shell access is granted to root
    root@photon-machine [ ~ ]#
    root@photon-machine [ ~ ]# chsh -s /bin/bash root

Open WinSCP, enter the connection details and connect. Navigate to the /tmp directory and drag in the scripts and tools that may be needed.

Change to /tmp and run the check script to inspect the current STS certificate status:

    root@photon-machine [ ~ ]# cd /tmp
    root@photon-machine [ /tmp ]# python checksts.py
    2 VALID CERTS
    LEAF CERTS:
    [] Certificate 82:BE:A4:FD:2A:4F:D5:00:0B:7E:5A:0C:D8:59:8F:8F:FF:53:D7:A1 will expire in 3643 days (10 years).
    ROOT CERTS:
    [] Certificate 40:3B:B4:97:41:B8:22:3C:9E:C4:67:03:1B:46:D8:6D:C9:13:3E:AB will expire in 3643 days (10 years).
    0 EXPIRED CERTS
    LEAF CERTS:
    None
    ROOT CERTS:
    None
    root@photon-machine [ /tmp ]#

Run the fixsts script to renew automatically:

    root@photon-machine [ /tmp ]# chmod +x fixsts.sh
    root@photon-machine [ /tmp ]# ./fixsts.sh
    NOTE: This works on external and embedded PSCs
    This script will do the following
    1: Regenerate STS certificate
    What is needed?
    1: Offline snapshots of VCs/PSCs
    2: SSO Admin Password
    IMPORTANT: This script should only be run on a single PSC per SSO domain
    Resetting STS certificate for photon-machine started on Sat Jun 14 16:43:54 UTC 2025
    Detected DN: cn=10.102.102.55,ou=Domain Controllers,dc=vsphere,dc=local
    Detected PNID: 10.102.102.55
    Detected PSC: 10.102.102.55
    Detected SSO domain name: vsphere.local
    Detected Machine ID: 660063d0-76b8-4013-82f1-c40a54e6d252
    Detected IP Address: 10.102.102.55
    Domain CN: dc=vsphere,dc=local
    Detected Root's certificate expiration date: 2035 Jun 5
    Detected today's date: 2025 Jun 14
    Exporting and generating STS certificate
    Status : Success
    Using config file : /tmp/vmware-fixsts/certool.cfg
    Status : Success
    Enter password for administrator@vsphere.local:
    Amount of tenant credentials: 1
    Exporting tenant 1 to /tmp/vmware-fixsts
    Deleting tenant 1
    Amount of trustedcertchains: 1
    Exporting trustedcertchain 1 to /tmp/vmware-fixsts
    Deleting trustedcertchain 1
    Applying newly generated STS certificate to SSO domain
    adding new entry cn=TenantCredential-1,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
    adding new entry cn=TrustedCertChain-1,cn=TrustedCertificateChains,cn=vsphere.local,cn=Tenants,cn=IdentityManager,cn=Services,dc=vsphere,dc=local
    Replacement finished - Please restart services on all vCenters and PSCs in your SSO domain
    IMPORTANT: In case you're using HLM (Hybrid Linked Mode) without a gateway, you would need to re-sync the certs from Cloud to On-Prem after following this procedure
    root@photon-machine [ /tmp ]#

After the renewal, run the check script again. If the output shows anything abnormal, the following command prints the STS certificate's details for confirmation. It prompts for the LDAP password, that is, the credentials of the SSO administrator account.

    # SSO domain name and its LDAP base DN (vsphere.local -> dc=vsphere,dc=local)
    DMN=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-domain-name --server-name localhost)
    DMN_DN="dc=$(echo "$DMN" | sed -e 's/\./\,dc=/g')"
    # Read the tenant credential's certificate from vmdir and decode it with openssl
    ldapsearch -H ldap://localhost -D "cn=administrator,cn=users,$DMN_DN" -W \
      -b "cn=tenantcredential-1,cn=$DMN,cn=Tenants,cn=IdentityManager,cn=Services,$DMN_DN" \
      userCertificate -o ldif-wrap=no \
      | sed -s -n '11'p | sed 's/userCertificate:: //' \
      | awk '{print "-----BEGIN CERTIFICATE-----\n"$0"\n-----END CERTIFICATE-----"}' \
      | openssl x509 -noout -text -in /dev/stdin

Finally, restart all services.

VMCA certificate renewal (CA root certificate, SSL certificate and others)

This part is the core of the renewal. First query the current state of the certificates in VMCA with the command below; it should match what the Web UI shows (if they have not yet expired).

    root@photon-machine [ /tmp ]# for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
    STORE MACHINE_SSL_CERT
    Alias : __MACHINE_CERT
    Not After : Jun 10 19:02:40 2027 GMT
    STORE TRUSTED_ROOTS
    Alias : 403bb49741b8223c9ec467031b46d86dc9133eab
    Not After : Jun 5 07:02:40 2035 GMT
    STORE TRUSTED_ROOT_CRLS
    Alias : 02192decad8481f819ffe52cd7c709c8f94b525f
    Alias : 216edf2bf306d42ba42d17bbea1cd282abcc3da1
    STORE machine
    Alias : machine
    Not After : Jun 10 06:53:24 2027 GMT
    STORE vsphere-webclient
    Alias : vsphere-webclient
    Not After : Jun 10 06:53:25 2027 GMT
    STORE vpxd
    Alias : vpxd
    Not After : Jun 10 06:53:25 2027 GMT
    STORE vpxd-extension
    Alias : vpxd-extension
    Not After : Jun 10 06:53:26 2027 GMT
    STORE APPLMGMT_PASSWORD
    STORE data-encipherment
    Alias : data-encipherment
    Not After : Jun 10 06:55:15 2027 GMT
    STORE SMS
    Alias : sms_self_signed
    Not After : Jun 10 07:07:18 2035 GMT
    root@photon-machine [ /tmp ]#

Before renewing, confirm the following:

The current hostname and PNID. For a vCenter deployed by FQDN these two values should be identical; if they are not, they must be changed (see later in this article). A pure-IP deployment has no hard requirement.
The contents of vCenter's hosts file. In an FQDN environment, confirm that there is a record mapping the current IP to the FQDN, and correct it if anything is wrong. In any environment, record every IP and domain name that appears in hosts.

    root@photon-machine [ /tmp ]# hostname
    photon-machine
    root@photon-machine [ /tmp ]#
    root@photon-machine [ /tmp ]# /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
    10.102.102.55
    root@photon-machine [ /tmp ]#
    root@photon-machine [ /tmp ]# cat /etc/hosts

    # Begin /etc/hosts (network card version)
    127.0.0.1 localhost.localdomain
    127.0.0.1 localhost
    127.0.0.1 photon-machine
    # End /etc/hosts (network card version)
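
The pre-check above says to record every IP and name found in hosts. As an added example (not from the original article and not VMware tooling), the Python below turns that record and the PNID into the comma-separated IPAddress and Hostname answers that certificate-manager asks for. The function names are hypothetical and the sample input is constructed from the output shown in this article.

```python
import ipaddress

# Constructed sample: the /etc/hosts content and PNID shown in this article.
SAMPLE_HOSTS = """\
# Begin /etc/hosts (network card version)
127.0.0.1 localhost.localdomain
127.0.0.1 localhost
127.0.0.1 photon-machine
# End /etc/hosts (network card version)
"""
SAMPLE_PNID = "10.102.102.55"


def is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_hosts(text):
    """Return (addresses, names) from hosts-file text, ordered and de-duplicated."""
    addresses, names = [], []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments
        if len(fields) < 2 or not is_ip(fields[0]):
            continue                             # blank or malformed line
        addresses.append(fields[0])
        names.extend(fields[1:])
    return list(dict.fromkeys(addresses)), list(dict.fromkeys(names))


def san_answers(hosts_text, pnid):
    """Return (IPAddress answer, Hostname answer) as comma-separated strings."""
    addresses, names = parse_hosts(hosts_text)
    if not is_ip(pnid):
        # FQDN deployment: the article says the full domain name is enough.
        return ",".join(addresses), pnid
    # IP-only deployment: the PNID, every hosts address, and always loopback.
    ips = list(dict.fromkeys([pnid] + addresses + ["127.0.0.1"]))
    # Hostname gets every name in hosts plus every IP, not the IP alone.
    return ",".join(ips), ",".join(names + ips)


if __name__ == "__main__":
    ip_answer, host_answer = san_answers(SAMPLE_HOSTS, SAMPLE_PNID)
    print("IPAddress:", ip_answer)
    print("Hostname :", host_answer)
```
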

Enter VMCA by running certificate-manager and choose option 8 to re-sign all certificates:

    root@photon-machine [ /tmp ]# /usr/lib/vmware-vmca/bin/certificate-manager

Follow the wizard and supply the certificate information. This step is the crux of the whole procedure; note the following:

For the most part, answer Y and move on.
The geographic fields, including Country, State and Locality, are best filled in according to the actual situation.
For IPAddress, enter both the IP and 127.0.0.1.
Important: for Hostname, in an FQDN environment entering the full domain name is generally enough. In an IP environment, enter every domain name and IP record seen in hosts; in many scenarios, using only the IP causes the services to fail to start.

    Note : Use Ctrl-D to exit.
    Option[1 to 8]: 8
    Do you wish to generate all certificates using configuration file : Option[Y/N] ? : Y
    Please provide valid SSO and VC privileged user credential to perform certificate operations.
    Enter username [Administrator@vsphere.local]:
    Enter password:
    Please configure certool.cfg with proper values before proceeding to next step.
    Press Enter key to skip optional parameters or use Default value.
    Enter proper value for Country [Default value : US] : CN
    Enter proper value for Name [Default value : CA] : CA
    Enter proper value for Organization [Default value : VMware] :
    Enter proper value for OrgUnit [Default value : VMware Engineering] :
    Enter proper value for State [Default value : California] :Jiangsu
    Enter proper value for Locality [Default value : Palo Alto] :Suzhou
    ## Enter the relevant IP information
    Enter proper value for IPAddress (Provide comma separated values for multiple IP addresses) [optional] : 10.102.102.55,127.0.0.1
    Enter proper value for Email [Default value : email@acme.com] :
    ## Providing every related domain name and IP is recommended
    Enter proper value for Hostname (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : localhost.localdomain,localhost,photon-machine,10.102.102.55,127.0.0.1
    Enter proper value for VMCA Name :VMCA-New
    Continue operation : Option[Y/N] ? : y
    You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
    Continue operation : Option[Y/N] ? : y
    Get site name
    Completed [Reset Machine SSL Cert...]
    default-site
    Lookup all services
    ...
    Updated 34 service(s)
    Status : 60% Completed [Reset vpxd-extension Cert...]
    2025-06-13T02:09:53.372Z Updating certificate for com.vmware.vim.eam extension
    2025-06-13T02:09:53.764Z Updating certificate for com.vmware.rbd extension
    2025-06-13T02:09:54.149Z Updating certificate for com.vmware.imagebuilder extension
    Reset status : 100% Completed [Reset completed successfully]

The renewal has now succeeded.

Host certificate renewal

In the vCenter management console, select the expired host, go to Configure > Certificate, and renew the certificate directly.

Choose Yes.
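At this point essentially all of the certificate renewal work is done. The dates of the certificates at the top have been updated, and the original certificates are kept as backups below them.

Updating integrated systems

After the renewal, every system integrated with vCenter needs to accept the new thumbprint and the new SSL certificate again. Systems that may be involved include, but are not limited to:

ESXi hosts
Backup products: Veeam, NBU, Commvault and others
Monitoring and logging systems: Operations, Logs, Prometheus and others
Third-party products and plug-ins: NSX, SRM, Tanzu and others
Other products, such as Horizon and security products

In a Veeam environment, edit the vCenter again under Inventory and accept the new certificate; that is all that is needed.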
In Operations, under Administration > Integrations, test the vCenter connection again and accept the new certificate.

Other certificate-related problems and notes

The following collects some certificate renewal problems that may come in handy. Refer to it if the steps above still do not give a working renewal or other problems remain.

TIP: if the maintenance window allows, restart the services after each completed step of a certificate operation.

    service-control --stop --all
    service-control --start --all

Checking and changing the hostname and PNID

The PNID (Primary Network Identifier) is a key parameter in certificate configuration and directly affects service communication and authentication. Per the documentation, make sure the PNID and the hostname match before any certificate operation. This applies only to FQDN deployments; in the IP environment of this example it has little effect.

The following commands check the PNID and the hostname:

    root@photon-machine [ / ]# /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
    10.102.102.55
    root@photon-machine [ / ]# hostname
    photon-machine

If they do not match, change either the PNID or the hostname.

The following command changes the PNID:

    root@photon-machine [ / ]# /usr/lib/vmware-vmafd/bin/vmafd-cli set-pnid --server-name localhost --pnid 10.102.102.55

The hostname can be changed directly in the network settings at vc:5480, but in past experience that sometimes fails, so updating it through the CLI is recommended:

    root@photon-machine [ / ]# /opt/vmware/share/vami/vami_config_net
    Main Menu
    0) Show Current Configuration (scroll with Shift-PgUp/PgDown)
    1) Exit this program
    2) Default Gateway
    3) Hostname
    4) DNS
    5) Proxy Server
    6) IP Address Allocation for eth0
    Enter a menu number [0]: 3
    Warning: if any of the interfaces for this VM use DHCP, the Hostname, DNS, and Gateway parameters will be overwritten by information from the DHCP server.
    Type Ctrl-C to go back to the Main Menu
    New hostname [photon-machine]: 10.102.102.55
    set_ipv4 DEFULT_INT: eth0 DEFAULT_IPV4: 10.102.102.55 HN: 10 DN: 102.102.55
    set_ipv6 DEFULT_INT: eth0 DEFAULT_IPV6: HN: 10 DN: 102.102.55
    Host name has been set to 10.102.102.55
    Main Menu
    0) Show Current Configuration (scroll with Shift-PgUp/PgDown)
    1) Exit this program
    2) Default Gateway
    3) Hostname
    4) DNS
    5) Proxy Server
    6) IP Address Allocation for eth0
    Enter a menu number [0]: 1
    root@photon-machine [ / ]# hostname
    10.102.102.55

When finished, run the commands again to check.

Repairing certificates with lsdoctor

lsdoctor is a diagnostic and repair tool provided officially by VMware, mainly for resolving problems in the vCenter Lookup Service database and in vCenter's local data. It can detect and repair problems caused by certificate errors, topology changes, failed upgrades or improper maintenance operations.

If the services still cannot run or start normally after the certificates have been re-issued as described above, try repairing with lsdoctor.

As before, download the tool, drop it into the /tmp directory with WinSCP, then change to that directory and unzip it:

    root@10 [ /tmp ]# unzip lsdoctor-250331.zip
    Archive: lsdoctor-250331.zip
    9382ea0488e19f33a27ce096b84e2ca95c8a9ee2
    creating: lsdoctor-250331/
    inflating: lsdoctor-250331/CHANGELOG
    inflating: lsdoctor-250331/README
    inflating: lsdoctor-250331/config_log.ini
    creating: lsdoctor-250331/lib/
    inflating: lsdoctor-250331/lib/init.py
    inflating: lsdoctor-250331/lib/lsdoctor_defaults.py
    inflating: lsdoctor-250331/lib/lsreport.py
    inflating: lsdoctor-250331/lib/lstool_parse.py
    inflating: lsdoctor-250331/lib/lstool_scan.py
    inflating: lsdoctor-250331/lib/pscha.py
    inflating: lsdoctor-250331/lib/rebuild.py
    inflating: lsdoctor-250331/lib/solutionusers.py
    inflating: lsdoctor-250331/lib/stale.py
    inflating: lsdoctor-250331/lib/trust.py

Change into the directory and run lsdoctor.py -l. This option checks the lookup service for possible problems; it only detects and has no impact on the workload.

    root@10 [ /tmp ]# cd lsdoctor-250331
    root@10 [ /tmp/lsdoctor-250331 ]#
    root@10 [ /tmp/lsdoctor-250331 ]# python lsdoctor.py -l
    ATTENTION: You are running a reporting function. This doesn't make any changes to your environment.
    You can find the report and logs here: /var/log/vmware/lsdoctor
    2025-06-15T02:31:07 INFO main: You are reporting on problems found across the SSO domain in the lookup service. This doesn't make changes.
    2025-06-15T02:31:07 INFO livecheckCerts: Checking services for trust mismatches...
    2025-06-15T02:31:07 INFO generateReport: Listing lookup service problems found in SSO domain
    2025-06-15T02:31:07 INFO generateReport: No issues detected in the lookup service entries for 10.102.102.55 (Embedded).
    2025-06-15T02:31:07 INFO generateReport: Report generated: /var/log/vmware/lsdoctor/10.102.102.55-2025-06-15-023107.json

If the check reports errors, run lsdoctor.py -t to repair them; the SSO administrator credentials are required.

    root@10 [ /tmp/lsdoctor-250331 ]# python lsdoctor.py -t
    WARNING: This script makes permanent changes. Before running, please take OFFLINE snapshots
    of all VCs and PSCs at the SAME TIME. Failure to do so can result in PSC or VC inconsistencies.
    Logs can be found here: /var/log/vmware/lsdoctor
    2025-06-15T02:31:31 INFO main: You are checking for and fixing SSL trust mismatches in the local SSO site. NOTE: Please run this script one PSC or VC per SSO site.
    Have you taken offline (PSCs and VCs powered down at the same time) snapshots of all nodes in the SSO domain or supported backups?[y/n]y
    Provide password for administrator@vsphere.local:
    2025-06-15T02:31:37 INFO init: Retrieved services from SSO site: default-site
    2025-06-15T02:31:37 INFO findAndFix: Checking services for trust mismatches...
    2025-06-15T02:31:37 INFO findAndFix: No mismatches were found
    2025-06-15T02:31:37 INFO main: Please restart services on all PSCs and VCs when you're done.

For more on lsdoctor, see the following KB:
https://knowledge.broadcom.com/external/article/320837/using-the-lsdoctor-tool.html

Renewing and maintaining certificates with the vCert tool

On 7.0 and later, VMware recommends vCert for certificate management. vCert is roughly an enhanced VMCA: it manages at a finer granularity and also provides some functions that VMCA does not include. For detailed usage see the KB:
https://knowledge.broadcom.com/external/article/385107

Renewing the Data-encipherment certificate

After all the earlier certificates were renewed, the Data-encipherment certificate was not. This certificate is used for SSL data encryption. In the cases encountered so far, no impact of this certificate on workloads or management has been found. If it needs renewing, see the following KB:
https://knowledge.broadcom.com/external/article/312152/replacing-an-expired-dataencipherment-ce.html

Cleaning up old certificate backups

Once all certificates have been renewed, the old certificates are backed up in VECS under the name "bkp". They can generally be ignored; if needed, they can be cleaned up with the vCert tool mentioned above.

Choose 11 in the vCert menu to clear them.
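Summary

Certificates are the invisible foundation of any IT system. Like a passport or a business licence in the real world, a certificate is the only trusted proof of a service's identity, and the operation and management of every certificate deserves more attention.
Never assume the "default configuration" suits you. The "standard procedure" in tutorials and documentation may overlook edge cases; before any operation, first confirm what is particular about your environment and how the procedure actually works.
Before any certificate operation, take backups and snapshots.
Make good use of logs: 90% of certificate problems reveal their cause directly in the logs.
Improve certificate lifecycle management, for example by setting enough calendar reminders.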
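
To put the lifecycle-management point into practice, this added example (not part of the original article, nor VMware tooling) parses output in the shape of the vecs-cli store listing from the VMCA section and reports entries that are expired or due within a warning window. The function names are hypothetical and the sample listing is constructed from values shown earlier in the article.

```python
from datetime import datetime, timezone

# Constructed sample in the shape of the store listing shown in this article.
SAMPLE_LISTING = """\
STORE MACHINE_SSL_CERT
Alias : __MACHINE_CERT
            Not After : Jun 10 19:02:40 2027 GMT
STORE TRUSTED_ROOTS
Alias : 403bb49741b8223c9ec467031b46d86dc9133eab
            Not After : Jun  5 07:02:40 2035 GMT
STORE TRUSTED_ROOT_CRLS
Alias : 02192decad8481f819ffe52cd7c709c8f94b525f
STORE APPLMGMT_PASSWORD
STORE SMS
Alias : sms_self_signed
            Not After : Jun 10 07:07:18 2035 GMT
"""


def parse_listing(text):
    """Yield (store, alias, not_after) for every entry that carries an expiry."""
    store = alias = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("STORE "):
            store, alias = line[len("STORE "):].strip(), None
        elif line.startswith("Alias"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Not After") and store and alias:
            stamp = " ".join(line.split(":", 1)[1].split())   # collapse "Jun  5"
            when = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
            yield store, alias, when.replace(tzinfo=timezone.utc)
            alias = None                                      # one expiry per alias


def expiring(text, now, warn_days=60):
    """Return [(store, alias, days_left)] for entries expired or due within warn_days."""
    due = [(s, a, (t - now).days) for s, a, t in parse_listing(text)]
    return sorted((e for e in due if e[2] <= warn_days), key=lambda e: e[2])


if __name__ == "__main__":
    # On the appliance, feed in the real output of the article's vecs-cli loop
    # and use datetime.now(timezone.utc) instead of this fixed date.
    today = datetime(2027, 5, 1, tzinfo=timezone.utc)
    for store, alias, days in expiring(SAMPLE_LISTING, today):
        state = "EXPIRED" if days < 0 else "due in %d days" % days
        print("%-20s %-20s %s" % (store, alias, state))
```

Stores without a Not After line, such as the CRL store, are skipped, and the STS signing certificate is not part of this listing; it is checked separately with checksts.py as shown in the STS section.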