Remove expired root certificates from a vCenter Server the easy way

I see a lot of vCenter Servers that still carry expired root certificates. In the vSphere Client, under Administration > Certificates > Certificate Management, the Trusted Root Certificates list shows them with their expiry dates.

Expired root certificates can be removed from the vCenter Server with the "vecs-cli" command on the vCenter Server Appliance; the vSphere Client cannot delete them. That procedure involves multiple steps (VMware KB). An easier way to clean up expired root certificates is PowerCLI, using the steps below:

  • Make sure that PowerCLI is installed. If not use the following command in PowerShell to install PowerCLI:
Install-Module VMware.PowerCLI -Scope CurrentUser -Force -SkipPublisherCheck -AllowClobber
  • Connect to the vCenter Server
Connect-VIServer "VCENTER-FQDN"
  • List the expired root certificates and review the output before removing anything
Get-VITrustedCertificate -vCenterOnly | Where-Object { $_.NotValidAfter -lt (Get-Date) }
  • Remove the expired root certificates
Get-VITrustedCertificate -vCenterOnly | Where-Object { $_.NotValidAfter -lt (Get-Date) } | Remove-VITrustedCertificate

With the last PowerCLI one-liner, all expired root certificates are removed from the VCSA in one go, which is a lot less work than the vecs-cli procedure. Note that -vCenterOnly limits the query to the vCenter Server's own trust store; the ESXi hosts keep their own TRUSTED_ROOTS store and are not touched by this command.
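
The same cleanup as a small script, added here as an example and not code from the original post. It reports the expired trusted roots first, flags the case where an expired root is still the issuer of the Machine SSL certificate (in which case the chain is already broken and the root should not simply be deleted), and only removes certificates when -Remove is given. It assumes PowerCLI 12.1 or later, where Get-VITrustedCertificate, Get-VIMachineCertificate and Remove-VITrustedCertificate are available and each returned object exposes the underlying X509Certificate2 in its Certificate property; verify the property names with Get-Member if your version differs.

```powershell
# Added example (not from the original post). Report expired TRUSTED_ROOTS entries on a
# vCenter Server and remove them only when -Remove is given.
# Assumptions: PowerCLI 12.1+, an account with certificate-management rights on vCenter,
# and TrustedCertificateInfo/MachineCertificateInfo objects exposing .Certificate (X509Certificate2).
param(
    [Parameter(Mandatory)] [string] $VCenter,   # FQDN of the vCenter Server
    [switch] $Remove                             # without this the script only reports
)

Connect-VIServer -Server $VCenter | Out-Null
$now = Get-Date

$expired = @(Get-VITrustedCertificate -VCenterOnly | Where-Object { $_.NotValidAfter -lt $now })
if ($expired.Count -eq 0) {
    Write-Host "No expired trusted root certificates on $VCenter"
    Disconnect-VIServer -Server $VCenter -Confirm:$false
    return
}

# Issuer DN of the certificate vCenter presents on TCP 443 (Machine SSL). If an expired
# root is still its issuer, removing the root does not repair anything: replace the
# Machine SSL certificate first. The comparison is a coarse DN-string match.
$machineIssuer = (Get-VIMachineCertificate -VCenterOnly).Certificate.Issuer

$report = foreach ($c in $expired) {
    [pscustomobject]@{
        Subject          = $c.Certificate.Subject
        Thumbprint       = $c.Certificate.Thumbprint
        NotValidAfter    = $c.NotValidAfter
        IssuesMachineSSL = ($c.Certificate.Subject -eq $machineIssuer)
    }
}
$report | Format-Table -AutoSize

if (-not $Remove) {
    Write-Host "Dry run: re-run with -Remove to delete the certificates listed above"
} elseif ($report.IssuesMachineSSL -contains $true) {
    Write-Warning "An expired root still issued the Machine SSL certificate; replace that certificate before cleaning up"
} else {
    $expired | Remove-VITrustedCertificate -Confirm:$false
    Write-Host "Removed $($expired.Count) expired trusted root certificate(s) from $VCenter"
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without -Remove to get the report, keep the thumbprints for your change record, then run it again with -Remove.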

Patch a vCenter Server High Availability (VCHA) environment

Last week I tried to patch a vCenter Server High Availability (VCHA) cluster on vSphere 7. The documentation still describes the same procedure as in version 6.x: patch the witness node first, then the passive node, fail over so the patched node becomes active, and then patch the former active node using the software-packages tool. The whole process is described in this link.

When I tried to stage the ISO on the witness node the following error occurred:

You can not patch a vCenter Server appliance in a vCenter HA cluster. resolution: You must remove the vCenter HA configuration, apply patches to vCenter Server appliance, and then reconfigure your vCenter HA deployment.

So I removed the vCenter HA configuration and patched the now stand-alone vCenter Server Appliance.

After patching the single VCSA, I redeployed the VCHA cluster. Keep in mind that the vCenter Server has no failover protection between removing the VCHA configuration and redeploying it, so plan the maintenance window accordingly.

Conclusion: the vCenter HA documentation still describes the VCHA 6 in-place update procedure, which no longer works on 7: the appliance refuses to stage a patch while it is part of a vCenter HA cluster. I will update this article when more information becomes available.

Adding a static route to a vCenter Server with multiple Network Interface Cards (NICs)

For a Disaster Recovery (DR) site, I designed a separate, isolated VMware Horizon environment. The vCenter Server has an external (eth0) and an internal (eth1) IP address. The external connection is used for management and for restoring production VMs into the DR environment. The internal connection is used by the Horizon infrastructure components that need access to the vCenter Server, such as the VMware Horizon Connection Servers and VMware App Volumes. Simplified: eth0 faces the external management network, eth1 faces the internal Horizon network.

A static route to the Horizon subnet is required because the Horizon Connection Servers and VMware App Volumes integrate with the vCenter Server from that subnet, and the default gateway sits on eth0. Without the route, replies to the Horizon components would leave via the external management interface instead of eth1, which breaks the isolation and gives asymmetric routing.

Here are the steps outlined to create such an environment:

  • The first thing after deploying a new vCenter Server is adding an extra NIC (VMXNET3). The steps are explained in the following article: KB2147155
  • Add the NIC to the correct internal PortGroup
  • Open the VAMI interface (https://<IP_Address>:5480) of the vCenter Server and add the IP configuration of eth1 (NIC1).

  • Enable SSH in the VAMI interface (Access – Edit – Enable SSH login)
  • Make an SSH session to vCenter Server and log in with root and the correct password
  • Enter "shell" to launch the Bash shell
  • Browse to the following location:
cd /etc/systemd/network
  • There are two files in this directory (10-eth0.network and 10-eth1.network). 10-eth0.network represents eth0 and looks like:
[Match]
Name=eth0

[Network]
Gateway=10.2.145.249
Address=10.2.145.202/24
DHCP=no

[DHCP]
UseDNS=false
  • The 10-eth1.network file represents eth1 and looks like this:
[Match]
Name=eth1
[Network]
Address=192.168.0.102/24
DHCP=no
[DHCP]
UseDNS=false
  • Add the static route by adding a [Route] section to 10-eth1.network, so the file becomes:
[Match]
Name=eth1
[Network]
Address=192.168.0.102/24
DHCP=no
[DHCP]
UseDNS=false

[Route]
Gateway=192.168.0.1
Destination=10.21.9.0/24
  • Restart systemd-networkd to apply the change (this can briefly interrupt connectivity on both interfaces, including your SSH session):
systemctl restart systemd-networkd.service
  • Check that the route was added with the route -n command (ip route show gives the same information):
root@vcdr01 [ /etc/systemd/network ]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.2.145.249    0.0.0.0         UG    0      0        0 eth0
10.2.145.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.21.9.0       192.168.0.1     255.255.255.0   UG    0      0        0 eth1
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
  • Test with the ping command from the vCenter Server whether the Horizon infrastructure components in the 10.21.9.0/24 subnet are reachable; ip route get <Horizon IP> shows which interface and gateway the kernel selects, which should be eth1 via 192.168.0.1. Also test from a Horizon Connection Server that the vCenter Server answers on its internal address.
  • Disable SSH login again in the VAMI interface (Access – Edit) when you are done; the appliance is now reachable from two networks and SSH should not stay enabled on either of them.
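
The first two steps (adding the VMXNET3 adapter and attaching it to the internal port group) can also be done with PowerCLI. The script below is an added example, not code from the original post. It connects to the ESXi host (or another vCenter Server) that runs the VCSA virtual machine, refuses to continue if the VM already has more than one adapter, refuses to attach the new adapter to the port group that eth0 already uses (otherwise eth1 would just be a second path into the management network instead of an isolated one), and verifies the result. The server, VM and port group names are assumptions.

```powershell
# Added example (not from the original post): add the internal NIC for the vCenter Server
# VM with PowerCLI and verify it landed on the intended, isolated port group.
# Assumed names: adjust $Server, $VmName and $InternalPortGroup to your environment.
param(
    [string] $Server            = "esxi01.example.local",   # host or vCenter that manages the VCSA VM
    [string] $VmName            = "vcdr01",                 # the VCSA virtual machine
    [string] $InternalPortGroup = "PG-Horizon-Internal"     # isolated Horizon port group
)

Connect-VIServer -Server $Server | Out-Null
$vm = Get-VM -Name $VmName

# The procedure assumes eth0 = the existing adapter and eth1 = the one added here,
# so stop if the VM does not have exactly one adapter.
$existing = @(Get-NetworkAdapter -VM $vm)
if ($existing.Count -ne 1) {
    throw "Expected exactly one network adapter on $VmName, found $($existing.Count)"
}

# Do not put the internal NIC on the same port group as the management NIC.
if ($existing[0].NetworkName -eq $InternalPortGroup) {
    throw "$InternalPortGroup is already the port group of the management adapter on $VmName"
}

$new = New-NetworkAdapter -VM $vm -NetworkName $InternalPortGroup -Type Vmxnet3 -StartConnected -Confirm:$false

# Re-read the adapter and verify type, port group and connection state.
$nic = Get-NetworkAdapter -VM $vm | Where-Object { $_.Name -eq $new.Name }
if ($nic.Type -ne 'Vmxnet3' -or $nic.NetworkName -ne $InternalPortGroup -or -not $nic.ConnectionState.Connected) {
    throw "Adapter $($nic.Name) is not a connected VMXNET3 adapter on $InternalPortGroup"
}
Write-Host "Added $($nic.Name) ($($nic.MacAddress)) on $InternalPortGroup; configure it as eth1 in the VAMI"

Disconnect-VIServer -Server $Server -Confirm:$false
```

The MAC address printed at the end is the easiest way to confirm in the VAMI that the interface you are configuring as eth1 is the adapter on the internal port group and not the management one.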