Remove expired root certificates from a vCenter Server the easy way

I see a lot of vCenter Servers that have expired root certificates. In the vCenter Server Appliance Administration section under Certificate Management, you can see the expired certificates.

Cleaning up expired root certificates on the vCenter Server can be done with the “vecs-cli” command on the vCenter Server Appliance (this is not possible in the vSphere Client). This involves multiple steps (VMware KB). An easier way to clean up expired root certificates is to use PowerCLI and follow the steps below:

  • Make sure that PowerCLI is installed. If not use the following command in PowerShell to install PowerCLI:
Install-Module VMware.PowerCLI -Scope CurrentUser -Force -SkipPublisherCheck -AllowClobber
  • Connect to the vCenter Server
Connect-VIServer "VCENTER-FQDN"
  • List the expired root certificates
Get-VITrustedCertificate -vCenterOnly | Where-Object { $_.NotValidAfter -lt (Get-Date) }
  • Remove the expired root certificates
Get-VITrustedCertificate -vCenterOnly | Where-Object { $_.NotValidAfter -lt (Get-Date) } | Remove-VITrustedCertificate

With the last PowerCLI one-liner, all the expired root certificates are removed from the VCSA. This is less complex than using the “vecs-cli” command.
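As an added example (not from the original post), the same cleanup wrapped in a small script that first records which entries are expired and then runs the removal as a dry run unless -Remove is given. The property names other than NotValidAfter (Id, Subject, Issuer) and the -WhatIf/-Confirm support of Remove-VITrustedCertificate are assumptions about the PowerCLI object model; "VCENTER-FQDN" is a placeholder.

```powershell
# Added example, not from the original post. Requires VMware.PowerCLI.
# Assumed: Get-VITrustedCertificate objects expose Id, Subject, Issuer and
# NotValidAfter, and Remove-VITrustedCertificate supports -WhatIf/-Confirm
# like other PowerCLI Remove-* cmdlets.
param(
    [string]$Server = "VCENTER-FQDN",   # placeholder, replace with your vCenter
    [switch]$Remove                     # without this switch nothing is deleted
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $Server -ErrorAction Stop | Out-Null

function Get-ExpiredVITrustedCertificate {
    # Only the vCenter trust store (VECS), not the ESXi hosts.
    $now = Get-Date
    Get-VITrustedCertificate -vCenterOnly |
        Where-Object { $_.NotValidAfter -lt $now }
}

$expired = @(Get-ExpiredVITrustedCertificate)
if ($expired.Count -eq 0) {
    Write-Host "No expired trusted root certificates found."
}
else {
    # Review what is about to be removed and keep an inventory: an expired
    # root may still be the issuer of a certificate referenced elsewhere.
    $summary = $expired | Select-Object Id, Subject, Issuer, NotValidAfter
    $summary | Format-Table -AutoSize

    $log = Join-Path $env:TEMP ("expired-roots-{0:yyyyMMdd-HHmm}.csv" -f (Get-Date))
    $summary | Export-Csv -Path $log -NoTypeInformation
    Write-Host "Inventory written to $log"

    if ($Remove) {
        # Same pipeline as the one-liner above, but with a confirmation prompt.
        $expired | Remove-VITrustedCertificate -Confirm:$true
    }
    else {
        # Dry run: shows which entries would be removed without touching VECS.
        $expired | Remove-VITrustedCertificate -WhatIf
    }
}

Disconnect-VIServer -Server $Server -Confirm:$false
```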

Blue circle in the vSphere client after upgrading to vCenter Server 6.7 Update 2

After upgrading the vCenter Server Appliance (VCSA) to version 6.7 Update 2, I tried to log in using the vSphere Client. After entering the credentials an endless blue running circle appears.

In the VAMI interface (https://vcsa-fqdn:5480) of the VCSA, the health statistics of all the components are green (okay) so I decided to reboot the VCSA.

After the VCSA reboot I encountered the same blue running circle when trying to log in using the vSphere Client. I tried Firefox, Google Chrome and Internet Explorer. The only browser that worked was Internet Explorer. I never used Internet Explorer before, so I tried to clear the cache of Google Chrome and Firefox using the following methods:

Clear cache, cookies and history of Google Chrome:

  • Open Chrome.
  • At the top right, click More
  • Click More tools and then Clear browsing data
  • Time range: All time
  • Select Browsing history, Cookies and other site data, and Cached images and files
  • Click Clear data

Clear cache and cookies of Firefox browser:

  • Open Firefox
  • In the address bar enter: about:preferences
  • Click Privacy & Security
  • Under Cookies and Site Data select Clear Data
  • Check Cookies and Site Data and Cached Web Content
  • Click Clear and select Clear Now

After clearing the cache I was able to log in using the vSphere Client without the endless blue circle. So make sure to clear the cache of the browser(s) when experiencing the circle problem.

vCenter Server Appliance (vCSA) automated/unattended deployment

Installing the vCenter Server Appliance (vCSA) automatically using an unattended scripted deployment can be done from the command line (CLI) in combination with a JSON config file. In this example an embedded vCenter Server Appliance with the Platform Services Controller (PSC) and vCenter Server role will be deployed.

Prerequisites:

  • This example is based on a Windows operating system. Using Linux or macOS is also possible but not covered in this blog.
  • Make sure the FQDN of the vCSA is resolvable by a DNS server and check if reverse lookup works.

Steps to perform:

  • Download the vCenter Server Appliance (VCSA) ISO (version 6.5 or 6.7)
  • Mount the ISO
  • The CLI installer for Windows requires a Microsoft Visual C++ Redistributable version 14.0. This requirement can be checked with the following command:
\vcsa-cli-installer\win32\check_windows_vc_redist.bat
  • Navigate to the JSON templates. The vCSA ISO contains template JSON files that can be used for deploying the vCSA. The templates can be found on the ISO in the following folder:
\vcsa-cli-installer\templates\install

The following template types are available:

  • embedded_vCSA_on_*.json: Platform Services Controller (PSC) and vCSA together on one system
  • PSC_on_*.json: Only a PSC
  • vCSA_on_*.json: Only a vCSA
  • *_on_ESXi.json: Install onto the ESXi host specified in the JSON file
  • *_on_VC.json: Install onto a host managed by the vCenter instance specified in the JSON file
  • Edit the template “embedded_vCSA_on_ESXi.json” (or use the example below) with your favorite editor (I use Notepad++) and save it to a writable location (in the CLI syntax you need to point to this modified JSON file). The template contains the minimal parameters needed to deploy the embedded vCSA. The vCSA will be deployed as tiny (2 vCPU, 10 GB memory, 300 GB storage). An overview of all parameters that can be used is found here, link.

Example JSON file to deploy an embedded vCenter Server Appliance with the PSC and vCenter components:

{
    "__version": "2.13.0",
    "__comments": "Sample template to deploy a vCenter Server Appliance with an embedded Platform Services Controller on an ESXi host.",
    "new_vcsa": {
        "esxi": {
            "hostname": "192.168.11.10",
            "username": "root",
            "password": "VMwaaare01!",
            "deployment_network": "vlan13-srv",
            "datastore": "SSD-M2-01"
        },
        "appliance": {
            "__comments": [
                "You must provide the 'deployment_option' key with a value, which will affect the VCSA's configuration parameters, such as the VCSA's number of vCPUs, the memory size, the storage size, and the maximum numbers of ESXi hosts and VMs which can be managed. For a list of acceptable values, run the supported deployment sizes help, i.e. vcsa-deploy --supported-deployment-sizes"
            ],
            "thin_disk_mode": true,
            "deployment_option": "tiny",
            "name": "vcsa03.lab.local"
        },
        "network": {
            "ip_family": "ipv4",
            "mode": "static",
            "ip": "192.168.13.13",
            "dns_servers": [
                "192.168.13.101"
            ],
            "prefix": "24",
            "gateway": "192.168.13.254",
            "system_name": "vcsa03.lab.local"
        },
        "os": {
            "password": "VMware01!",
            "ntp_servers": "pool.ntp.org",
            "ssh_enable": true
        },
        "sso": {
            "password": "VMware01!",
            "domain_name": "vsphere.local"
        }
    },
    "ceip": {
        "description": {
            "__comments": [
                "++++VMware Customer Experience Improvement Program (CEIP)++++",
                "VMware's Customer Experience Improvement Program (CEIP) ",
                "provides VMware with information that enables VMware to ",
                "improve its products and services, to fix problems, ",
                "and to advise you on how best to deploy and use our ",
                "products. As part of CEIP, VMware collects technical ",
                "information about your organization's use of VMware ",
                "products and services on a regular basis in association ",
                "with your organization's VMware license key(s). This ",
                "information does not personally identify any individual. ",
                "",
                "Additional information regarding the data collected ",
                "through CEIP and the purposes for which it is used by ",
                "VMware is set forth in the Trust & Assurance Center at ",
                "http://www.vmware.com/trustvmware/ceip.html . If you ",
                "prefer not to participate in VMware's CEIP for this ",
                "product, you should disable CEIP by setting ",
                "'ceip_enabled': false. You may join or leave VMware's ",
                "CEIP for this product at any time. Please confirm your ",
                "acknowledgement by passing in the parameter ",
                "--acknowledge-ceip in the command line.",
                "++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
            ]
        },
        "settings": {
            "ceip_enabled": true
        }
    }
}

The first deployments failed when using the FQDN ESXi hostname in the JSON file, with the following error:

OVF Tool: Transfer Failed
OVF Tool: Error: Failed to send http data
Deployment failed. OVF Tool return error code: 1

I checked the logs but didn’t find any clue. The FQDN of the ESXi host was resolvable by DNS, but after changing the ESXi FQDN to the IP address of the ESXi host in the JSON file the deployment finished without errors.

  • Perform a template JSON verification without installing:
vcsa-deploy install --accept-eula --verify-template-only <JSON file path>
  • Perform the actual deployment
vcsa-deploy.exe install --accept-eula --acknowledge-ceip --terse --no-ssl-certificate-verification <JSON file path>
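As an added example (not from the original post or from VMware's installer), a PowerShell wrapper around the steps above: it reads the JSON template, checks the DNS prerequisite (forward and reverse lookup of the appliance name, plus a forward lookup of the ESXi target, the value that caused the "Transfer Failed" error above), tightens the permissions on the template because it holds cleartext passwords, and runs the template verification before the real deployment. The ISO drive letter and the vcsa-deploy.exe path are assumptions; Resolve-DnsName needs the DnsClient module (Windows 8/Server 2012 and later).

```powershell
# Added example, not part of the original post or the VMware installer.
# Assumed: the ISO is mounted as $IsoDrive and Resolve-DnsName is available.
param(
    [Parameter(Mandatory)][string]$TemplatePath,
    [string]$IsoDrive = "E:",
    [switch]$Deploy   # without this switch only the template verification runs
)

$deployExe = Join-Path $IsoDrive "vcsa-cli-installer\win32\vcsa-deploy.exe"
$template  = Get-Content -Path $TemplatePath -Raw | ConvertFrom-Json

function Test-ForwardAndReverse([string]$Name, [string]$Ip) {
    # Prerequisite from the post: FQDN must resolve and reverse lookup must work.
    $a = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
    if (@($a.IPAddress) -notcontains $Ip) {
        throw "$Name resolves to $($a.IPAddress -join ',') but the template says $Ip"
    }
    $ptr   = Resolve-DnsName -Name $Ip -Type PTR -ErrorAction Stop
    $names = @($ptr.NameHost | ForEach-Object { $_.TrimEnd('.') })
    if ($names -notcontains $Name) {
        throw "Reverse lookup of $Ip returned $($names -join ','), expected $Name"
    }
}

$net  = $template.new_vcsa.network
$esxi = $template.new_vcsa.esxi
Test-ForwardAndReverse -Name $net.system_name -Ip $net.ip

# Target ESXi host: the post hit "OVF Tool: Transfer Failed" with an FQDN here,
# so at least confirm the name resolves before starting the upload.
if ($esxi.hostname -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
    Resolve-DnsName -Name $esxi.hostname -Type A -ErrorAction Stop | Out-Null
}

# The template holds cleartext ESXi root, OS and SSO passwords: limit the
# file's ACL to the deploying user instead of whatever the folder inherits.
icacls $TemplatePath /inheritance:r /grant:r "${env:USERNAME}:(R,W)" | Out-Null

& $deployExe install --accept-eula --verify-template-only $TemplatePath
if ($LASTEXITCODE -ne 0) { throw "Template verification failed ($LASTEXITCODE)" }

if ($Deploy) {
    # --no-ssl-certificate-verification skips checking the ESXi host's
    # certificate, so the upload trusts whatever answers at that address.
    & $deployExe install --accept-eula --acknowledge-ceip --terse `
        --no-ssl-certificate-verification $TemplatePath
}
```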

When the unattended deployment finished, an embedded vCenter Server Appliance with the Platform Services Controller (PSC) and vCenter Server role is ready to rumble.

I created a GitHub repository for the deployment and parameters, link.

VMware documentation about the CLI deployment can be found here, link.