Building a lab – recurring issues

While preparing for an exam (VCAP Network Virtualization Deployment) I started a rebuild of my lab. During this process I encountered several issues, and this post keeps track of them and their solutions. Keep in mind that I try to write them down in the order I experienced them, but I cannot give any guarantees.

“No host is compatible with the virtual machine”

After deploying the NSX Manager appliance I could not start the VM, but the error was very clear: the nested ESXi hosts I had deployed had only 2 vCPUs, and the NSX Manager VM needs 4. The fix was simple: give the nested ESXi hosts 4 vCPUs. After that the NSX Manager started.

“SSL Certificate of STS service could not be verified”

When I configured the NSX Lookup Service URL I got an error telling me that there was something wrong with the certificate of the STS service. A quick search brought me to this site: https://techie.cloud/blog/2019/04/21/issue-setting-up-lookup-service-in-nsx-manager-6.4.4/

The cause is a stale registration: the Lookup Service still advertises the STS endpoint with the certificate it was registered with, while vCenter now presents a different machine SSL certificate, so the certificate check NSX performs fails. The solution is to update the certificate recorded for the STS endpoint so it matches the machine SSL certificate vCenter actually uses. Log in to the vCenter appliance over SSH and list the current registration:

/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso

The output lists the registered STS endpoint. The base64 string after SSL Trust: is the certificate the Lookup Service currently advertises for that endpoint, and it is the one that has to be replaced. Open a text editor and build the commands that turn it into a PEM file, starting from this text:

mkdir /certificate
cd /certificate

cat <<'EOF' > /certificate/old_lookup_cert.cert
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF

Now copy the certificate string and paste it between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. Use a single > rather than >> so that running the commands twice does not append a second copy of the certificate to the file.

You would end up with something like this:

mkdir /certificate
cd /certificate

cat <<'EOF' > /certificate/old_lookup_cert.cert
-----BEGIN CERTIFICATE-----
MIIGCzCCA/OgAwIBAgITIwAAAAdA2h3EY7GLggAAAAAABzANBgkqhkiG9w0BAQsFADAQMQ4
wDAYDVQQDEwVMYWJDQTAeFw0yMDAxMzAxOTAxNDVaFw0yMTAxMzAxOTExNDVaMHAxCzAJBg
NVBAYTAk5MMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlQdXJtZXJlbmQxE
DAOBgNVBAoTB0hvbWVsYWIxDDAKBgNVBAsTA0lDVDEVMBMGA1UEAxMMdmMubGFiLmxvY2Fs
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtdVAwu7YgOZHDlE9LqtEfrv1jLO
YqDHXbMfZnq2KFr3jQJLxKTxr48LMEXQKkO9PHRwXlWeJL4XSa20HyokYdNv1w3b8Q7LZdq
grqk9klthFnRe49qKD9JM78zzvtbyItKuvaKmwbU4D6ee3JClncUDA4ae1gz22GXMQ4Pvso
Hy2njyP6oVpB3WPKJuFUG4i340XvhJU+pJLRSKDUs+FU7ru7dkAkzaKGT+Qq7LHx77WphNR
LlvTk4kHzJGyiMhx0lkEBxAjWFN6SRFFG2cKd/Uphk+74anoLbAfsL148GnaK34Afry8NIF
uJLGplUG6g1h54bBma0Nl12oPqE/WnwIDAQABo4IB/DCCAfgwHQYDVR0OBBYEFBKkqNImwT
Dz+2XDUR0256v4vyavMDEGA1UdEQQqMCiBGGplcm9lbi5idXJlbkBvdXRsb29rLmNvbYIMd
mMubGFiLmxvY2FsMB8GA1UdIwQYMBaAFJoRO1YmE+OoHvbcFw3yOFVG7D1HMIG8BgNVHR8E
gbQwgbEwga6ggauggaiGgaVsZGFwOi8vL0NOPUxhYkNBLENOPWRjLENOPUNEUCxDTj1QdWJ
saWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW
xhYixEQz1sb2NhbD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc
3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgbUGCCsGAQUFBwEBBIGoMIGlMIGiBggrBgEFBQcw
AoaBlWxkYXA6Ly8vQ049TGFiQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2V
zLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bGFiLERDPWxvY2FsP2NBQ2VydG
lmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MAwGA1UdE
wEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAAtZ/uihddYVwP4jkpQ9JW2739Ag16ouf7qj
ht4GC57V3MMTLCQs5YlwSJta7ChVcMJtcoG28RXKugYOv24uoW/4xfrmL+PiQx5g/mpASke
AlWKE35HIOUuJ32WDEJbOWx7tJFqrNKMnqNI2mnaRV38xGdZVoYvkXxHbOqQnPzaXKSsGm+
NWZM2v/TsU5Sdccbm7Qc1YoG+MVOkcfKwM67byR/mpBAU+oXjL4U+HioEULYNmWmHVyLVD/
FvSLRBLoC0OwW8P4RKecomO4sr0OGvDqN2qhlgV01nv9ZI2u8OHMIh4MHe43UGspN6+XDkV
94QQJj/g0wPbQlkAkM4OjSKjfguMpOfSBaHN8llg1H4jd2SLR54n/UrOc41CHn/Y0IQNr7n
mEiLFqka9JJAL2qA8nYk+/DsNWQDB7g1huxEx+s4hZSrUC5pjv1/tMffSWGGBHfKNQ56eGN
9XCnEZF5hHtECkLxLWEW3es2QLmarS8tKSi9BHn+KmyHmVt9mz8LdUet3OK/+gg7ocFg9Wg
iq8kMjXgKfXYITJCj/0D8eius6MTyChMZAFaqNlQQqTkFCgys4lKcXqWc30kfIrucude4ys
7MKrNW5I9++7g2SfxY4KUU1rlCd7eix+KWgT6m2P+9omtAID3iHHJGQWO9rcuvg3veKEjyg
AqHGZ1aVY
-----END CERTIFICATE-----
EOF

Running these commands creates /certificate/old_lookup_cert.cert. Next, export the machine SSL certificate that vCenter currently uses from VECS, and take the SHA-1 fingerprint of the old lookup certificate:

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /certificate/new_machine.cert

openssl x509 -in /certificate/old_lookup_cert.cert -noout -sha1 -fingerprint 

Now update the registration. ls_update_certs.py replaces the certificate of every endpoint whose certificate has the given fingerprint (the one shown by the previous command) with the certificate in /certificate/new_machine.cert. Note that the password is passed on the command line, so it ends up in the shell history of the appliance; clear it afterwards.

cd /usr/lib/vmidentity/tools/scripts/
python ls_update_certs.py --url https://vc.lab.local/lookupservice/sdk --fingerprint FB:22:56:2D:FD:0E:59:DD:36:C3:64:32:DC:E7:7D:62:92:AC:67:29 --certfile /certificate/new_machine.cert --user administrator@vsphere.local --password <your password> 

After the script finished I rebooted the vCenter appliance, and after that I could configure the Lookup Service in NSX Manager.
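To make visible what the procedure above is actually fixing, here is an added example (not code from the original post, from VMware's tools or from the linked site) that pulls the SSL Trust value out of lstool.py output, decodes the certificate far enough to show its issuer, subject and validity period, computes the SHA-1 fingerprint in the form ls_update_certs.py --fingerprint expects, and reports whether the registered certificate differs from the one vCenter really serves. The certificate is the old lookup certificate from this post. The surrounding field names in the sample lstool output are an assumption about the format (only the SSL Trust: value is parsed), and the DER blob used as the "live" certificate is a constructed stand-in; on a real VCSA you would compare against the file exported with vecs-cli.

```python
"""Check the STS cert registered in the Lookup Service against the one vCenter serves."""
import base64
import hashlib
import re

OLD_LOOKUP_CERT_B64 = (  # the old lookup certificate from the post (public certificate data)
    "MIIGCzCCA/OgAwIBAgITIwAAAAdA2h3EY7GLggAAAAAABzANBgkqhkiG9w0BAQsFADAQMQ4"
    "wDAYDVQQDEwVMYWJDQTAeFw0yMDAxMzAxOTAxNDVaFw0yMTAxMzAxOTExNDVaMHAxCzAJBg"
    "NVBAYTAk5MMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlQdXJtZXJlbmQxE"
    "DAOBgNVBAoTB0hvbWVsYWIxDDAKBgNVBAsTA0lDVDEVMBMGA1UEAxMMdmMubGFiLmxvY2Fs"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtdVAwu7YgOZHDlE9LqtEfrv1jLO"
    "YqDHXbMfZnq2KFr3jQJLxKTxr48LMEXQKkO9PHRwXlWeJL4XSa20HyokYdNv1w3b8Q7LZdq"
    "grqk9klthFnRe49qKD9JM78zzvtbyItKuvaKmwbU4D6ee3JClncUDA4ae1gz22GXMQ4Pvso"
    "Hy2njyP6oVpB3WPKJuFUG4i340XvhJU+pJLRSKDUs+FU7ru7dkAkzaKGT+Qq7LHx77WphNR"
    "LlvTk4kHzJGyiMhx0lkEBxAjWFN6SRFFG2cKd/Uphk+74anoLbAfsL148GnaK34Afry8NIF"
    "uJLGplUG6g1h54bBma0Nl12oPqE/WnwIDAQABo4IB/DCCAfgwHQYDVR0OBBYEFBKkqNImwT"
    "Dz+2XDUR0256v4vyavMDEGA1UdEQQqMCiBGGplcm9lbi5idXJlbkBvdXRsb29rLmNvbYIMd"
    "mMubGFiLmxvY2FsMB8GA1UdIwQYMBaAFJoRO1YmE+OoHvbcFw3yOFVG7D1HMIG8BgNVHR8E"
    "gbQwgbEwga6ggauggaiGgaVsZGFwOi8vL0NOPUxhYkNBLENOPWRjLENOPUNEUCxDTj1QdWJ"
    "saWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW"
    "xhYixEQz1sb2NhbD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc"
    "3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgbUGCCsGAQUFBwEBBIGoMIGlMIGiBggrBgEFBQcw"
    "AoaBlWxkYXA6Ly8vQ049TGFiQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2V"
    "zLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bGFiLERDPWxvY2FsP2NBQ2VydG"
    "lmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MAwGA1UdE"
    "wEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAAtZ/uihddYVwP4jkpQ9JW2739Ag16ouf7qj"
    "ht4GC57V3MMTLCQs5YlwSJta7ChVcMJtcoG28RXKugYOv24uoW/4xfrmL+PiQx5g/mpASke"
    "AlWKE35HIOUuJ32WDEJbOWx7tJFqrNKMnqNI2mnaRV38xGdZVoYvkXxHbOqQnPzaXKSsGm+"
    "NWZM2v/TsU5Sdccbm7Qc1YoG+MVOkcfKwM67byR/mpBAU+oXjL4U+HioEULYNmWmHVyLVD/"
    "FvSLRBLoC0OwW8P4RKecomO4sr0OGvDqN2qhlgV01nv9ZI2u8OHMIh4MHe43UGspN6+XDkV"
    "94QQJj/g0wPbQlkAkM4OjSKjfguMpOfSBaHN8llg1H4jd2SLR54n/UrOc41CHn/Y0IQNr7n"
    "mEiLFqka9JJAL2qA8nYk+/DsNWQDB7g1huxEx+s4hZSrUC5pjv1/tMffSWGGBHfKNQ56eGN"
    "9XCnEZF5hHtECkLxLWEW3es2QLmarS8tKSi9BHn+KmyHmVt9mz8LdUet3OK/+gg7ocFg9Wg"
    "iq8kMjXgKfXYITJCj/0D8eius6MTyChMZAFaqNlQQqTkFCgys4lKcXqWc30kfIrucude4ys"
    "7MKrNW5I9++7g2SfxY4KUU1rlCd7eix+KWgT6m2P+9omtAID3iHHJGQWO9rcuvg3veKEjyg"
    "AqHGZ1aVY"
)

SAMPLE_LSTOOL_OUTPUT = (  # constructed lstool.py output; field names assumed, only SSL Trust: is parsed
    "Endpoints:\n"
    "  Type: com.vmware.cis.cs.identity.sso\n"
    "  URL: https://vc.lab.local/sts/STSService/vsphere.local\n"
    "  SSL Trust: " + OLD_LOOKUP_CERT_B64 + "\n"
)

def parse_ssl_trust(lstool_output: str) -> list:
    """Return the DER certificate(s) found after 'SSL Trust:' in lstool output."""
    hits = re.findall(r"SSL\s+Trust:\s*([A-Za-z0-9+/=]+)", lstool_output, re.IGNORECASE)
    return [base64.b64decode(h) for h in hits]

def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-1, as printed by openssl -fingerprint and taken by ls_update_certs.py."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())

def _tlv(buf: bytes, off: int):
    """Decode one DER TLV header at `off`; return (tag, value_start, value_end)."""
    tag, length, pos = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for every TLV inside a constructed value."""
    while start < end:
        tag, vs, ve = _tlv(buf, start)
        yield tag, vs, ve
        start = ve

def cert_summary(der: bytes) -> dict:
    """Issuer CN, subject CN and validity, decoded by hand so the check needs no
    third-party library on the appliance."""
    _, tbs_start, _ = _tlv(der, 0)                         # Certificate SEQUENCE
    _, tbs_vs, tbs_ve = _tlv(der, tbs_start)               # tbsCertificate SEQUENCE
    fields = [f for f in _children(der, tbs_vs, tbs_ve) if f[0] != 0xA0]  # drop [0] version
    _serial, _sig_alg, issuer, validity, subject = fields[:5]

    def common_name(name):
        for _, set_vs, set_ve in _children(der, name[1], name[2]):  # each RDN SET
            _, seq_vs, seq_ve = _tlv(der, set_vs)                   # AttributeTypeAndValue
            oid, value = list(_children(der, seq_vs, seq_ve))[:2]
            if der[oid[1]:oid[2]] == b"\x55\x04\x03":               # id-at-commonName
                return der[value[1]:value[2]].decode()
        return None

    not_before, not_after = [der[vs:ve].decode() for _, vs, ve in _children(der, validity[1], validity[2])]
    return {"issuer_cn": common_name(issuer), "subject_cn": common_name(subject),
            "not_before": not_before, "not_after": not_after}

def registration_is_stale(lstool_output: str, live_der: bytes) -> bool:
    """True when no registered SSL Trust cert equals the one vCenter presents: the state NSX rejects."""
    live_fp = sha1_fingerprint(live_der)
    return all(sha1_fingerprint(d) != live_fp for d in parse_ssl_trust(lstool_output))

if __name__ == "__main__":
    registered = parse_ssl_trust(SAMPLE_LSTOOL_OUTPUT)[0]
    print(cert_summary(registered))
    print("--fingerprint", sha1_fingerprint(registered))
    # b"\x30\x03\x02\x01\x01" is a constructed stand-in for the live machine cert; on a VCSA
    # read /certificate/new_machine.cert (exported with vecs-cli) and pass its DER bytes instead.
    print("stale:", registration_is_stale(SAMPLE_LSTOOL_OUTPUT, b"\x30\x03\x02\x01\x01"))
```

The summary makes the staleness obvious at a glance: the registered certificate was issued by the lab CA to vc.lab.local and carries its own validity window, so a mismatch with the exported machine certificate (or an expired notAfter) tells you the registration, not NSX, is at fault before you run ls_update_certs.py. The script uses f-strings, so run it with Python 3.6 or newer on a workstation against copied lstool output rather than with the Python bundled on an older appliance.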

“Unable to login because you do not have permission on any vCenter Server systems connected to this client”

After connecting NSX to vCenter I configured SSO. The first step was to join the VCSA to Active Directory and then add the domain as an Identity Source. Pretty basic stuff. After that, I was able to give the AD security group “NSX_Enterprise_Admins” (which I created) permissions at the VCSA root level. Read-only is enough for this group; the vCenter permission only has to exist so the login is accepted, while the actual NSX roles are assigned in NSX. But hey, this is my lab and everyone can have full control 😉

Next, configure the permissions in NSX itself. Open the vSphere Web Client (Flex) and go to Networking & Security, System, Users and Domains. On the Domains tab add the Active Directory domain. The last step is to add the AD group to NSX.

Select the Users tab and click on the green + sign. Now select the option “Specify a vCenter group”.

The example formats shown in that dialog did not work for me: members of the group could not log in. Enter the group name as <DOMAIN>\<Group name>, with the short domain name (LAB, not lab.local), so in my case LAB\NSX_Enterprise_Admins.

The reason is that the permission entry in vCenter shows the group in exactly that format.

Now I could log in with an account that is a member of the NSX_Enterprise_Admins group. I know, NSX permissions should have nothing to do with vCenter permissions, but I had some issues... And now I don’t. The error message in the heading explains why: without any vCenter permission the vSphere Web Client refuses the login before the NSX roles come into play.