ConfigMgr.nl

VMware, Automation and more

Building a lab – recurring issues

01-02-2020 Solutions VMware No Comments

As I am preparing for an exam (VCAP Network Virtualization Deployment), I started a rebuild of my lab. During this process, I encountered several issues. With this post I keep track of all the issues and their solutions. Keep in mind that I try to write them down in the order I experienced them, but I cannot give any guarantees.

“No host is compatible with the virtual machine”

After deploying the NSX Manager appliance I could not start the VM. However, the error was very clear. The virtual ESXi hosts I deployed had only 2 CPUs and I needed 4 for the VM. The solution was simple: increase the number of CPUs of the virtual ESXi hosts to 4. After that, I could start the NSX Manager.

“SSL Certificate of STS service could not be verified”

When I configured the NSX Lookup Service URL I got an error telling me that there was something wrong with the certificate of the STS service. A quick search brought me to this site: https://techie.cloud/blog/2019/04/21/issue-setting-up-lookup-service-in-nsx-manager-6.4.4/

The solution was to change the certificate of the STS service. Log in to the vCenter appliance (SSH) and run the following command:

/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso

This will generate output similar to this:

The string after SSL Trust: is the certificate that is currently registered for the STS service. Now open a text editor so you can build the command that you need to run. Start with the following text:

mkdir /certificate
cd /certificate

# Write the certificate currently registered at the lookup service as a PEM file
# (the later openssl and ls_update_certs.py steps read it from /certificate)
cat <<'EOF' > /certificate/old_lookup_cert.cert
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF

Now copy the certificate string and paste it between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

You would end up with something like this:

mkdir /certificate
cd /certificate

cat <<'EOF' > /certificate/old_lookup_cert.cert
-----BEGIN CERTIFICATE-----
MIIGCzCCA/OgAwIBAgITIwAAAAdA2h3EY7GLggAAAAAABzANBgkqhkiG9w0BAQsFADAQMQ4
wDAYDVQQDEwVMYWJDQTAeFw0yMDAxMzAxOTAxNDVaFw0yMTAxMzAxOTExNDVaMHAxCzAJBg
NVBAYTAk5MMRYwFAYDVQQIEw1Ob29yZC1Ib2xsYW5kMRIwEAYDVQQHEwlQdXJtZXJlbmQxE
DAOBgNVBAoTB0hvbWVsYWIxDDAKBgNVBAsTA0lDVDEVMBMGA1UEAxMMdmMubGFiLmxvY2Fs
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtdVAwu7YgOZHDlE9LqtEfrv1jLO
YqDHXbMfZnq2KFr3jQJLxKTxr48LMEXQKkO9PHRwXlWeJL4XSa20HyokYdNv1w3b8Q7LZdq
grqk9klthFnRe49qKD9JM78zzvtbyItKuvaKmwbU4D6ee3JClncUDA4ae1gz22GXMQ4Pvso
Hy2njyP6oVpB3WPKJuFUG4i340XvhJU+pJLRSKDUs+FU7ru7dkAkzaKGT+Qq7LHx77WphNR
LlvTk4kHzJGyiMhx0lkEBxAjWFN6SRFFG2cKd/Uphk+74anoLbAfsL148GnaK34Afry8NIF
uJLGplUG6g1h54bBma0Nl12oPqE/WnwIDAQABo4IB/DCCAfgwHQYDVR0OBBYEFBKkqNImwT
Dz+2XDUR0256v4vyavMDEGA1UdEQQqMCiBGGplcm9lbi5idXJlbkBvdXRsb29rLmNvbYIMd
mMubGFiLmxvY2FsMB8GA1UdIwQYMBaAFJoRO1YmE+OoHvbcFw3yOFVG7D1HMIG8BgNVHR8E
gbQwgbEwga6ggauggaiGgaVsZGFwOi8vL0NOPUxhYkNBLENOPWRjLENOPUNEUCxDTj1QdWJ
saWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1Db25maWd1cmF0aW9uLERDPW
xhYixEQz1sb2NhbD9jZXJ0aWZpY2F0ZVJldm9jYXRpb25MaXN0P2Jhc2U/b2JqZWN0Q2xhc
3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwgbUGCCsGAQUFBwEBBIGoMIGlMIGiBggrBgEFBQcw
AoaBlWxkYXA6Ly8vQ049TGFiQ0EsQ049QUlBLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2V
zLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9bGFiLERDPWxvY2FsP2NBQ2VydG
lmaWNhdGU/YmFzZT9vYmplY3RDbGFzcz1jZXJ0aWZpY2F0aW9uQXV0aG9yaXR5MAwGA1UdE
wEB/wQCMAAwDQYJKoZIhvcNAQELBQADggIBAAtZ/uihddYVwP4jkpQ9JW2739Ag16ouf7qj
ht4GC57V3MMTLCQs5YlwSJta7ChVcMJtcoG28RXKugYOv24uoW/4xfrmL+PiQx5g/mpASke
AlWKE35HIOUuJ32WDEJbOWx7tJFqrNKMnqNI2mnaRV38xGdZVoYvkXxHbOqQnPzaXKSsGm+
NWZM2v/TsU5Sdccbm7Qc1YoG+MVOkcfKwM67byR/mpBAU+oXjL4U+HioEULYNmWmHVyLVD/
FvSLRBLoC0OwW8P4RKecomO4sr0OGvDqN2qhlgV01nv9ZI2u8OHMIh4MHe43UGspN6+XDkV
94QQJj/g0wPbQlkAkM4OjSKjfguMpOfSBaHN8llg1H4jd2SLR54n/UrOc41CHn/Y0IQNr7n
mEiLFqka9JJAL2qA8nYk+/DsNWQDB7g1huxEx+s4hZSrUC5pjv1/tMffSWGGBHfKNQ56eGN
9XCnEZF5hHtECkLxLWEW3es2QLmarS8tKSi9BHn+KmyHmVt9mz8LdUet3OK/+gg7ocFg9Wg
iq8kMjXgKfXYITJCj/0D8eius6MTyChMZAFaqNlQQqTkFCgys4lKcXqWc30kfIrucude4ys
7MKrNW5I9++7g2SfxY4KUU1rlCd7eix+KWgT6m2P+9omtAID3iHHJGQWO9rcuvg3veKEjyg
AqHGZ1aVY
-----END CERTIFICATE-----
EOF

When you run the above commands, the file old_lookup_cert.cert is created in the folder /certificate. Now continue by saving the current machine certificate and by getting the SHA-1 fingerprint of the old lookup certificate.

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /certificate/new_machine.cert

openssl x509 -in /certificate/old_lookup_cert.cert -noout -sha1 -fingerprint

Now you can update the lookup certificate. The script uses the fingerprint that is shown by the previous command and the SSL certificate that was saved as /certificate/new_machine.cert.

cd /usr/lib/vmidentity/tools/scripts/
python ls_update_certs.py --url https://vc.lab.local/lookupservice/sdk --fingerprint FB:22:56:2D:FD:0E:59:DD:36:C3:64:32:DC:E7:7D:62:92:AC:67:29 --certfile /certificate/new_machine.cert --user administrator@vsphere.local --password <your password>

When the script finished, I rebooted the vCenter appliance and I could configure the lookup service.
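The procedure above boils down to one check: does the certificate registered for the STS endpoint in the lookup service still match the current MACHINE_SSL_CERT? The following Python script is an added example (not part of the original post and not VMware's code) that performs that check offline. It parses a constructed sample of lstool.py list output by its "SSL Trust:" line, rewraps the bare base64 string into a PEM file exactly as the heredoc above does, computes the colon-separated SHA-1 fingerprint that openssl prints and ls_update_certs.py expects, and compares it with the fingerprint of the machine certificate. The certificate bytes are constructed stand-ins, not real X.509 certificates; the fingerprint is SHA-1 over the DER bytes, so the logic is the same for a real certificate.

```python
"""Added example: decide whether the vCenter Lookup Service registration for the
STS endpoint is stale, i.e. whether ls_update_certs.py needs to be run.

Assumptions: the lstool.py output is simulated with a constructed sample (the
real output is parsed the same way, by its 'SSL Trust:' line); OLD_DER and
NEW_DER are constructed stand-ins for DER bytes, not real certificates.
"""
import base64
import hashlib
import re
import textwrap

# Constructed stand-in for the DER bytes of the certificate currently
# registered at the lookup service (NOT a real certificate).
OLD_DER = b"constructed-stand-in-for-old-lookup-service-certificate-der-bytes"
# Constructed stand-in for the DER bytes of the new MACHINE_SSL_CERT.
NEW_DER = b"constructed-stand-in-for-new-machine-ssl-certificate-der-bytes"

# Constructed sample resembling the relevant part of `lstool.py list` output.
SAMPLE_LSTOOL_OUTPUT = f"""
Service Type: cs.identity
Endpoint Type: com.vmware.cis.cs.identity.sso
URL: https://vc.lab.local/sts/STSService/vsphere.local
SSL Trust: {base64.b64encode(OLD_DER).decode()}
"""


def extract_ssl_trust(lstool_output: str) -> str:
    """Return the base64 string after 'SSL Trust:' (the registered certificate)."""
    match = re.search(r"^SSL Trust:\s*(\S+)", lstool_output, re.MULTILINE)
    if not match:
        raise ValueError("no 'SSL Trust:' line found in lstool output")
    return match.group(1)


def trust_to_pem(ssl_trust: str) -> str:
    """Wrap the bare base64 string into a PEM block (64 columns, as openssl expects)."""
    body = "\n".join(textwrap.wrap(ssl_trust, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode the base64 body back to DER bytes."""
    lines = [line.strip() for line in pem.splitlines()
             if line.strip() and not line.startswith("-----")]
    return base64.b64decode("".join(lines))


def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint in the 'AA:BB:...' form printed by
    `openssl x509 -noout -sha1 -fingerprint` and expected by ls_update_certs.py."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def lookup_service_needs_update(lstool_output: str, machine_cert_pem: str) -> bool:
    """True when the certificate registered at the lookup service differs from
    the current MACHINE_SSL_CERT, i.e. when ls_update_certs.py should be run."""
    registered = sha1_fingerprint(base64.b64decode(extract_ssl_trust(lstool_output)))
    current = sha1_fingerprint(pem_to_der(machine_cert_pem))
    return registered != current


# PEM form of the (constructed) new machine certificate, as vecs-cli would export it.
NEW_MACHINE_CERT_PEM = trust_to_pem(base64.b64encode(NEW_DER).decode())


if __name__ == "__main__":
    trust = extract_ssl_trust(SAMPLE_LSTOOL_OUTPUT)
    old_pem = trust_to_pem(trust)
    print(old_pem)
    print("fingerprint of registered certificate:", sha1_fingerprint(pem_to_der(old_pem)))
    print("needs update:", lookup_service_needs_update(SAMPLE_LSTOOL_OUTPUT, NEW_MACHINE_CERT_PEM))
```

On a real appliance you would feed the output of the lstool.py command shown earlier into extract_ssl_trust and the file written by vecs-cli entry getcert into lookup_service_needs_update; the fingerprint printed for the registered certificate is the value to pass to --fingerprint.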

“Unable to login because you do not have permission on any vCenter Server systems connect to this client”

After connecting NSX to vCenter I configured SSO. The first step was to join the VCSA to Active Directory and then add the domain as an Identity Source. Pretty basic stuff. After that, I was able to give the AD security group “NSX_Enterprise_Administrators” (which I created) permissions at the VCSA root level. You could give them read-only permissions but hey, this is my lab and everyone can have full control 😉

Now I configured the permissions for NSX. So open the vSphere Web Client (FLEX) and go to Networking & Security, System, Users and Domains. Select the Domains tab and add the Active Directory domain. The last step is to add the AD group to NSX.

Select the Users tab and click on the green + sign. Now select the option “Specify a vCenter group”.

I think that the examples are formatted in a way that would prevent you from logging in with a group member. Enter the group name as <DOMAIN>\<Group name>. So in my case, it would be LAB\NSX_Enterprise_Admins.

The reason for this is that the permissions entry for vCenter is also formatted that way.

Now I could log in with an account that was a member of the NSX_Enterprise_Admins group. I know, NSX permissions should have nothing to do with vCenter permissions but I had some issues… And now I don’t.

“Firefox keeps bugging me about my certificate”

After changing the certificate of the VCSA, Firefox still complains about that certificate.

That is because Firefox uses its own certificate store instead of the operating system’s certificate store. If you want to instruct Firefox to also trust the root certificates in the Windows certificate store, you can try this:

  • In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.
  • In the search box above the list, type or paste security.enterp
  • Double-click the security.enterprise_roots.enabled preference to switch the value from false to true

Tags: certificate, nsx, STS, vCenter
