As I am preparing for an exam (VCAP Network Virtualization Deployment), I started a rebuild of my lab. During this process I encountered several issues, and with this post I keep track of all of them and their solutions. Keep in mind that I try to write them down in the order I experienced them, but I cannot give any guarantees.
“No host is compatible with the virtual machine”
After deploying the NSX Manager appliance I could not start the VM. However, the error was very clear. The virtual ESXi hosts I deployed had only 2 CPUs and I needed 4 for the VM. The solution was simple: increase the number of CPUs of the virtual ESXi hosts to 4. After that, I could start the NSX Manager.
“SSL Certificate of STS service could not be verified”
When I configured the NSX Lookup Service URL I got an error telling me that there was something wrong with the certificate of the STS service. A quick search brought me to this site: https://techie.cloud/blog/2019/04/21/issue-setting-up-lookup-service-in-nsx-manager-6.4.4/
The solution was to change the certificate of the STS service. Log in to the vCenter appliance (SSH) and run the following command:
/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso
This will generate output similar to this:
The string after SSL Trust: is the Base64 body of the certificate the lookup service currently trusts. Now open a text editor so you can build the command you need to run. Start with the following text:
mkdir /certificate
cd /certificate
cat <<'EOF' > /certificate/old_lookup_cert.cert
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
EOF
Now copy the certificate string and paste it between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
You would end up with the same block, with the certificate string pasted between the BEGIN and END lines.
When you run the above commands, the file old_lookup_cert.cert is created in the folder /certificate. Now continue by saving the current machine certificate and by getting the SHA-1 fingerprint of the old lookup certificate.
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /certificate/new_machine.cert
openssl x509 -in /certificate/old_lookup_cert.cert -noout -sha1 -fingerprint
Now you can update the lookup certificate. The script takes the fingerprint shown by the previous command and the SSL certificate that was saved as /certificate/new_machine.cert.
cd /usr/lib/vmidentity/tools/scripts/
python ls_update_certs.py --url https://vc.lab.local/lookupservice/sdk --fingerprint FB:22:56:2D:FD:0E:59:DD:36:C3:64:32:DC:E7:7D:62:92:AC:67:29 --certfile /certificate/new_machine.cert --user firstname.lastname@example.org --password <your password>
When the script finished, I rebooted the vCenter appliance and could configure the lookup service.
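To see whether the lookup service still advertises an old certificate before running the script, here is an added Python helper (my own code, not from the post or from VMware's tools). It assumes only the SSL Trust: label from the lstool.py output; the surrounding sample lines and the Base64 blob are constructed, and the fingerprint it computes is SHA-1 over the DER bytes, which is what openssl x509 -sha1 -fingerprint prints.

```python
import base64
import hashlib
import re

# Constructed sample of what lstool.py prints for the STS endpoint (assumed layout;
# "YWJj" is Base64 for b"abc", not a real certificate).
SAMPLE_LSTOOL_OUTPUT = """\
Endpoint Type: com.vmware.cis.cs.identity.sso
URL: https://vc.lab.local/sts/STSService/vsphere.local
SSL Trust: YWJj
"""

def extract_ssl_trust(lstool_output: str) -> str:
    """Return the Base64 blob that follows the first 'SSL Trust:' label."""
    match = re.search(r"^SSL Trust:\s*(\S+)", lstool_output, re.MULTILINE | re.IGNORECASE)
    if not match:
        raise ValueError("no 'SSL Trust:' line found in lstool output")
    return match.group(1)

def to_pem(b64_body: str) -> str:
    """Fold the blob at 64 characters between BEGIN/END markers, the layout openssl expects."""
    lines = [b64_body[i:i + 64] for i in range(0, len(b64_body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def pem_to_der(pem: str) -> bytes:
    """Strip the markers and decode the body back to DER bytes."""
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body, validate=True)

def sha1_fingerprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, colon-separated uppercase: the value that
    `openssl x509 -noout -sha1 -fingerprint` prints and ls_update_certs.py expects."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def lookup_cert_needs_update(lstool_output: str, machine_cert_pem: str) -> bool:
    """True when the STS endpoint still advertises a certificate whose fingerprint
    differs from the current MACHINE_SSL_CERT, i.e. the update script must be run."""
    lookup_fp = sha1_fingerprint(base64.b64decode(extract_ssl_trust(lstool_output), validate=True))
    return lookup_fp != sha1_fingerprint(pem_to_der(machine_cert_pem))

if __name__ == "__main__":
    pem = to_pem(extract_ssl_trust(SAMPLE_LSTOOL_OUTPUT))
    print(pem, end="")
    print("SHA1 Fingerprint=" + sha1_fingerprint(pem_to_der(pem)))
```

Feed it the real lstool.py output and the contents of /certificate/new_machine.cert; if lookup_cert_needs_update returns False the lookup service already trusts the current machine certificate and the update script is not needed.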
“Unable to login because you do not have permission on any vCenter Server systems connect to this client”
After connecting NSX to vCenter I configured SSO. The first step was to join the VCSA to Active Directory and then add the domain as an Identity Source. Pretty basic stuff. After that, I was able to give the AD security group “NSX_Enterprise_Administrators” (which I created) permissions at the VCSA root level. You could give them read-only permissions but hey, this is my lab and everyone can have full control 😉
Next I configured the permissions for NSX. Open the vSphere Web Client (Flex) and go to Networking & Security, System, Users and Domains. Select the Domains tab and add the Active Directory domain. The last step is to add the AD group to NSX.
Select the Users tab and click on the green + sign. Now select the option “Specify a vCenter group”.
I think the example formats shown in that dialog would prevent you from logging in as a member of the group. Enter the group name as <DOMAIN>\<Group name>, so in my case LAB\NSX_Enterprise_Admins.
The reason is that the permission entry in vCenter is formatted the same way.
Now I could log in with an account that was a member of the NSX_Enterprise_Admins group. I know, NSX permissions should have nothing to do with vCenter permissions but I had some issues… And now I don’t.