Skip to content

Category: VMware

Access vCenter by SCP (WinSCP)

 

To be able to access the vCenter with WinSCP it is necessary to change the default shell to Bash

  1. Initiate an SSH connection to the vCenter Server Appliance.
  2. Provide the root user user name and password when prompted.
  3. Run the following command to enable the Bash shell:shell.set –enable True
  4. Run the following command to access the Bash shell:shell
  5. In the Bash shell, run the following command to change the default shell to Bash:chsh -s “/bin/bash” root
  6. Use WinSCP to upload the certificate files to the vCenter Server Appliance.
  7. Return to the Appliance Shell by running the following command:chsh -s /bin/appliancesh root 

     

    For more information:
    https://kb.vmware.com/s/article/2107727

vCenter 7 /storage/core full

Partition /core becomes full due to too many files, following the commands you needed to delete those files.

cd /storage/core/
rm core.in\:imfile.*

You can use this command to check free space
df -h

For more information:
https://kb.vmware.com/s/article/81327

Downloading RPM vsphere-ui-7.0.3.00300-9405520.noarch.rpm

To check if you need run the KB https://kb.vmware.com/s/article/87274

Open a SSH and run the command

openssl dgst -verify /var/vmware/applmgmt/fileintegrity/pub.key -signature /var/vmware/applmgmt/fileintegrity/fileintegrity_config.sig /etc/vmware/appliance/fileintegrity_config.json

If the result is Verification Failure, Follow the steps:

  • Login to VCSA through ssh using putty.
  • Download the script generate_signature.py from the attachment section to in the article.
  • Upload the script to the VCSA ” root directory” using WINSCP

Note: If you faced an error while trying to login to VCSA through WINSCP , please run the below command on VCSA (SSH):
# chsh -s /bin/bash root

  • Run the script using the command:

# python generate_signature.py

  • Run the command:

# openssl dgst -verify /var/vmware/applmgmt/fileintegrity/pub.key -signature /var/vmware/applmgmt/fileintegrity/fileintegrity_config.sig /etc/vmware/appliance/fileintegrity_config.json

This should return a “Verified OK” response.

  • Run the following commands:

service-control –stop applmgmt
rm -rf /storage/core/software-update/*
rm -rf /storage/db/patching.db
mv /storage/core/software-packages/staged-configuration.json /storage/core
mv /etc/applmgmt/appliance/software_update_state.conf /storage/core
service-control –start applmgmt

  • Retry the update.

Cannot download VIB: ”. This might be because of network issues or the specified VIB does NOT exist or does NOT have a proper ‘read’ privilege set. Please make sure the specified VIB exists and is accessible from vCenter

 

Unable to patch ESXi host. keep getting the following error:
Cannot download VIB: ”. This might be because of network issues or the specified VIB does NOT exist or does NOT have a proper ‘read’ privilege set. Please make sure the specified VIB exists and is accessible from vCenter

This issue resolves by resetting vum database and retry the updates. I would advise you to take a snapshot of the vCSA before going through this procedure.

The process to reset the database is:

Connect to vCSA via SSH

Run the shell command to switch to the BASH Shell:

shell

Stop the VMware Update Manager Service:

service-control –stop vmware-updatemgr

Run the following command to reset the VMware Update Manager Database:

/usr/lib/vmware-updatemgr/bin/updatemgr-utility.py reset-db

Run the following Command to delete the contents of the VMware Update Manager Patch Store:

rm -rf /storage/updatemgr/patch-store/*

Start the VMware Update Manager Service:

service-control –start vmware-updatemgr

Note: You may need to log out and log back into any instances of the vSphere Web Client.

Note: For vSAN environments this will also remove the vSAN default baselines. These baselines are recreated automatically when there is a configuration change to vSAN such as add/remove a host/disk or an update to the HCL DB. You can still safely update a vSAN cluster without the vSAN default baselines.

After the succesfull reset of the database, you should be able to scan, and apply critical and non-critical patches

Unable to Add ESXi Host to vCenter 6.7

When we try to add an ESXi Host to vCenter we get the following error “A general system error occurred: Unable to push CA certificates and CRLs to host XXXXXXX”

Modify the advanced configuration “Config.HostAgent.ssl.keyStore.allowSelfSigned” introduced in ESXi 6.7 Update 3 to ignore the Self Signed Certificates. 

Connect to the ESXi using Host Client
Select Manage Tab
Select Advanced Settings
Locate the option “Config.HostAgent.ssl.keyStore.allowSelfSigned”
Edit the value from false to true

Reboot the ESXi host.
Retry adding the ESXi host to vCenter Server or certificate renew operation

Alarm – Certificate expired

Sometimes we have an expired certificate error in vCenter, but in reality, the certificates are all valid, it’s time to clear BACKUP_STORE.

Sometimes we receive alerts of expired certificates and they will check and all of them are correct, it’s time to check the backup store.

1- Check Certificates

/usr/lib/vmware-vmafd/bin/vecs-cli entry list –store BACKUP_STORE –text

2- Backup certificate

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp_vpxd-extension –output /certificates/bkp_vpxd-extension.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp_vpxd –output /certificates/bkp_vpxd.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp_vsphere-webclient –output /certificates/bkp_vsphere-webclient.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp_machine –output /certificates/bkp_machine.crt

/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp___MACHINE_CERT –output /certificates/bkp___MACHINE_CERT.crt

3- Delete Certificates

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp_vpxd-extension -y

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp_vpxd -y

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp_vsphere-webclient -y

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp_machine -y

/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp___MACHINE_CERT -y

VMware created a script to help at https://kb.vmware.com/s/article/82560

All 7.0u3 versions have been pulled.

VMware decided to remove all versions of vSphere ESXi U3 from our online and offline downloads portals.

This was due to some critical issues that were identified on the vSphere 7.0 U3 GA release, leading to two express patches.

After further review, additional resolution complexities have come to light, and VMware has now removed all versions to prevent any further impact on their customers.

This can be checked in the public FAQ at: https://kb.vmware.com/s/article/86398

This FAQ goes into more detail and also gives guidance for those who have already updated in any form.

VCSA – Certificate Status Alert triggered

Sometimes we receive alerts of expired certificates and they will check and all of them are correct, it’s time to check the backup store.

Follow the procedure:

1- Check Certificates
/usr/lib/vmware-vmafd/bin/vecs-cli entry list –store BACKUP_STORE –text

2- Backup certificate
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp_vpxd-extension –output /certificates/bkp_vpxd-extension.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp_vpxd –output /certificates/bkp_vpxd.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp_vsphere-webclient –output /certificates/bkp_vsphere-webclient.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp_machine –output /certificates/bkp_machine.crt
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert –store BACKUP_STORE –alias bkp___MACHINE_CERT –output /certificates/bkp___MACHINE_CERT.crt

3- Delete Certificates
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp_vpxd-extension -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp_vpxd -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp_vsphere-webclient -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp_machine -y
/usr/lib/vmware-vmafd/bin/vecs-cli entry delete –store BACKUP_STORE –alias bkp___MACHINE_CERT -y

VMware created a script to help at https://kb.vmware.com/s/article/82560