Update: Thanks to Abe's comments and a brand new VMware KB article, there's a more elegant way to update the SSL certificate. You can check out the improved, and officially supported method here. This works for vCenter 4.0 and 4.1.
--
After a significant effort of research and trial and error, it appears I have gotten VMware Update Manager (VUM) 4.0 Update 1 to use SSL certificates generated from an internal Microsoft CA. This completes my quest to replace all SSL certificates that vCenter 4.0 U1 and ESXi 4.0 hosts use. This method is something of a 'hack', but so far everything seems to be working well. I haven't tried this with the gold release of vCenter Update Manager 4.0, so I can't say whether this procedure works there.
In my scenario I have VUM installed on a separate server from vCenter. This is a recommended best practice in larger environments. I'd expect this method to work equally well with vCenter and VUM co-located on the same server. In that case, you should be able to re-use the certificates you generated for your vCenter server since they have the same FQDN.
1. Read my article about vCenter SSL certificate generation.
2. Perform the exact same steps to generate a certificate (steps 1-9) but use the FQDN of the VUM server, if it's on a dedicated server.
3. Find the SSL directory path for Update Manager on your system. In my case it's located at:
D:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL
4. Compress all of the existing files in the SSL directory into a .ZIP for safe keeping.
5. Stop the VMware Update Manager Service.
6. Replace rui.crt, rui.key and rui.pfx with the new certificates.
7. De-Install VUM. Yes, remove it.
8. Re-install VUM using the exact same settings as your first install, and use the existing database.
9. Launch the vSphere client and open the vCenter Server Status window.
10. Verify everything has a green check, including all VMware Update Manager components.
If you see any errors about the health service, or get weird login errors when launching the vSphere Client, something is broken. The key to this whole process is de-installing and re-installing VUM. This resets some credentials and the thumbprint in the ADAM instance, and picks up the new certificates you installed. VMware should really make this easier!
You should also be able to pre-position the SSL certificates in the proper directory prior to ANY VUM installation, and it will use them. That would avoid a de-install and re-install. Depending on your installation parameters and whether you are x86 or x64, the directory path will vary.
It seems to be a very complex task. I have a slightly different environment than you: 4 ESX (not ESXi) hosts, fresh 4.0 install, patched using VUM, with vCenter 4. Everything worked fine until I moved the vCenter to another server (different IP and hostname). Since then, I am not able to use VUM, probably resulting in the same certificate mess you had before.
Now I upgraded vCenter to ver. 4U1. Hosts are still not at U1 stage because VUM is not working and I would rather not upgrade each host by booting from CD. Do you think I still need to replace all the certificates (on hosts, on vCenter server for vCenter and VUM - they are both on the same machine), or is it possible to simplify the task somehow in this situation? I am afraid I will break all my cluster down.
Another question: CA on Windows Server 2008 R2 seems to be slightly different - I do not know how to export the issued certificate in other than binary format (base64 is needed for openssl, right?) There seems to be no such option.
Thanks in advance for comments.
BR,
David
Hi Derek,
I'm wrestling with this one as well and encounter the following error while trying to reinstall Update Manager after removing it:
Error 25113.Setup failed to generate the JRE SSL keys.
Action ended 5:32:30: InstallFinalize. Return value 3.
Does this ring any bells at your end? FWIW, I'm currently working with the latest vCenter update 1 bits.
Regards,
Erwin Zoer
Erwin,
I didn't get that error. The de-install, re-install process worked for me but it may be fragile and very system dependent.
Anonymous,
If you moved vCenter to another host and it's still using the old certificates, that could certainly cause a problem. I would connect to your vCenter web server and see what SSL certificate it's using. The ADAM database that vCenter uses also stores SSL certificate information and FQDNs of the vCenter and VUM servers. I don't know what the supported method is to migrate vCenter to a different host. If there's not a public VMware document on how to do that, I'd call VMware support.
On my Server 2008 R2 online root CA I can download the base-64 certificates just like on 2003. I haven't used a 2008 (non-R2) CA in a while, so I don't remember if it had a base-64 download option.
Hi Derek,
Thanks very much you saved me a lot of pain resolving this.
I did have to complete 1 additional step that other readers may find useful and that is:
After reinstalling VUM you need to change the VMware Update Manager service to log on as the Windows domain account that connects to the database.
Many Thanks
David Pattie
I get the same "Error 25113.Setup failed to generate the JRE SSL keys."
To me this seems to indicate it is trying to make a new rui file set.
OK, the issue was that the certificate copied into place (rui.crt) had more stuff in front of the ---BEGIN CERTIFICATE---. Virtual Center, which seems to use mostly the openssl libraries, has no problem with it. VUM uses openssl to generate certificates, which gets skipped when the file is already there, but then uses Java keytool to import it into the Java security/cacerts key store. And that fails if the rui.crt has more than ---BEGIN/END CERTIFICATE---
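The comment above and step 6 of the post both come down to the same pre-flight check: before a file is dropped in as rui.crt, it should contain exactly one PEM certificate block and nothing else. The script below is an added example, not code from the post or from any commenter; it flags text before or after the block (the header lines openssl prints ahead of a PEM block, for instance), verifies the body is base64 that decodes to a well-formed outer DER SEQUENCE, and returns a cleaned, re-wrapped copy you could write back as rui.crt. The sample certificate body is a constructed stand-in, not a real certificate.

```python
import base64
import re

# Matches one PEM certificate block; the body is base64 with line breaks.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

def der_total_length(der):
    """Return the byte length the outer ASN.1 SEQUENCE claims, or None if malformed."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = SEQUENCE tag
        return None
    first = der[1]
    if first < 0x80:                             # short-form length
        return 2 + first
    n = first & 0x7F                             # long-form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_rui_crt(pem_text):
    """Validate a candidate rui.crt.

    Returns (usable_as_is, problems, cleaned_pem). cleaned_pem holds only the
    certificate block, re-wrapped at 64 columns, whenever one valid block exists.
    """
    problems = []
    blocks = list(PEM_BLOCK.finditer(pem_text))
    if len(blocks) != 1:
        return False, [f"expected one CERTIFICATE block, found {len(blocks)}"], None
    block = blocks[0]
    before = pem_text[:block.start()].strip()
    after = pem_text[block.end():].strip()
    if before:   # e.g. "Bag Attributes" / "subject=" lines that keytool rejects
        problems.append("text before BEGIN CERTIFICATE: " + before.splitlines()[0])
    if after:
        problems.append("text after END CERTIFICATE: " + after.splitlines()[0])
    body = re.sub(r"\s+", "", block.group("body"))
    try:
        der = base64.b64decode(body, validate=True)   # raises ValueError on bad input
    except ValueError as exc:
        return False, problems + [f"body is not valid base64: {exc}"], None
    if der_total_length(der) != len(der):
        return False, problems + ["decoded body is not a well-formed DER SEQUENCE"], None
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    cleaned = f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----\n"
    return not problems, problems, cleaned

# Constructed sample: header lines like those openssl prints ahead of a PEM block,
# followed by a tiny stand-in SEQUENCE (not a real certificate) as the body.
SAMPLE_BAD = (
    "Bag Attributes\n    friendlyName: rui\nsubject=/CN=vum.example.local\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
)
```

Running check_rui_crt on the real rui.crt you intend to install gives usable_as_is True only when the file is nothing but the certificate block; otherwise write cleaned_pem out in its place.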
I've been having issues even after following all steps mentioned in previous posts. I thought I'd post how I ended up getting this working to hopefully save someone else the trouble I went through.
First, my environment:
- Four ESXi hosts (ESXi 4.0.0 Build 256968)
- vCenter 4.0 Update 1 (Build 208111)
- VUM 4.0 Update 1
- vCenter is installed on W2K8 SP2 running SQL 2008 SP1
Solution:
1. Disconnect and remove all hosts from vCenter.
2. Stop vCenter services.
3. Reset vCenter SQL database password by executing "vpxd.exe -p" from the vCenter installation directory.
4. Restart vCenter services.
5. Follow the procedure outlined in this blog to replace VUM SSL certificates.
6. Add hosts back to vCenter.
After seeing an internal vmware KB and modifying it a bit, here's how I got it to work without reinstalling:
Configure vCenter Update Manager to use CA Issued SSL Certs on the vCenter Server for VUM
I have VMware installed to the D:\ modify to your needs:
Backup D:\VMware\Infrastructure\Update Manager\SSL to \Backup
Stop VMware vCenter Update Manager Service
Previously I created the certificate files with OpenSSL as described above
Copy the rui.key, rui.crt and rui.pfx from C:\ProgramData\VMware\VMware VirtualCenter\SSL to D:\VMware\Infrastructure\Update Manager\SSL
Run the following commands from D:\VMware\Infrastructure\Update Manager\SSL using the local admin account and standard password
vciInstallUtils.exe -v localhost -p 80 -U admin -P -C "D:\VMware\Infrastructure\Update Manager" -L "C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Logs" -I "D:\VMware\Infrastructure\Update Manager" --op install-keystore
~If the import is successful, the message Import and generation of certificate worked, install-keystore successful appears.
vciInstallUtils.exe -v localhost -p 80 -U admin -P -S "D:\VMware\Infrastructure\Update Manager\extension.xml" -C "D:\VMware\Infrastructure\Update Manager" -L "C:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Logs" --op extupdate
~If the operation completes successfully, the message The extension registration succeeded appears.
Start the VMware vCenter Update Manager Service.
Verify VUM Service Status
Close the vSphere Client if it's open.
Reopen and connect to the vCenter Server.
Check that the VMware Update Manager Service shows up green on the Home\Administration\vCenter Service Status page in the vSphere Client
~ AbeS
Abe,
Thanks for the detailed information! When I have time I'll try out your steps in my lab. VMware said with 4.1 U1 they should be publishing a supported method to the public.
The certificate files that I had previously installed were for vCenter. I just noticed this blog didn't have it, but I'm sure you have another post that does. The -P in the commands should have a password entry behind them.
To import certificates, run a command with the following syntax:
i. vciInstallUtils.exe -v -p -U -P -C -L -I --op install-keystore
I had this same issue when trying to run an upgrade install from VUM from VC 4.1 U1 to U2.
What worked for me was to wait until you get the "press next to complete the upgrade" prompt and then stop the VMware vCenter Update Manager Service. The upgrade install then completed successfully.
Stopping the VMware vCenter Update Manager service while upgrading did the trick for me too!!
Thanks!!
For me too
and me...