vCenter 5.5 to 6.5U1 Upgrade – SSL Errors

Posted by & filed under Server Admin, Virtualization, VMWare.

Ran into some issues with the ssl certs on the vCenter server when trying to run the Migration Assistant. Notes on the will follow, but first links to articles on the actual upgrade:

The issues I ran into with the migration assistant complained of the SSL certs not matching. Upon inspecting the certs I found all were issued for domain.lan except for one which was issued to domain.net. I followed these articles to generate a new vCenter cert and install it:

  • Generate SSL cert using openssl: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2074942
  • Install and activate cert: https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2061973

As the Appliance Installer reached Stage 2 of the install, where it copies the data to the new VCSA, I received the following error (note the yellow warning in the background along with the details in the foreground):

To resolve this error, I followed these articles:

  • Upgrading to VMware vCenter 6.0 fails with the error: Error attempting Backup PBM Please check Insvc upgrade logs for details (2127574): https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2127574
  • Resetting the VMware vCenter Server 5.x Inventory Service database (2042200): https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2042200#3

These essentially had me reset the Inventory Service’s database due to corruption. I had noticed the vSphere client being slow in recent weeks; this could be a side effect.

  • Additional, more generic docs for troubleshooting vCenter upgrades: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2106760

Tomcat 7 SSL – Swapping a Cert out in the keystore

Posted by & filed under Server Admin.

I have a PKCS12 .pfx export of a cert that I need to import into a Tomcat keystore in order to update an expiring certificate.

Need to know a few things beforehand:

  • Tomcat keystore path
  • Source store password for the pfx file
  • Source alias in the pfx
  • Destination keystore password
  • Destination alias (tomcat here)

Then import the entry from the pfx into the Tomcat keystore:

keytool -importkeystore -srckeystore wildcard_2016.pfx -srcstoretype pkcs12 -srcstorepass changeit -srcalias 4b84576db-35ca-8dc45b92a -destkeystore C:\ibi\ssl\.keystore -deststoretype jks -deststorepass changeit! -destalias tomcat

In order to get the source alias from the new pfx file:

keytool -v -list -storetype pkcs12 -keystore wildcard_2016.pfx > output.txt

If you need to get the alias from the existing Tomcat keystore:

keytool -list -v -keystore C:\ssl\.keystore > tomcatkeystore.txt

Additionally, the above command can be used to verify the certificate, expiry date, etc.

Lastly, if you restart Tomcat and it throws errors like the following in the catalina log, you may need to reset the password on the imported key entry:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio-443"]
java.security.UnrecoverableKeyException: Cannot recover key
...more stack trace here...

Reset it to the password defined in the server.xml keyStorePass parameter using the following command, adjusting the alias to your needs. The new password given with -new must match the keyStorePass parameter, since Tomcat uses the keystore password to unlock the key.

keytool -keypasswd -new changeit -keystore C:\ssl\.keystore -storepass changeit -alias tomcat

You can also reset the password for the keystore itself (www.ibm.com/support/knowledgecenter/en/S…):

PS C:\> .\keytool.exe -keypasswd -new REDACTED -keystore C:\.keystore -alias tomcat

EDIT FROM THE FUTURE:

Additional note — when trying to run the import command I was getting the following error:

Existing entry alias 2 exists, overwrite? [no]:  yes
keytool error: java.lang.Exception: Alias <2> does not exist

I ran the following to verify the alias is correct:

PS C:\> .\keytool.exe -list -keystore C:\server2017.pfx -storetype pkcs12        
Enter keystore password: 

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

2, Mar 13, 2017, PrivateKeyEntry,
Certificate fingerprint (MD5): RE:DA:CT:ED:DE:AD:BE:EF

Key ID of 2 is displayed correctly here as well as a more verbose output also showed the same:

.\keytool.exe -list -v -keystore C:\server_2017.pfx

I then took the same .pfx file and checked it on a linux machine based on a hint from this stackoverflow on binary chars: http://stackoverflow.com/questions/15301005/keytool-cant-find-alias

nate@beef:~/$ keytool -list -keystore server2017.pfx -storetype pkcs12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, Mar 13, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): RE:DA:CT:ED:DE:AD:BE:EF

And lo’ and behold it shows the alias is actually 1!

...Back in Windows land:

PS C:\> ./keytool -importkeystore -srckeystore C:\server2017.pfx -srcstoretype pkcs12 -srcstorepass REDACTED -srcalias 1 -destkeystore C:\.keystore -deststoretype jks -deststorepass REDACTED -destalias tomcat
Existing entry alias 1 exists, overwrite? [no]:  yes

It accepted alias 1 instead and the cert imported correctly. I love Tomcat -_-
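An added example, not code from the original post, that parses the text written by the keytool -list -v command shown earlier (for example the tomcatkeystore.txt redirect) and reports each entry's alias, entry type and leaf-certificate expiry. It prints the alias through repr() so that control or non-ASCII characters of the kind the StackOverflow hint describes become visible before they are pasted into -srcalias, and it lists entries that are expired or expiring soon. The listing embedded in the script is constructed sample data, not a real keystore.

```python
"""Report alias, entry type and expiry for each entry in `keytool -list -v`
output, and flag aliases that contain hidden characters.

Added example, not code from the original post. The listing below is a
constructed sample; pass a real listing file as the first argument instead.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of `keytool -list -v` output. The second alias is "1"
# followed by a control character: exactly what `-srcalias 1` would not find.
SAMPLE_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Mar 13, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=*.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Serial number: 1a2b3c
Valid from: Mon Mar 13 10:00:00 UTC 2017 until: Wed Mar 13 10:00:00 UTC 2019
Certificate fingerprints:
\t SHA1: RE:DA:CT:ED:DE:AD:BE:EF
Signature algorithm name: SHA256withRSA


*******************************************
*******************************************


Alias name: 1\x01
Creation date: Mar 13, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=server.example.test, O=Example
Issuer: CN=Example Issuing CA, O=Example
Serial number: 4d5e6f
Valid from: Mon Mar 13 10:00:00 UTC 2017 until: Sat Mar 13 10:00:00 UTC 2027


*******************************************
*******************************************
"""

ALIAS_RE = re.compile(r"^Alias name: (?P<alias>.*)$", re.M)
TYPE_RE = re.compile(r"^Entry type: (?P<etype>.*)$", re.M)
# keytool prints e.g. "until: Wed Mar 13 10:00:00 UTC 2019"; weekday and zone
# name depend on the locale, so only month/day/time/year are parsed and the
# value is treated as UTC, which is close enough for an expiry check.
UNTIL_RE = re.compile(r"until: \w{3} (\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ (\d{4})")


def parse_listing(text):
    """Return one dict per keystore entry, in listing order."""
    entries = []
    # Entries are separated by lines of asterisks.
    for block in re.split(r"^\*{10,}\s*$", text, flags=re.M):
        alias_m = ALIAS_RE.search(block)
        if not alias_m:
            continue
        alias = alias_m.group("alias").rstrip("\r")
        type_m = TYPE_RE.search(block)
        until_m = UNTIL_RE.search(block)  # first match is Certificate[1], the leaf
        not_after = None
        if until_m:
            not_after = datetime.strptime(
                f"{until_m.group(1)} {until_m.group(2)}", "%b %d %H:%M:%S %Y"
            ).replace(tzinfo=timezone.utc)
        entries.append({
            "alias": alias,
            "alias_repr": repr(alias),  # makes control/non-ASCII characters visible
            "hidden_chars": any(not c.isprintable() or ord(c) > 126 for c in alias),
            "entry_type": type_m.group("etype").strip() if type_m else None,
            "not_after": not_after,
        })
    return entries


def expiring(entries, now, within_days=30):
    """Aliases whose leaf certificate is expired or expires within N days.

    `now` may be an aware datetime or an ISO date string such as "2019-02-20".
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    return [
        e["alias"] for e in entries
        if e["not_after"] is not None and (e["not_after"] - now).days < within_days
    ]


if __name__ == "__main__":
    text = SAMPLE_LISTING
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    found = parse_listing(text)
    for e in found:
        flag = "  <-- alias contains hidden characters" if e["hidden_chars"] else ""
        print(f"{e['alias_repr']:<12} {e['entry_type']:<16} expires {e['not_after']}{flag}")
    print("expired or expiring within 30 days:", expiring(found, datetime.now(timezone.utc)))
```

Run it against the redirected listing (python check_keystore.py tomcatkeystore.txt) before swapping a cert: the repr() column tells you the exact string to hand to -srcalias, and the expiry column confirms the new entry, not the old one, is the one Tomcat will serve.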

OpenSSL – Extracting a crt and key from a pkcs12 file

Posted by & filed under Linux, Server Admin.

Quick and dirty way to pull out the key and crt from a pkcs12 file:

openssl pkcs12 -in filename.pfx -nocerts -out filename.key

openssl pkcs12 -in filename.pfx -clcerts -nokeys -out filename.crt 

If you are using this for Apache and need to strip the passphrase from the private key so Apache does not prompt for it each time it starts:

openssl rsa -in /path/to/originalkeywithpass.key -out /path/to/newkeywithnopass.key

Apache key and cert generation

Posted by & filed under Server Admin.

Here’s a nice one-liner to generate a private key and CSR:

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain.key -out yourdomain.csr

This generates the key and the CSR in one shot.

Generating KEY/CSR/CRT with OpenSSL on Windows

Posted by & filed under Uncategorized.

I had to generate a CRT for a server that runs Windows but has Apache and OpenSSL installed. I figured I'd do a quick key/csr/crt refresher.

Go to the /bin directory of the OpenSSL install and run openssl.exe; the commands below are entered at its OpenSSL> prompt.

First, generate a keyfile. Thawte is pushing the use of 2048-bit keys, so substitute the size if needed.

genrsa -des3 -out keyfile.key 1024

Next, verify the keyfile:

rsa -noout -text -in keyfile.key

Create an unsecured version of the keyfile so Apache doesn’t ask for a password every time it loads; this is the key to reference in the Apache config.

rsa -in keyfile.key -out unsecured.keyfile.key

Create the actual CSR:

req -new -key keyfile.key -out certificate.csr

If you get this error:

OpenSSL req -new -key digitss.key -out digitss.csr

Unable to load config info from /usr/local/ssl/openssl.cnf

Run this to specify the config file instead:

OpenSSL req -new -key keyfile.key -out certificate.csr -config openssl.cnf

Now just point Apache at the keyfile, and install the cert when it arrives.
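An added example, not code from the original posts, covering the key files produced in the pkcs12 extraction post above and in the unsecured-keyfile step of this one. It parses a PEM file, reports which blocks it holds, and tells you whether the private key is still passphrase-protected (either the legacy Proc-Type/DEK-Info headers or the PKCS#8 ENCRYPTED PRIVATE KEY label), which is the condition that makes Apache prompt at startup. It also pulls the friendlyName out of the Bag Attributes that openssl pkcs12 prints, which is the same alias keytool shows for the pfx. The PEM bodies in the script are constructed placeholders, not real keys or certificates.

```python
"""Check PEM files produced by `openssl pkcs12` / `openssl rsa` before pointing
Apache at them: which blocks are present and whether the key has a passphrase.

Added example, not from the original posts. The PEM bodies below are
constructed placeholders, not real key or certificate material.
"""
import base64
import re
import sys

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)
PRIVATE_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}

# Placeholder body (valid base64, not a key) used to build the samples.
_BODY = base64.b64encode(b"constructed placeholder body, not real key material").decode()

# Shape of `openssl pkcs12 -in f.pfx -nocerts -out f.key` output, legacy format
SAMPLE_ENCRYPTED_KEY = f"""\
Bag Attributes
    friendlyName: 1
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

{_BODY}
-----END RSA PRIVATE KEY-----
"""
# Shape of `openssl rsa -in f.key -out f.nopass.key` output
SAMPLE_PLAIN_KEY = f"""\
-----BEGIN RSA PRIVATE KEY-----
{_BODY}
-----END RSA PRIVATE KEY-----
"""
# PKCS#8 encrypted key, as newer OpenSSL releases write it
SAMPLE_PKCS8_ENCRYPTED = f"""\
-----BEGIN ENCRYPTED PRIVATE KEY-----
{_BODY}
-----END ENCRYPTED PRIVATE KEY-----
"""
# Shape of `openssl pkcs12 -in f.pfx -clcerts -nokeys -out f.crt` output
SAMPLE_CERT = f"""\
Bag Attributes
    friendlyName: 1
subject=CN = server.example.test
issuer=CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
{_BODY}
-----END CERTIFICATE-----
"""


def parse_pem(text):
    """Return one dict per PEM block: label, encryption status, body validity."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        label = m.group("label")
        headers, data, in_headers = {}, [], True
        for line in m.group("body").splitlines():
            line = line.strip()
            # Legacy encrypted keys carry "Proc-Type: 4,ENCRYPTED" and
            # "DEK-Info: <cipher>,<iv>" header lines before a blank line.
            if in_headers and ":" in line:
                key, value = line.split(":", 1)
                headers[key.strip()] = value.strip()
                continue
            in_headers = False
            if line:
                data.append(line)
        try:
            base64.b64decode("".join(data), validate=True)
            valid_body = True
        except ValueError:  # binascii.Error is a ValueError subclass
            valid_body = False
        blocks.append({
            "label": label,
            "is_private_key": label in PRIVATE_KEY_LABELS,
            "encrypted": (label == "ENCRYPTED PRIVATE KEY"
                          or headers.get("Proc-Type", "").endswith("ENCRYPTED")),
            "dek_info": headers.get("DEK-Info"),
            "valid_body": valid_body,
        })
    return blocks


def friendly_names(text):
    """friendlyName values from the Bag Attributes openssl pkcs12 prints."""
    return re.findall(r"^\s*friendlyName: (.*)$", text, re.M)


def apache_key_ready(text):
    """(ok, reason) for a file intended as SSLCertificateKeyFile."""
    keys = [b for b in parse_pem(text) if b["is_private_key"]]
    if len(keys) != 1:
        return False, f"expected exactly one private key block, found {len(keys)}"
    key = keys[0]
    if key["encrypted"]:
        return False, "private key is passphrase-protected; Apache will prompt at start"
    if not key["valid_body"]:
        return False, "private key body is not valid base64"
    return True, f"unencrypted {key['label']} block"


if __name__ == "__main__":
    for path in sys.argv[1:] or []:
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
        print(path, [b["label"] for b in parse_pem(content)], friendly_names(content),
              apache_key_ready(content))
```

Running python check_pem.py newkeywithnopass.key should report (True, ...) before the key goes into the Apache config; a (False, "passphrase-protected ...") result means the openssl rsa step was skipped or wrote to the wrong file.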