Changing the Primary Network Identifier (PNID) on vCenter

Preface

This has been happening to me a lot lately. vCenter gets deployed and configured with a hostname, and you probably don’t give it much thought until later, when a particular situation arises: it’s time to upload Transport Layer Security (TLS) certificates and you receive the following warning, “Error occurred while fetching tls: Invalid input certifcate : The Subject of the provided certificate does not contain the correct CN value”

I find that this is caused by the case-sensitive comparison the VMware vCenter Server Appliance (VCSA) makes between its hostname and the Common Name (CN) in the certificate. If vCenter is deployed with a lowercase hostname (my personal preference, now), e.g. vcsa.aaronrombaut.com, then the Certificate Signing Request (CSR) should also use the lowercase fully qualified domain name (FQDN). The case needs to match: a lowercase hostname needs a lowercase CN, and an uppercase hostname needs an uppercase CN.

The Fix

It’s ok if this situation occurs; you really have two choices. If this is a brand new deployment, it may be easier to redeploy the VCSA and pay attention to the step where the hostname is applied. If that doesn’t apply and you just want to fix it, then follow along…

Connect to the VCSA. Ensure SSH is enabled on the VCSA. You can enable this from the Virtual Appliance Management Interface (VAMI) (fqdn:5480) or by logging in to the appliance’s console.

Check the current value of the Primary Network Identifier (PNID) with the following command.

/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost

Set the PNID to the same name but with the case changed as appropriate, using the following command.

/usr/lib/vmware-vmafd/bin/vmafd-cli set-pnid --server-name localhost --pnid <pnid>

Reboot the VCSA by typing the following.

reboot

Get up and take a short break…

To verify the change, log into vSphere Client > Menu > Inventory. The VCSA name should now match the case you set on the command line. At this point, it should be safe to apply the TLS certificates without receiving a warning.
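As an added pre-flight check that is not part of the original post: before changing anything, compare the current PNID with the CN of the certificate you are about to upload, so you know whether you are looking at the case problem described above or at a genuinely different name. The functions take the output of get-pnid and of openssl x509 -noout -subject as plain strings; the hostnames in the comments and the certificate path are constructed placeholders.

```shell
#!/bin/bash
# Added pre-flight check (not from the original post): does the certificate CN
# match the VCSA PNID exactly, case included? Inputs are plain strings, e.g.
#   PNID=$(/usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost)
#   SUBJ=$(openssl x509 -noout -subject -in /tmp/vcsa.crt)   # path is a placeholder
#   classify_pnid_cn "$PNID" "$(cn_from_subject "$SUBJ")"

# Pull the CN out of an openssl "subject=" line. Works for the
# "subject=CN = host, O = org" layout and the older "subject= /O=org/CN=host" one.
cn_from_subject() {
    printf '%s\n' "$1" \
        | sed -n -E 's|.*CN ?= ?([^,/]+).*|\1|p' \
        | sed -E 's/[[:space:]]+$//'
}

# Report how the PNID and CN relate:
#   match          identical, the certificate upload should be accepted
#   case-mismatch  same name in a different case, the warning quoted above
#   mismatch       a different name, a new CSR is needed rather than a PNID change
classify_pnid_cn() {
    local pnid="$1" cn="$2"
    local lower_pnid lower_cn
    lower_pnid=$(printf '%s' "$pnid" | tr '[:upper:]' '[:lower:]')
    lower_cn=$(printf '%s' "$cn" | tr '[:upper:]' '[:lower:]')
    if [ "$pnid" = "$cn" ]; then
        echo match
    elif [ "$lower_pnid" = "$lower_cn" ]; then
        echo case-mismatch
    else
        echo mismatch
    fi
}

# For a case-only difference, print the set-pnid command from the post with the
# CN's spelling filled in; it is printed, not executed, so you can review it first.
suggest_fix() {
    local pnid="$1" cn="$2"
    if [ "$(classify_pnid_cn "$pnid" "$cn")" = case-mismatch ]; then
        echo "/usr/lib/vmware-vmafd/bin/vmafd-cli set-pnid --server-name localhost --pnid $cn"
    fi
}
```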

I have found that on newer vCenters, one more step needs to take place. This may be a newly required step, and it may even be safe to just apply it regardless of version, but I don’t have the time to install x versions of VCSA and test.

Log on to the vSphere Client and navigate to Home > Inventory > <choose a vCenter> > Configure > Settings > General > Edit > Runtime settings.

Change the vCenter Server Name and then click Save. Reboot the appliance.

You can now definitely install the TLS certificates!

Update vCenter Server Appliance (VCSA)

I wanted to update vCenter Server Appliance update 1 (vCenter Appliance 6.7 U1 (6.7.0.20000)) to the most current patch level which at the time of this post is Update 3k.

I navigated to VMware’s patch repository, https://my.vmware.com/group/vmware/patch#search, and selected VC and 6.7.0. I already have the appliance, so I downloaded the Appliance-Patch file as highlighted below.

Once downloaded, I added the .iso file to the VCSA virtual machine’s CD/DVD drive using the VMware Remote Console window. (It’s my personal preference to not add ISO files to datastores as I feel it is a waste of space and unnecessary)

I logged into the Virtual Appliance Management Interface (VAMI), https://fqdn:5480, and chose Update > CHECK UPDATES > Check CD ROM. I was presented with a screen stating, “No applicable update found.” I was a little concerned and thought maybe I had added the wrong ISO file, so I double checked.

After a little digging and documentation reading, I found that this upgrade path is not supported. I first have to patch to the base appliance level, in this case vCenter Appliance 6.7.0 Update 3, before I can apply the security patch. The following is an excerpt from the document, Patching the vCenter Server Appliance and Platform Services Controller Appliance.

VMware makes patches available on a monthly basis. These patches can only be applied in between major releases of vCenter Server Appliance. For example, patches released for the initial release of vCenter Server Appliance 6.7, are not applicable to vCenter Server Appliance 6.7 Update 1, as any patches previously made available will be included with the Update 1 release.

https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.upgrade.doc/GUID-043EF6BD-78F7-412F-837F-CBDF844F850C.html

So…let’s try that again

So now that I have RTFM, I can try again in the correct order. I downloaded the vCenter Appliance Update 3 (VMware-vCenter-Server-Appliance-6.7.0.40000-14367737-patch-FP.iso) ISO from the patches repository and loaded it into the vCenter Server Appliance’s CD ROM. I went back to the VAMI and checked for updates again, this time with a positive result!

To update:

  • Click on the STAGE AND INSTALL link above the Available updates table
  • Click to check the checkbox labeled, “I accept the terms of the license agreement”
  • Click the NEXT button
  • Click to uncheck the checkbox labeled, “Join the VMware’s Customer Experience Improvement Program (CEIP)” [Note: this is a lab environment, follow your organization’s policy regarding this program]
  • Click the NEXT button
  • Click to check the checkbox labeled, “I have backed up vCenter Server and its associated databases.” [Note: Make sure that you actually do have a backup to be safe]
  • Click the FINISH button

Ref: Patching the vCenter Server Appliance by Using the Appliance Management Interface (https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.upgrade.doc/GUID-E2E359B1-5834-4BFF-AEFE-6CEBFC8CC3D5.html) and subsequently, Install vCenter Server Appliance Patches (https://docs.vmware.com/en/VMware-vSphere/6.7/com.vmware.vcenter.upgrade.doc/GUID-E5E78149-4AC8-4DD7-BBA8-19CC17711D40.html).

Wait for the server to install the update and show Installation succeeded. Click the Close button.

Depending on how long the process took, you may need to log into the VAMI again. Verify that the Version shown has changed from the previous one.

This time you can load up the most recent patch and follow the update procedure again.

At the end, you should have an updated appliance with the most recent patch.

Recover vCenter Appliance after Power/Storage Failure

Well, this would have saved me quite a bit of time in my past. My storage device got unplugged from the network while my lab was running and vCenter refused to come back. This is expected as the appliance has an embedded database.

I found this article from VMware that worked! It took less than 10 minutes.

https://kb.vmware.com/s/article/2149838

Use Shift + PgUp to scroll back through the boot messages and find out which filesystem, if any, is causing trouble.

Then type df -h to ensure none of the filesystems are full.

Compare /etc/fstab with the output from df -h to find any filesystem that should be mounted but isn’t.

Once you have identified the missing or corrupt filesystem, run

e2fsck -y /dev/filesystem-that-needs-to-be-checked

Reboot the appliance and away you go!

reboot
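As an added example that is not part of the original post or the linked KB article, here is the fstab-versus-df comparison from the steps above as a small script: it prints each fstab entry whose mount point is absent from df, which is the device to hand to e2fsck. The fstab and df text it runs on are constructed samples shaped like a VCSA 6.7 appliance, not captured output.

```shell
#!/bin/bash
# Added example (not from the original post or the VMware KB): list the mount
# points /etc/fstab expects that df does not show, so you know which device to
# hand to e2fsck. Inputs are passed as text; on the appliance run
#   missing_mounts "$(cat /etc/fstab)" "$(df -h)"

missing_mounts() {
    local fstab="$1" df_out="$2"
    # Expected mounts: device and mount point from fstab, skipping comments,
    # swap entries and pseudo-entries with no real mount point.
    printf '%s\n' "$fstab" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        $2 == "none" || $2 == "swap" || $3 == "swap" { next }
        { print $1, $2 }
    ' | while read -r dev mnt; do
        # Mounted: last column ("Mounted on") of every df line after the header.
        if ! printf '%s\n' "$df_out" | awk 'NR > 1 { print $NF }' | grep -qx -- "$mnt"; then
            echo "$dev $mnt"
        fi
    done
}

# Constructed sample input, shaped like a VCSA 6.7 fstab and df -h (not real output).
SAMPLE_FSTAB='# <device>               <mount>       <type> <opts>   <dump> <pass>
/dev/sda3                /             ext4   defaults 1      1
/dev/sda2                swap          swap   defaults 0      0
/dev/mapper/log_vg-log   /storage/log  ext3   defaults 1      2
/dev/mapper/db_vg-db     /storage/db   ext3   defaults 1      2'

SAMPLE_DF='Filesystem              Size  Used Avail Use% Mounted on
/dev/sda3                11G  4.5G  5.7G  45% /
/dev/mapper/log_vg-log   10G  1.2G  8.3G  13% /storage/log'

# Prints: /dev/mapper/db_vg-db /storage/db  (so: e2fsck -y /dev/mapper/db_vg-db)
missing_mounts "$SAMPLE_FSTAB" "$SAMPLE_DF"
```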