<p><strong>Bad Things Will Happen - VMware</strong></p>
<p>Welcome to my blog site. This is where I put my random stuff so I won't forget it.</p>
<p>Feed updated 2023-03-02T02:40:03+08:00</p>
<p><strong>VMware VCSA Update Manager - Service crashed while starting</strong></p>
<p>John Treen | VMware | Published 2020-03-01T21:36:00+08:00, updated 2020-09-21T08:44:49+08:00</p>
<p>If you have used custom certificates and are having problems upgrading VMware VCSA or are having problems trying to perform a backup, you may have a problem with the VMware Update Manager service. VMware's knowledgebase article applies to this issue: https://kb.vmware.com/s/article/2121689.</p>
<p>This procedure should fix the thumbprint mismatch which is causing the problem.</p>
<p>SSH into your VMware vCenter Server Appliance.</p>
<pre>
ssh root@<HOSTNAME>
</pre>
<p>If your SSH session doesn't automatically enter a shell, run the following.</p>
<pre>
shell
</pre>
<p>Run the following command to get the current Machine SSL Certificate.</p>
<pre>
/usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /tmp/machineSSL.crt
</pre>
<p>Run the following command to get the SSL trust certificate.</p>
<pre>
(echo "-----BEGIN CERTIFICATE-----";/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2>/dev/null |grep "SSL trust: " |cut -f2 -d: |cut -b2-;echo "-----END CERTIFICATE-----") > /tmp/newcert.crt
</pre>
<p>Get the thumbprints of the two certificates.</p>
<pre>
openssl x509 -in /tmp/machineSSL.crt -fingerprint -noout
openssl x509 -in /tmp/newcert.crt -fingerprint -noout
</pre>
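<p>The thumbprint comparison from the steps above as a script. This is an added example, not part of the original post or of VMware's tooling; the function names are hypothetical, and the bytes used when it is run without arguments are constructed stand-ins, not real certificates. It computes the SHA-1 thumbprint over the decoded certificate bytes and rejects a file that contains only the BEGIN/END lines, which is what the lookup command writes if it returns nothing.</p>

```python
import base64
import hashlib
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """DER bytes of the first certificate block in pem_text.

    All whitespace is dropped before decoding, so the single unwrapped
    base64 line built from the lstool.py output decodes like a wrapped PEM.
    """
    m = PEM_RE.search(pem_text)
    body = "".join(m.group(1).split()) if m else ""
    if not body:
        # e.g. lstool.py returned nothing and only the BEGIN/END lines were written
        raise ValueError("no certificate data between BEGIN/END markers")
    return base64.b64decode(body, validate=True)


def thumbprint(pem_text):
    """SHA-1 of the DER bytes as colon-separated upper-case hex."""
    h = hashlib.sha1(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def compare(machine_pem, registered_pem):
    """Return (match, machine_thumbprint, registered_thumbprint)."""
    a, b = thumbprint(machine_pem), thumbprint(registered_pem)
    return a == b, a, b


def make_pem(der, width=64):
    """Build a PEM block from raw bytes; width=0 keeps the base64 on one line."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)] if width else [b64]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) == 3:   # e.g. /tmp/machineSSL.crt /tmp/newcert.crt
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            pems = f1.read(), f2.read()
    else:                    # constructed stand-in bytes, not real certificates
        pems = make_pem(b"constructed-cert-A" * 8), make_pem(b"constructed-cert-B" * 8, 0)
    match, a, b = compare(*pems)
    print("machine SSL:", a, "\nregistered :", b)
    print("MATCH" if match else "MISMATCH: update the Lookup Service registration")
    sys.exit(0 if match else 1)
```

<p>Run with the two file paths as arguments; the exit status is 0 when the thumbprints match and 1 when they differ.</p>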
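<p>If the two thumbprints do not match, update the Lookup Service registration with the following command, where the <code>SECOND_FINGERPRINT</code> placeholder is the thumbprint printed by the second <code>openssl</code> command (the one for <code>/tmp/newcert.crt</code>). Because the password is passed on the command line, it is recorded in the shell history and is visible in the process list while the command runs.</p>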
<pre>
/usr/lib/vmidentity/tools/scripts/ls_update_certs.py --url http://localhost:7080/lookupservice/sdk --fingerprint <SECOND_FINGERPRINT> --certfile /tmp/machineSSL.crt --user administrator@vsphere.local --password <PASSWORD>
</pre>
<p>Start the VMware Update Manager service.</p>
<pre>
service-control --start vmware-updatemgr
</pre>
<p><strong>Disable SSH warning on VMware ESXi</strong></p>
<p>John Treen | VMware | Published 2018-03-16T15:54:00+08:00, updated 2020-09-21T08:44:49+08:00</p>
<p>Using the command line (vim-cmd):</p>
<p><code>vim-cmd hostsvc/advopt/update UserVars.SuppressShellWarning long 1</code></p>
<p>Using the vSphere Client:</p>
<ol>
<li>Select the ESXi host from the Inventory.</li>
<li>Click the <strong>Configuration</strong> tab.</li>
<li>Select <strong>Advanced Settings</strong> in the <strong>Software</strong> list.</li>
<li>Locate <strong>UserVars</strong> in the left list.</li>
<li>Locate <strong>UserVars.SuppressShellWarning</strong> in the right list.</li>
<li>Set the value from 0 to <strong>1</strong>.</li>
<li>Click <strong>OK</strong>.</li>
</ol>
<p>Using the Host Web Client:</p>
<ol>
<li>From the <strong>Navigator</strong> under <strong>Host</strong> select <strong>Manage</strong>.</li>
<li>Select <strong>Advanced settings</strong> in the <strong>System</strong> tab.</li>
<li>Locate <strong>UserVars.SuppressShellWarning</strong>.</li>
<li>Select it and click <strong>Edit option</strong>.</li>
<li>Set the new value to <strong>1</strong> and click <strong>Save</strong>.</li>
</ol>
<p><strong>Remove "SSH for the host has been enabled" warning from ESXi</strong></p>
<p>John Treen | VMware | Published 2014-02-14T11:18:00+08:00, updated 2016-01-14T01:20:25+08:00</p>
<p>VMware Reference: <a href="http://kb.vmware.com/selfservice/mysupport/viewdocument.do?externalId=2003637">http://kb.vmware.com/selfservice/mysupport/viewdocument.do?externalId=2003637</a></p>
<p><strong>VMware vCenter Server behind NAT Router</strong></p>
<p>John Treen | VMware | Published 2014-02-13T10:19:00+08:00, updated 2016-01-14T01:20:13+08:00</p>
<p>If your vCenter Server is behind a NAT, the hosts will drop out after about a minute. To fix this problem, you must add a port forward on the router to relay UDP/902 back to the vCenter Server and configure the Virtual Center agent on the host to point to the external NAT IP address.</p>
<p>VMware Reference: <a href="http://kb.vmware.com/selfservice/mysupport/viewdocument.do?externalId=1010652">http://kb.vmware.com/selfservice/mysupport/viewdocument.do?externalId=1010652</a></p>
<p>iptables configuration:</p>
<pre>
iptables -t nat -A PREROUTING -i {WAN_INTERFACE} -p udp --dport 902 -j DNAT --to-destination {VCENTER_IP}:902
</pre>
<p><strong>VMware vSphere Client 5.5 on Domain Controller</strong></p>
<p>John Treen | VMware | Published 2014-02-12T09:33:00+08:00, updated 2016-01-14T01:19:58+08:00</p>
<p>When there is no other option and you must install the vSphere Client on your Domain Controller, you can skip the installer's OS checks with the following:</p>
<pre>
VMware-viclient-all-5.5.0-1281650.exe /VSKIP_OS_CHECKS="1"
</pre>