Notes on resolving an expired NSX SSL certificate

Virtualization · 53 views · 4 min read
This article is worth several thousand RMB; here is a brief record of it.

Issue/Introduction

This script is intended to be used to resolve certificate management issues on NSX 3.2.x, 4.0.x, 4.1.x and 4.2.x.

  • Update self signed certs.
  • NSX certs are showing expired.
  • For certificate operations and management on NSX 4.2.x, the user interface (System, Certificates) can now be used to manage and replace certificates and should be the preferred option, over using the CARR script attached to this KB. For further details, please review the section Replace Certificates Through NSX Manager in the NSX administration guide and the KB Renew or replace the self-signed SSL certificates via GUI.
  • It performs integrity checks and recovery operations for NSX self-signed certificates, and can replace certificates that have expired or will be expiring soon.
  • Expired certificates with a value of 0 in the ‘Used By’ column, can be deleted in the UI, the script does not delete these.
  • It can replace certificates on the NSX Manager as well as on NSX Transport Nodes, Edges and Hosts.
  • CA signed certificates are out of scope and should be managed by your organization owners. If CA certs are using VMCA, see Scripted process to replace expired or self-signed VMware NSX Manager Certificates with VMCA-Signed Certificates.

Environment

  • VMware NSX-T Data Center 3.2.x
  • VMware NSX 4.x prior to 4.2.x. (It can also be used in 4.2.x and higher, but the ability to manage and replace certificates from the Certificates page within the NSX GUI was added in 4.2.x, so using the CARR script to replace these certs is NOT considered the preferred method there.)
  • VCF NSX 9.0.0

Resolution

The script will make an assessment of all certificates requiring remediation, present the proposed changes and ask for approval to proceed. From version 1.21 the dry run must be run prior to the remediation run.

  1. Copy the script, attached to the bottom of this KB, to the /root directory on any NSX Manager
  2. Extract the script
    tar -xvf carr-1.21.tar.gz
  3. Change to the extracted folder
    cd carr-1.21
  4. Run in dry-run assessment mode first; this is a mandatory step. It generates a file validation_config_recovery_mode.yaml, which is consumed by default in step 5
    ./start.sh -d
  5. Remediate all certificates that will expire in 825 days or less
    ./start.sh
  6. In the NSX UI, under System > Certificates, manually delete all unused expiring and expired certs that CARR has replaced
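Before step 4 and after step 5 an operator usually wants an independent check of which certificates fall inside the 825-day horizon CARR uses. The script below is an added example written for this note; it is not part of the KB and not the CARR script. It relies only on the openssl CLI (present on NSX Manager appliances and most Linux hosts). The host name nsx-mgr-example.local and the throwaway self-signed certificates it generates are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the KB or the CARR script): classify X.509 certificates
# against the 825-day horizon that the CARR remediation run uses, so the set of
# certs it would replace can be confirmed before and after running ./start.sh.

CARR_HORIZON_DAYS=825   # step 5: "expire in 825 days or less"

# cert_status DAYS PEMFILE -> prints EXPIRING or OK (exit status is always 0).
# "openssl x509 -checkend N" succeeds only if the cert is still valid N seconds
# from now, so already-expired certificates are also reported as EXPIRING.
cert_status() {
  days="$1"; pem="$2"
  if openssl x509 -noout -checkend "$((days * 86400))" -in "$pem" >/dev/null 2>&1; then
    echo OK
  else
    echo EXPIRING
  fi
}

# cert_not_after PEMFILE -> prints the notAfter field, e.g. "Jun  1 00:00:00 2027 GMT"
cert_not_after() {
  openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# fetch_server_cert HOST PORT OUTFILE -> saves the leaf certificate presented on
# HOST:PORT (an NSX Manager listens on 443) so cert_status can run on the live endpoint.
# Assumed usage: fetch_server_cert nsx-mgr-example.local 443 /tmp/nsx-mgr.pem
fetch_server_cert() {
  host="$1"; port="$2"; out="$3"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$out"
}

# make_test_cert DAYS OUTFILE -> constructed sample: a throwaway self-signed
# certificate valid for DAYS days, standing in for an NSX self-signed cert.
make_test_cert() {
  days="$1"; out="$2"
  openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
    -subj "/CN=nsx-mgr-example.local" -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Stand-alone demo: one certificate inside the CARR horizon, one outside it.
demo() {
  dir="$(mktemp -d)"
  make_test_cert 30  "$dir/soon.pem"    # expected: EXPIRING
  make_test_cert 900 "$dir/later.pem"   # expected: OK
  for pem in "$dir/soon.pem" "$dir/later.pem"; do
    printf '%-9s %s (notAfter %s)\n' \
      "$(cert_status "$CARR_HORIZON_DAYS" "$pem")" "$pem" "$(cert_not_after "$pem")"
  done
  rm -rf "$dir"
}

demo
```

To check a real manager instead of the constructed samples, call fetch_server_cert against the appliance and then cert_status on the saved file; a cert that still reads EXPIRING after step 5 is one CARR did not replace (for example a CA-signed cert, which the KB puts out of scope).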

Download script: Baidu Netdisk (百度网盘)

There should be no impact associated with running the CARR script, but Broadcom recommends running the script during a maintenance window.

kb: Using Certificate Analyzer, Results and Recovery (CARR) Script to fix certificate related issues in NSX

If you have disconnected hosts after replacing expired APH_TN certificates, please follow KB 417130.


  1. ymz316

    A learning resource from a true technical expert; as a layman I'm showing my support. good
