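Opening the vCenter web page shows a "no healthy upstream" error
Solution:
1. Connect to the VCSA host over SSH.
2. Run the following command to check the validity period of each certificate; it shows that the __MACHINE_CERT certificate has expired.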
for i in $(/usr/lib/vmware-vmafd/bin/vecs-cli store list); do echo STORE $i; sudo /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store $i --text | egrep "Alias|Not After"; done
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Feb 19 10:44:17 2026 GMT # each renewal is valid for at most 730 days; remember to renew it in vCenter before that time runs out
[*] Store : TRUSTED_ROOTS
Alias : 0ebb07a467cae1e16a6b19f3bba285993d8b38b9
Not After : Feb 13 22:44:16 2034 GMT
[*] Store : machine
Alias : machine
Not After : Feb 13 22:44:16 2034 GMT
[*] Store : vsphere-webclient
Alias : vsphere-webclient
Not After : Feb 13 22:44:16 2034 GMT
[*] Store : vpxd
Alias : vpxd
Not After : Feb 13 22:44:16 2034 GMT
[*] Store : vpxd-extension
Alias : vpxd-extension
Not After : Feb 13 22:44:16 2034 GMT
Check the appliance's own hostname and IP address
$ hostname -f
vcenter.zyx
$ ifconfig
192.168.1.5
Use /usr/lib/vmware-vmca/bin/certificate-manager to manage the certificates
root@vcenter [ / ]# /usr/lib/vmware-vmca/bin/certificate-manager
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 8.0 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| NOTE: Solution user certs will be deprecated in a future |
| release of vCenter. Refer to release notes for more details.|
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
Option[1 to 8]: 8
Do you wish to generate all certificates using configuration file : Option[Y/N] ? : y
Please provide valid SSO and VC privileged user credential to perform certificate operations.
Enter username [Administrator@vsphere.local]:administrator@zyxweb.cn # account
Enter password: # password
Please configure certool.cfg with proper values before proceeding to next step.
Press Enter key to skip optional parameters or use Default value.
Enter proper value for 'Country' [Default value : US] :
Enter proper value for 'Name' [Default value : CA] :
Enter proper value for 'Organization' [Default value : VMware] :
Enter proper value for 'OrgUnit' [optional] :
Enter proper value for 'State' [Default value : California] :
Enter proper value for 'Locality' [Default value : Palo Alto] :
Enter proper value for 'IPAddress' (Provide comma separated values for multiple IP addresses) [optional] : 192.168.1.5 # IP address
Enter proper value for 'Email' [Default value : email@acme.com] :
Enter proper value for 'Hostname' (Provide comma separated values for multiple Hostname entries) [Enter valid Fully Qualified Domain Name(FQDN), For Example : example.domain.com] : vcenter.zyx # FQDN that clients use to connect; must match the DNS name
Enter proper value for VMCA 'Name' :vcenter # used by the internal CA when generating certificates; kept for compatibility
Continue operation : Option[Y/N] ? : y
You are going to reset by regenerating Root Certificate and replace all certificates using VMCA
Continue operation : Option[Y/N] ? : y
Status : 60% Completed [Reset vpxd-extension Cert...]
Reset status : 85% Completed [starting services...]
Reset status : 100% Completed [Reset completed successfully]
# once this appears, the vCenter page opens normally again
Reference blogs:
vCenter7 __MACHINE_CERT certificate expired: fixing the no healthy upstream failure | SundayHK
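To catch the next expiry before the web client breaks again, the store listing from step 2 can be checked automatically. The script below is an added example, not part of the original post or of any VMware tooling: it parses the "Store / Alias / Not After" text and reports entries that are expired or within a warning window. The names `parse_listing`, `expiring` and `warn_days` and the sample dates are assumptions made for the illustration.

```python
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of the step 2 listing (dates chosen for the demo).
SAMPLE = """\
[*] Store : MACHINE_SSL_CERT
Alias : __MACHINE_CERT
Not After : Feb 19 10:44:17 2026 GMT
[*] Store : machine
Alias : machine
Not After : Feb 13 22:44:16 2034 GMT
STORE vpxd
Alias : vpxd
            Not After : Jan 10 00:00:00 2026 GMT
"""

def parse_listing(text):
    """Yield (store, alias, not_after_utc) for each certificate entry."""
    store = alias = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[*] Store"):        # header as shown in the listing
            store = line.split(":", 1)[1].strip()
        elif line.startswith("STORE "):         # header echoed by the for-loop
            store = line[len("STORE "):].strip()
        elif line.startswith("Alias"):
            alias = line.split(":", 1)[1].strip()
        elif line.startswith("Not After"):
            stamp = line.split(":", 1)[1].strip()
            if not stamp.endswith(" GMT"):
                raise ValueError(f"unexpected time zone in {stamp!r}")
            when = datetime.strptime(stamp[:-4], "%b %d %H:%M:%S %Y")
            yield store, alias, when.replace(tzinfo=timezone.utc)

def expiring(text, now, warn_days=30):
    """Return [(store, alias, days_left)] with days_left <= warn_days, soonest first.
    A negative days_left means the certificate has already expired."""
    hits = [(s, a, (t - now).days) for s, a, t in parse_listing(text)]
    return sorted((h for h in hits if h[2] <= warn_days), key=lambda h: h[2])

if __name__ == "__main__":
    # Pipe the step 2 loop into this script; with no pipe it runs on SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = expiring(text, datetime.now(timezone.utc))
    for store, alias, days in found:
        state = "EXPIRED" if days < 0 else "expires soon"
        print(f"{state}: store={store} alias={alias} days_left={days}")
    sys.exit(1 if found else 0)
```

The non-zero exit status when anything is flagged lets a cron job or monitoring agent alert on it.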
Using vSphere Certificate Manager to Replace SSL Certificates



