VMware Solutions Discussions

VSC 6.0 SSL Cert replacement

FULLSTEAM
2,745 Views

Not sure where to file a case on this.

 

There are no clear instructions on how to replace the self-signed SSL certificates in VSC, with CA-signed ones.  I'm using VSC for vSphere 6.2P1, with a Linux-based VCSA and ESXi versions 6.0U2.  Also, cDOT NAS datastores, running 8.2.4P2.

The VSC manual, https://library.netapp.com/ecm/ecm_get_file/ECMLP2371569 , page 49, says that the certificate must be signed with SHA1.
With SHA1 being deprecated, this is a bug that VSC should be addressing SOON.

If you use https://kb.netapp.com/support/index?page=content&id=1013807, from the 4.x era, it describes a process which somewhat works.  At least, I am able to follow it and add certs and get VSC to boot again.  However, it doesn't mention the SHA1 limitation, because of its age.

There's also https://kb.netapp.com/support/index?page=content&id=1014445, which does not mention age of software.  It follows a vastly different process.  This seems unnecessary at best, but confusing.

Having installed the CA certificate, VSC SEEMS to work, SHA1 and all.  However, it's a lurking problem.
VSC can send mail about issues.  Those emails end in a note that says:
  You can view the log entries at https://[fe80:0:0:0:0:5efe:a16:879%net3]:8043/smvi/logViewer?id=backup_All-VMs_20160519212800.

1) I'm not sure why, but it's giving an IPv6 address.  Is there a place to change this?  I have to manually rewrite it to a hostname based on my own knowledge of the windows box's name.
2) The SSL cert on port 8043 is NOT the replaced one, it's a self-signed one.  Even if VSC is willing to accept talking over insecure connections from plugin to software, web browsers aren't happy with them.


So, summarizing:
1) VSC uses SHA1 certs.  This is a bug.
2) VSC has no clear documentation of how to replace SSL certs for port 8143 with CA-signed ones in the 6.x world; the 4.x instructions APPEAR to work, but, this is a guess.
3) VSC has no documentation of how to replace SSL certs for port 8043 with CA-signed ones in the 6.x world.
4) SMVI mails have an IPv6 hostname, but no clear way to change it.

Anyone run into this?

0 REPLIES 0
Public