VMware Solutions Discussions

VSC 6.0 SSL Cert replacement

FULLSTEAM

Not sure where to file a case on this.

 

There are no clear instructions on how to replace the self-signed SSL certificates in VSC, with CA-signed ones.  I'm using VSC for vSphere 6.2P1, with a Linux-based VCSA and ESXi versions 6.0U2.  Also, cDOT NAS datastores, running 8.2.4P2.

The VSC manual, https://library.netapp.com/ecm/ecm_get_file/ECMLP2371569 , page 49, says that the certificate must be signed with SHA1.
With SHA1 being deprecated, this is a bug that VSC should be addressing SOON.

If you use https://kb.netapp.com/support/index?page=content&id=1013807, from the 4.x era, it describes a process which somewhat works.  At least, I am able to follow it and add certs and get VSC to boot again.  However, it doesn't mention the SHA1 limitation, because of its age.

There's also https://kb.netapp.com/support/index?page=content&id=1014445, which does not mention age of software.  It follows a vastly different process.  This seems unnecessary at best, but confusing.

Having installed the CA certificate, VSC SEEMS to work, SHA1 and all.  However, it's a lurking problem.
VSC can send mail about issues.  Those emails end in a note that says:
  You can view the log entries at https://[fe80:0:0:0:0:5efe:a16:879%net3]:8043/smvi/logViewer?id=backup_All-VMs_20160519212800.

1) I'm not sure why, but it's giving an IPv6 address.  Is there a place to change this?  I have to manually rewrite it to a hostname based on my own knowledge of the Windows box's name.
2) The SSL cert on port 8043 is NOT the replaced one, it's a self-signed one.  Even if VSC is willing to accept talking over insecure connections from plugin to software, web browsers aren't happy with them.


So, summarizing:
1) VSC uses SHA1 certs.  This is a bug.
2) VSC has no clear documentation of how to replace SSL certs for port 8143 with CA-signed ones in the 6.x world; the 4.x instructions APPEAR to work, but this is a guess.
3) VSC has no documentation of how to replace SSL certs for port 8043 with CA-signed ones in the 6.x world.
4) SMVI mails have an IPv6 hostname, but no clear way to change it.

Anyone run into this?
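
One way to check what the post describes, namely which certificate each VSC listener actually serves and whether it is SHA1-signed or self-issued. This is an added example, not part of the original post and not NetApp code. The hostname is supplied by the reader, the ports 8043 and 8143 are the ones named in the post, and "self-issued" is judged only by issuer and subject being byte-identical.

```python
import ssl
import sys

# Signature-algorithm OIDs that use SHA-1 (RSA and ECDSA variants).
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _oid(raw):
    """Decode DER OID content bytes to dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    """Return signature OID, SHA-1 flag and issuer==subject flag for a DER cert."""
    _, cert_start, _ = _tlv(der, 0)                 # Certificate
    _, tbs_start, tbs_end = _tlv(der, cert_start)   # tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)            # signatureAlgorithm
    _, oid_start, oid_end = _tlv(der, alg_start)
    oid = _oid(der[oid_start:oid_end])
    fields, pos = [], tbs_start
    while pos < tbs_end:
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:                             # skip optional [0] version
            fields.append(der[pos:end])
        pos = end
    issuer, subject = fields[2], fields[4]  # serial, sigAlg, issuer, validity, subject
    return {"sig_oid": oid, "sha1_signed": oid in SHA1_SIG_OIDS,
            "self_issued": issuer == subject}

def audit(host, ports=(8043, 8143)):
    """Fetch the certificate each listener presents (no chain validation) and inspect it."""
    return {port: inspect_cert(ssl.PEM_cert_to_DER_cert(
        ssl.get_server_certificate((host, port)))) for port in ports}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: vsc_cert_audit.py <vsc-hostname>")
    for port, info in audit(sys.argv[1]).items():
        print(port, info)
```

A listener that still reports `self_issued: True` after the replacement procedure is serving a different keystore from the one that was updated.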
