VxRail：測試「vxm_cert」執行狀況檢查失敗

此測試會檢查 VxRail Manager 憑證。
執行的檢查：

• 憑證是否已自我簽署？
• 對於自我簽署憑證：
  • ca.cnf 是否包含帶有「FQDN」的「DNS」項目？
  • SAN 是否包含「FQDN」？
  • 憑證是否已過期？
  • server.crt 的模數是否與server.key的模數相符

「vxm_cert」測試會檢查 VxRail Manager 憑證。

• 如果 是警告，結果會指出 server.crt 的模數與server.key的模數不符。
• 如果 是失敗，結果指出非自我簽署的 VxRail Manager 憑證已到期，必須先續約，才能嘗試升級。

縮略字清單：

• 網域名稱系統 （DNS）
• 完整網域名稱 （FQDN）

測試期間使用的檔案：

• /etc/vmware-marvin/ssl/server.crt （VxRail Manager 憑證）
• /etc/vmware-marvin/ssl/rootcert.crt （VxRail Manager 憑證的 CA 鏈結）
• /etc/vmware-marvin/ssl/server.api.gateway.crt （VxRail Manager 憑證副本）
• /etc/vmware-marvin/ssl/ca.cnf （自我簽署 VxRail Manager 憑證的組態檔案）
• server.key
  • 7.0.400 之前的版本 - /etc/vmware-marvin/ssl/server.key
  • 7.0.400+ 讀取自 kubectl config

執行的測試：

1. server.crt 是否已自我簽署？
   • 是：
     • 檢查 server.crt、server.api.gateway.crt 和 rootcert.crt 是否相同
       • 否：這便能通過「vxm_cert」測試，且不會執行其他 VxRail Manager 憑證檢查
     • 檢查 ca.cnf 中是否包含 VxRail Manager IP （FQDN） 的反向 DNS
       • 否：如果 ca.cnf 檔案中缺少 DNS 項目或僅找到短名稱，則預期結果會低於預期結果
         

         | VxRM                   | Warning 198406 | vxm_cert: VXM FQDN missing/incomplete in ca.cnf              .|

   • 否：
     • 檢查是否過期
       • 是：未通過測試
       • 可使用 vxverify 結果表顯示

         | VxRM                   | Fail    198406 | vxm_cert: FAIL - found expired VXM custom certificate             .|

2. 使用 rootcert.crt 檢查 server.crt 是否受信任
   • 否：標記問題
3. server.crt 是否已過期？
   • 是：標記問題
4. 檢查是否在 server.crt 主體別名 （SAN） 清單中找到 VxRail Manager IP （FQDN） 的反向 DNS
   • 否：標記問題
5. 檢查 server.crt 的模數是否符合 server.key 的模數
   • 否：未正確遵循憑證更換程序
     • 可使用 vxverify 結果表顯示

       | VxRM                   | Warning 198406 | vxm_cert: Modulus mismatch between server.crt and server.key.           .|

6. 如果出現任何旗標，測試會傳回「FAIL」

vxv.log包含 "VXM certificate validity check - FAIL")

修正：

• 如果憑證為自我簽署，請參閱解決方案 1。
• 若為非自我簽署憑證，請參閱解決方案 2。

所有資訊均可在 vxv.log 中找到，請使用 grep 命令搜尋「vxm_cert」。

實驗室中的詳細記錄範例：

vcluster101-vxrm:/home/mystic # less vxv.log | grep vxm_cert
2022-11-01 14:34:55-INFO     [vxm_cert] Testing VXM certificate validity check
2022-11-01 14:34:55-INFO     [dns_fqdn_ip] 172.168.10.50 gethostbyaddr returning FQDN vcluster101-vxrm.vv001.local
2022-11-01 14:34:55-INFO     [vxm_cert] VXM certificate self-signed check: True
2022-11-01 14:34:55-DEBUG    [vxm_cert] -> modulus of certificate read
2022-11-01 14:34:55-DEBUG    [vxm_cert] -> modulus of certificate read
2022-11-01 14:34:55-DEBUG    [vxm_cert] -> modulus of certificate read
2022-11-01 14:34:55-DEBUG    [vxm_cert] -> modulus of certificate read
2022-11-01 14:34:55-INFO     [vxm_cert] VXM self-sign certs pass: server, api gateway and rootcert content identical!
2022-11-01 14:34:55-INFO     [vxm_cert] Check if FQDN 'vcluster101-vxrm.vv001.local' is found in ca.cnf
2022-11-01 14:34:55-DEBUG    [vxm_cert] ca.cnf DNS SAN: ['DNS.1 = vcluster101-vxrm.vv001.local']
2022-11-01 14:34:55-INFO     [vxm_cert] FQDN 'vcluster101-vxrm.vv001.local' found in 'vcluster101-vxrm.vv001.local': True
2022-11-01 14:34:55-INFO     [vxm_cert] VXM FQDN in ca.cnf               : True
2022-11-01 14:34:55-INFO     [vxm_cert] -> Certificate vcluster101-vxrm.vv001.local, self-signed: True, Issuer: 'vcluster101-vxrm.vv001.local', expired: False
2022-11-01 14:34:55-INFO     [vxm_cert] -> Found 1 certificate(s) in chain
2022-11-01 14:34:55-INFO     [vxm_cert] Certificate CN='vcluster101-vxrm.vv001.local', Issuer: 'vcluster101-vxrm.vv001.local', SAN: ['vcluster101-vxrm.vv001.local'], self-signed: True, expired: False
2022-11-01 14:34:55-INFO     [vxm_cert] Certificate is valid against provided trust chain!
2022-11-01 14:34:55-INFO     [vxm_cert] -> No expired certs found.
2022-11-01 14:34:55-INFO     [vxm_cert] Certificate will expire in 761 days (2024-12-02 13:52:43)
2022-11-01 14:34:55-INFO     [vxm_cert] Certificate version: v3
2022-11-01 14:34:55-DEBUG    [vxm_cert] .. cert has SAN: ['vcluster101-vxrm.vv001.local']
2022-11-01 14:34:55-INFO     [vxm_cert] FQDN 'vcluster101-vxrm.vv001.local' found in 'vcluster101-vxrm.vv001.local': True
2022-11-01 14:34:55-DEBUG    [vxm_cert] -> modulus of certificate read
2022-11-01 14:34:55-DEBUG    [vxm_cert] VXM cert modulus                 : 737606798658210345552395023242313575498349980168484844388104681760467073883011018654519552113639865930937060725956161028970536990609868865205746383328200764864894981142328568328657935452055209671631324383458709981382958650198551830486
143325734179025886034284279986239071265103840351119056608085586215383171845712455515672064475301529905881788883636903724318736502128949857904091221042682404407112606348900344815441050547380775230077999536636557738641283900720744678777412009298019876243746380791172035001376949864207929904577617722929532669596
969605085603057343287908041826751812176348357320164911109115951288171761502258221092274323790009201505777693273716701833573608884839819707266105827978472998034615720643262714593852230449266964049807291368579426111835780256915666430267382209552126939824155889043819078701590538547302381769757869412847241459155
555459521172889268714285038687298213572400125782935108262701577461219143109838771620714629597117036018317636913785163251545629790329095499202728776464552170726432853116188495914370652200727134390240043211871565088281127910113500064626019413290428798648699326217103710460104457195146414570080660613595135695795
756289083984604070476681971839564047103254900324978466550121916659163629
2022-11-01 14:34:55-DEBUG    [vxm_cert] -> modulus of private key read
2022-11-01 14:34:55-DEBUG    [vxm_cert] VXM private key modulus          : 737606798658210345552395023242313575498349980168484844388104681760467073883011018654519552113639865930937060725956161028970536990609868865205746383328200764864894981142328568328657935452055209671631324383458709981382958650198551830486
143325734179025886034284279986239071265103840351119056608085586215383171845712455515672064475301529905881788883636903724318736502128949857904091221042682404407112606348900344815441050547380775230077999536636557738641283900720744678777412009298019876243746380791172035001376949864207929904577617722929532669596
9696050856030573432879080418267518121763483573201649111091159512881717615022582210922743237900092015057776932737167018335736088848398197072661
05827978472998034615720643262714593852230449266964049807291368579426111835780256915666430267382209552126939824155889043819078701590538547302381769757869412847241459155555459521172889268714285038687298213572400125782935108262701577461219143109838771620714629597117036018317636913785163251545629790329095499202728776464552170726432853116188495914370652200727134390240043211871565088281127910113500064626019413290428798648699326217103710460104457195146414570080660613595135695795756289083984604070476681971839564047103254900324978466550121916659163629
2022-11-01 14:34:55-INFO     [vxm_cert] VXM certificate self-signed: True; Expired: False; Trusted: True; SAN: ['vcluster101-vxrm.vv001.local']; Modulus: True
2022-11-01 14:34:55-DEBUG    [vxm_cert] Has certificate extended usage (serveAuth & clientAuth) configured check....
2022-11-01 14:34:55-DEBUG    [vxm_cert] -> Found OID: 1.3.6.1.5.5.7.3.1
2022-11-01 14:34:55-DEBUG    [vxm_cert] -> Found OID: 1.3.6.1.5.5.7.3.2
2022-11-01 14:34:55-INFO     [vxm_cert] -> Iterated through all extended usage OIDs
2022-11-01 14:34:55-INFO     [vxm_cert] VXM has serverAuth OID           : True
2022-11-01 14:34:55-INFO     [vxm_cert] VXM has clientAuth OID           : True
2022-11-01 14:34:55-INFO     [vxm_cert] VXM cert OID list:               : <Extensions([<Extension(oid=<ObjectIdentifier(oid=2.5.29.19, name=basicConstraints)>, critical=False, value=<BasicConstraints(ca=False, path_length=None)>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.37, name=extendedKeyUsage)>, critical=False, value=<ExtendedKeyUsage([<ObjectIdentifier(oid=1.3.6.1.5.5.7.3.1, name=serverAuth)>, <ObjectIdentifier(oid=1.3.6.1.5.5.7.3.2, name=clientAuth)>])>)>, <Extension(oid=<ObjectIdentifier(oid=2.5.29.17, name=subjectAltName)>, critical=False, value=<SubjectAlternativeName(<GeneralNames([<DNSName(value='vcluster101-vxrm.vv001.local')>, <IPAddress(value=172.168.10.50)>])>)>)>])>
2022-11-01 14:34:55-INFO     [vxm_cert] VXM certificate validity check - PASS

vcluster101-vxrm:/home/mystic/ #

在上述範例中，我們會看到憑證有效性檢查的「PASS」訊息。

解決方案 1 （針對自我簽署憑證）

檢閱「更多資訊」區段，查看是否有可用的快速修正。
請遵循 KB 20625 VxRail 的步驟：如何為 VxRail Manager 申請新憑證 ，以建立新的 VxRail Manager 憑證。（需要有 Dell 支援帳戶才能檢視本文）

解決方案 2 （針對外部憑證）

套用解決方案 1，然後使用 VxRail 附掛程式，按照 KB 20625 對自我簽署憑證的憑證要求，將憑證更換為非自我簽署憑證：

• 憑證應為包含延伸使用 （serverAuth、clientAuth） 的版本 3

  [ v3_req ]
  basicConstraints = CA:false
  extendedKeyUsage = serverAuth, clientAuth
  subjectAltName = @alt_names

• 通用名稱應為 VxRail Manager 的 FQDN

  commonName =  <vxm-fqnd>

• SAN （替代名稱） 應包括 VxRail Manager FQDN 和 IP

  [ alt_names ]
  DNS.1 = <vxm-fqnd>
  IP.1 = <vxm-ip>

其他資訊：

根據vxv.log中找到的原因：

• 憑證為自我簽署，但與 server.api.gateway.crt 和 rootcert.crt 不相符
  • 找到vxv.log項目：

    WARNING [vxm_cert] VXM certs issue!!! Check /etc/vmware-marvin/ssl *.crt files: server, server.api.gateway and rootcert - Must be identical!

  • 修正：
    檢查 server.crt 是否有效
    • 執行：
      7.0.350 之前

      openssl x509 -in /etc/vmware-marvin/ssl/server.crt -nocert -serial -subject -issuer -ext subjectAltName -startdate -enddate -fingerprint -sha1

      7.0.350+

      openssl x509 -in /etc/vmware-marvin/ssl/server.crt -nocert -serial -subject -issuer -ext subjectAltName -startdate -enddate -fingerprint -sha256

    • 預期成果：
      • 憑證的序號
      • 包含 FQDN 行的行，包括「主體」、「簽發者」和來自「X509v3 主體別名」的 DNS
      • 顯示包含「notBefore」和「notAfter」的有效期的行
      • 憑證的指紋
    • 實驗室範例：

      vcluster101-vxrm:/home/mystic # openssl x509 -in /etc/vmware-marvin/ssl/server.crt -nocert -subject -issuer -ext subjectAltName -startdate -enddate -fingerprint -sha256
      subject=C = US, ST = local, L = vsphere, O = VMware, OU = VxRailApplianceServer, CN = vcluster101-vxrm.vv001.local
      issuer=C = US, ST = local, L = vsphere, O = VMware, OU = VxRailApplianceServer, CN = vcluster101-vxrm.vv001.local
      X509v3 Subject Alternative Name:
          DNS:vcluster101-vxrm.vv001.local, IP Address:172.168.10.50
      notBefore=Feb 25 14:47:14 2022 GMT
      notAfter=May 15 14:47:14 2024 GMT
      SHA256 Fingerprint=A3:7E:D6:E9:44:AE:31:7A:5B:41:AC:1F:F5:BF:D8:02:2E:E8:A4:07:D9:99:05:EC:A0:85:7C:76:29:FA:5F:CF
      vcluster101-vxrm:/home/mystic #

    • 如果 server.crt 正常 （正確的 FQDN、IP、測試日期/時間在有效期內），請比較 server.api.gateway.crt 和 rootcert.crt
      • 針對 server.api.gateway.crt 和 rootcert.crt 執行 openssl 命令
        • 預期的輸出與針對 server.crt 的輸出不同
      • 修正將 server.crt 複製到有問題的檔案上的問題
      • 實驗室範例
        • 檢查檔案：

          vcluster101-vxrm:/home/mystic # openssl x509 -in /etc/vmware-marvin/ssl/server.crt -serial -nocert -subject -issuer -ext subjectAltName -startdate -enddate -fingerprint -sha256
          serial=F2262B1EB62DFF22
          subject=C = US, ST = local, L = vsphere, O = VMware, OU = VxRailApplianceServer, CN = vcluster101-vxrm.vv001.local
          issuer=C = US, ST = local, L = vsphere, O = VMware, OU = VxRailApplianceServer, CN = vcluster101-vxrm.vv001.local
          X509v3 Subject Alternative Name:
              DNS:vcluster101-vxrm.vv001.local, IP Address:172.168.10.50
          notBefore=Feb 25 14:47:14 2022 GMT
          notAfter=May 15 14:47:14 2024 GMT
          SHA256 Fingerprint=A3:7E:D6:E9:44:AE:31:7A:5B:41:AC:1F:F5:BF:D8:02:2E:E8:A4:07:D9:99:05:EC:A0:85:7C:76:29:FA:5F:CF
          vcluster101-vxrm:/home/mystic # openssl x509 -in /etc/vmware-marvin/ssl/server.api.gateway.crt -serial -nocert -subject -issuer -ext subjectAltName -startdate -enddate -fingerprint -sha256
          serial=DEE85F0B1E5964DC
          subject=C = US, ST = local, L = vsphere, O = VMware, OU = VxRailApplianceServer, CN = vcluster101-vxrm.vv001.local
          issuer=C = US, ST = local, L = vsphere, O = VMware, OU = VxRailApplianceServer, CN = vcluster101-vxrm.vv001.local
          X509v3 Subject Alternative Name:
              DNS:vcluster101-vxrm.vv001.local, IP Address:172.168.10.50
          notBefore=Jan 27 15:08:32 2022 GMT
          notAfter=Apr 16 15:08:32 2024 GMT
          SHA256 Fingerprint=B9:03:A9:FA:C1:44:06:E9:16:7F:F3:55:67:D1:BF:D7:9A:F6:FC:D0:50:FF:31:08:B1:50:FE:32:FC:C6:E1:09
          vcluster101-vxrm:/home/mystic # openssl x509 -in /etc/vmware-marvin/ssl/rootcert.crt -serial -nocert -subject -issuer -ext subjectAltName -startdate -enddate -fingerprint -sha256
          serial=F2262B1EB62DFF22
          subject=C = US, ST = local, L = vsphere, O = VMware, OU = VxRailApplianceServer, CN = vcluster101-vxrm.vv001.local
          issuer=C = US, ST = local, L = vsphere, O = VMware, OU = VxRailApplianceServer, CN = vcluster101-vxrm.vv001.local
          X509v3 Subject Alternative Name:
              DNS:vcluster101-vxrm.vv001.local, IP Address:172.168.10.50
          notBefore=Feb 25 14:47:14 2022 GMT
          notAfter=May 15 14:47:14 2024 GMT
          SHA256 Fingerprint=A3:7E:D6:E9:44:AE:31:7A:5B:41:AC:1F:F5:BF:D8:02:2E:E8:A4:07:D9:99:05:EC:A0:85:7C:76:29:FA:5F:CF
          vcluster101-vxrm:/home/mystic #

        • 我們可以看到，即使是 FQDN 與「主體」、「簽發者」和 SAN 相符，也發現 server.api.gateway.crt 的序號、指紋及有效日期與 server.crt 不同
        • 將 server.crt 複製到 server.api.gateway.crt 和 rootcert.crt 上

          cp /etc/vmware-marvin/ssl/server.crt /etc/vmware-marvin/ssl/server.api.gateway.crt
          cp /etc/vmware-marvin/ssl/server.crt /etc/vmware-marvin/ssl/rootcert.crt
          systemctl restart vmware-marvin
          systemctl restart runjars

          請遵循 KB 20625 - VxRail 中的步驟 3c：如何為 VxRail Manager 申請新憑證 （需要有 Dell 支援帳戶才能檢視此文章）
    • 如果 server.crt 無法正常運作
      • 建立新的自我簽署 VxRail Manager 憑證 - 請遵循 KB 20625 VxRail：如何為 VxRail Manager 申請新憑證 （需要有 Dell 支援帳戶才能檢視此文章）