For the govc -cert and -key parameters, how can we get these two files? #1931

Closed
MartinZJY opened this issue Apr 13, 2020 · 13 comments

Comments

@MartinZJY

Hi VMware team,
I am following this article to generate the cert and key (using /usr/lib/vmware-vmca/bin/certificate-manager):
https://www.dasher.com/vmware-vcenter-certificate-replacement/

After getting the cert and key files, I am getting the following error when using govc
./govc datacenter.info -cert ~/certs/vmca_issued_csr.csr -key ~/certs/vmca_issued_key.key
./govc: tls: failed to find "CERTIFICATE" PEM block in certificate input after skipping PEM blocks of the following types: [CERTIFICATE REQUEST]

I tried to replace my cert file with the following command:
openssl req -new -x509 -sha256 -key ~/certs/vmca_issued_key.key -out ~/certs/vmca_issued_csr_new.csr -days 100

and use the new cert file for govc, but now I am getting "./govc: NotAuthenticated". Can you help me with this problem?

All the best

@dougm
Member

dougm commented Apr 14, 2020

What are you trying to do? The govc -cert and -key flags are for client authentication, but it sounds like you're trying to validate the vCenter server certificate?

@MartinZJY
Author

I was trying to connect to vCenter and get datacenter.info.
Usually we provide these two to connect to vCenter:
GOVC_USERNAME
GOVC_PASSWORD

I was trying to not use this login information to connect to vCenter.

@dougm
Member

dougm commented Apr 14, 2020

@MartinZJY
Author

MartinZJY commented Apr 14, 2020

Hi Doug,

I am following these steps:

  1. openssl req -newkey rsa:2048 -x509 -days 365 -nodes -keyout k8s-vcp.key -out k8s-vcp.crt -subj "/C=US/ST=CA/L=SF/O=VMware/OU=CNA/CN=www.vmware.com"

  2. ./govc sso.user.create -A -R Administrator -C "$(cat ~/key/k8s-vcp.crt)" k8s-vcp
    This completes fine

  3. I am able to see this k8s-vcp user that I just created

./govc sso.user.id k8s-vcp
[email protected] groups=LicenseService.Administrators,ActAsUsers,Administrators,Everyone,SystemConfiguration.Administrators,SolutionUsers

But ./govc sso.user.ls only shows these four users:

K/M
Administrator
waiter-50e2130e-2ac6-4dcb-a3d0-0dfeec46af95
krbtgt/VSPHERE.LOCAL

I can't find my k8s-vcp account listed here.

  4. Moving forward, I wanted to list datacenter info by using these cert and key files. However it failed:
./govc datacenter.info -cert ~/key/k8s-vcp.crt -key ~/key/k8s-vcp.key
./govc: NotAuthenticated

My goal is to generate the cert and key files locally and then acknowledge them with the remote vCenter so I can use these cert and key files with govc to perform some datacenter operations like listing datacenter info.

@dougm
Member

dougm commented Apr 14, 2020

1-3 are fine, but for the next step you need to use session.login to issue a token and then use the token to login:

 % token=$(govc session.login -u $host -cert ~/key/k8s-vcp.crt -key ~/key/k8s-vcp.key -issue) 
 % govc session.login -u $host -cert ~/key/k8s-vcp.crt -key ~/key/k8s-vcp.key -token "$token"

After that, you'll have a cached session and all commands just need -u $host, e.g.

% govc datacenter.info -u $host

Or instead of -u $host, use export GOVC_URL=$host. Where $host is just the hostname or ip of your vCenter.

@MartinZJY
Author

MartinZJY commented Apr 14, 2020

Thanks Doug.

Two questions:
1)
I was able to run this successfully:
token=$(govc session.login -u $host -cert ~/key/k8s-vcp.crt -key ~/key/k8s-vcp.key -issue)

However, session login failed:
govc session.login -u $host -cert ~/key/k8s-vcp.crt -key ~/key/k8s-vcp.key -token "$token"
./govc: ServerFaultCode: Cannot complete login due to an incorrect user name or password.

I tried to run this session.login command with/without exporting GOVC_USERNAME and GOVC_PASSWORD. But both failed.

Another question is after creating sso user by:
./govc sso.user.id k8s-vcp

I am able to see this user via:
./govc sso.user.id k8s-vcp

But I can't see it from vCenter UI user section and ./govc sso.user.ls

Where is user k8s-vcp?

@dougm
Member

dougm commented Apr 15, 2020

You do need to unset GOVC_USERNAME and GOVC_PASSWORD, $host needs to be just the hostname (without any username or password).

I don't think the UI displays solution users anywhere.

@MartinZJY
Author

MartinZJY commented Apr 15, 2020

Yes, I only have GOVC_USERNAME and GOVC_PASSWORD SET during the sso.user.create (we must have them set).
After that creation, I have both env variables UNSET.

xxx-dev:~/src/github.com/vmware/govmomi/govc$ echo $GOVC_USERNAME

xxx-dev:~/src/github.com/vmware/govmomi/govc$ echo $GOVC_PASSWORD

These two variables are empty.

xxx-dev:~/src/github.com/vmware/govmomi/govc$ export host="myvcenter-xxx.com"
xxx-dev:~/src/github.com/vmware/govmomi/govc$ token=$(./govc session.login -u $host -cert ~/key/k8s-vcp.crt -key ~/key/k8s-vcp.key -issue)

Till here, we are fine.

xxx-dev:~/src/github.com/vmware/govmomi/govc$ ./govc session.login -u $host -cert ~/key/k8s-vcp.crt -key ~/key/k8s-vcp.key -token "$token"
./govc: ServerFaultCode: Cannot complete login due to an incorrect user name or password.

We failed here.

@dougm
Member

dougm commented Apr 15, 2020

Not sure, can you check the vCenter logs at /var/log/vmware/sso for hints?

@MartinZJY
Author

I was able to get it to work in 6.5 and 7.0 vCenter. Don't know why it failed only with 6.7 vCenter.
But there are some issues:

  1. After ./govc session.login -u $host -cert ~/key/k8s-vcp.crt -key ~/key/k8s-vcp.key -token "$token" completed, if we wait a few minutes the session expires. We need to re-generate the token and login again (we can't just login without re-generating the token).

  2. ./govc sso.user.create -A -R Administrator -C "$(cat ~/key/k8s-vcp.crt)" my_test_account
    We use this command above to create an account based on the crt file. But this account can't be seen in the vCenter user list(solution user section). This is a problem.
    Is it possible that instead of creating a new account, we can assign the crt file directly to our existing [email protected] account?

  3. Going beyond question 2: if there's a client side application that keeps talking to vCenter, the user only provides the crt and key file at the very beginning. Because sso.user.create/update require the user to provide a username and password, it's not convenient. We want to get rid of asking the user to provide login information, so they just need to give the crt and key. How do we generate this kind of crt and key files based on the existing admin user?

Thanks for your help!

@dougm
Member

dougm commented Apr 16, 2020

  1. You can use the session.login -lifetime flag and/or -renew to extend the token lifetime.

  2. I can't help with the UI. I don't know how to use token auth with existing non-solution user accounts.

  3. You can use the env var GOVC_LOGIN_TOKEN with all govc sso.* commands to avoid username/password:

    // SSO admin server has its own session manager, so the govc persisted session cookies cannot
    // be used to authenticate. There is no SSO token persistence in govc yet, so just use an env
    // var for now. If no GOVC_LOGIN_TOKEN is set, issue a new token.
    token := os.Getenv("GOVC_LOGIN_TOKEN")
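The flow from Doug's earlier answer (issue a holder-of-key token, then log in with it) together with the GOVC_LOGIN_TOKEN hint above, collected into one script as an added example; this is not code from the govmomi project. It assumes govc is on PATH and that the solution user bound to the certificate was already created with sso.user.create; the 8h lifetime is an assumed value.

```sh
# Added example (not from govmomi): certificate-based govc login as described in this
# thread, with the two pitfalls hit here checked up front. Assumes govc on PATH and an
# existing solution user created with "govc sso.user.create -A -R Administrator -C ...".
set -eu

# pem_type FILE: print the type of the first PEM block ("CERTIFICATE",
# "CERTIFICATE REQUEST", ...). govc -cert wants a CERTIFICATE block, not a CSR.
pem_type() {
  awk '/^-----BEGIN /{sub(/^-----BEGIN /,""); sub(/-----$/,""); print; exit}' "$1"
}

# check_cert_file FILE: fail unless FILE holds an X.509 certificate.
check_cert_file() {
  t=$(pem_type "$1")
  if [ "$t" != "CERTIFICATE" ]; then
    echo "$1: expected a CERTIFICATE PEM block, found '${t:-none}' (a CSR is not a certificate)" >&2
    return 1
  fi
}

# token_login HOST CERT KEY: issue a holder-of-key SAML token for the solution user
# bound to CERT, log in with it, and hand the token to govc sso.* commands.
token_login() {
  host=$1; cert=$2; key=$3
  check_cert_file "$cert"
  # Both must be unset and HOST must be a bare hostname or IP, otherwise vCenter
  # replies "Cannot complete login due to an incorrect user name or password".
  unset GOVC_USERNAME GOVC_PASSWORD
  case "$host" in
    *@*|*://*) echo "HOST must be a bare hostname, not a URL or user@host" >&2; return 1 ;;
  esac
  # -lifetime extends the token beyond the default; 8h is an assumed value and is
  # subject to the vCenter token policy.
  token=$(govc session.login -u "$host" -cert "$cert" -key "$key" -issue -lifetime 8h)
  govc session.login -u "$host" -cert "$cert" -key "$key" -token "$token"
  # The SSO admin server has its own session manager, so sso.* commands read the
  # token from this variable instead of the cached session.
  export GOVC_LOGIN_TOKEN="$token"
  echo "logged in to $host; run e.g. govc datacenter.info -u $host"
}

# Offline self-check: a constructed, non-functional CSR-shaped file must be rejected,
# reproducing the "failed to find CERTIFICATE PEM block" error from the first post.
demo_csr_rejected() {
  f=$(mktemp)
  printf -- '-----BEGIN CERTIFICATE REQUEST-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE REQUEST-----\n' > "$f"
  if check_cert_file "$f" 2>/dev/null; then rm -f "$f"; return 1; fi
  rm -f "$f"
}
```

Run it as `. ./govc-token-login.sh && token_login vcenter.example.com ~/key/k8s-vcp.crt ~/key/k8s-vcp.key` so the exported GOVC_LOGIN_TOKEN stays in the calling shell.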

@dougm
Member

dougm commented Jan 24, 2021

Closing as stale. Feel free to reopen if this is still an issue.

@dougm dougm closed this as completed Jan 24, 2021
@SarathHewage

Hi,

I am following this link. My goal is to set up access to our vCenter using govc from one of our management Linux nodes without giving the password, so we can write scripts to do the tasks.
I followed the steps mentioned in this post:

export GOVC_URL=""
govc session.login - -cert ~/key/k8s-vcp.crt -key ~/key/k8s-vcp.key -issue

Getting this error now

govc: Post "https:///sdk": x509: certificate signed by unknown authority

How can I resolve this issue?

Thanks in advance
