
Three Ways to Get the ESXi Server Certificate and Thumbprint

When connecting to the VDDK service, the thumbprint parameter must be supplied for the connection to succeed; otherwise it fails with:

Log: 2017-11-23 10:23:04VixDiskLib: A thumbprint is required for SSL certificate validation. vixDiskLib.c line 2561
Log: 2017-11-23 10:23:04VixDiskLib: VixDiskLib_Connect: Failed to allocate connection. 
     Error 3 (One of the parameters was invalid) at 4039.
Thrift: Thu Nov 23 10:23:04 2017 [ERROR] task->run() raised an unknown exception

Or, if the supplied thumbprint is wrong:

Unable to verify the authenticity of the specified host. The SHA1 thumbprint of the cerificate is:
XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX

Below are three ways to obtain the thumbprint string. The first two retrieve the host certificate itself, so the thumbprint then has to be computed from it.

1. Get the certificate directly via URL

Enter the following URL in the browser's address bar. After pressing Enter, a prompt for the ESXi server's username and password appears; once authenticated, the browser displays the host certificate.

https://192.168.1.xxx/host/ssl_cert

-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

With the certificate in hand, the thumbprint can be generated either with a command-line tool as in method 3 (for example keytool), or programmatically; see this Q&A on Stack Overflow, whose code is as follows:

// javax.xml.bind was removed from the JDK in Java 11; on newer JDKs use
// java.util.HexFormat (Java 17+) or add the jaxb-api dependency.
import javax.xml.bind.DatatypeConverter;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public final class X509 {
    public static void main(String[] args)
        throws FileNotFoundException, CertificateException, NoSuchAlgorithmException {
        // args[0]: path to the PEM file saved from https://<host>/host/ssl_cert
        FileInputStream is = new FileInputStream(args[0]);
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(is);
        String thumbprint = getThumbprint(cert);
        System.out.println(thumbprint);
    }

    // SHA-1 over the DER encoding of the certificate. VDDK prints the same
    // digest as upper-case hex pairs separated by colons (XX:XX:...); this
    // method returns plain lower-case hex, so reformat it before passing it
    // to VixDiskLib_Connect.
    private static String getThumbprint(X509Certificate cert)
        throws NoSuchAlgorithmException, CertificateEncodingException {
        MessageDigest md = MessageDigest.getInstance("SHA-1");
        byte[] der = cert.getEncoded();
        md.update(der);
        byte[] digest = md.digest();
        String digestHex = DatatypeConverter.printHexBinary(digest);
        return digestHex.toLowerCase();
    }
}

2. Get the certificate via the MOB / vSphere APIs

Use the MOB (Managed Object Browser) to look up the certificate: enter the address below in the browser's address bar (the object path is ServiceInstance -> content -> ha-folder-root -> ha-datacenter -> ha-folder-host -> ha-compute-res -> ha-host -> config):

https://192.168.1.xxx/mob/?moid=ha-host&doPath=config

This address opens the HostConfigInfo object, the ESXi host's configuration, which has a certificate property, as shown in the figure below:

[Figure: the HostConfigInfo page in the MOB, showing the certificate property]

As the figure shows, this certificate is a decimal byte array, less readable than the value obtained with the first method, but it can be converted into that form; see the separate article "Getting the ESXi Server Certificate via the MOB/vSphere APIs".
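As an added example (not code from the original article or from VMware), the following Python script ties methods 1 and 2 together: it extracts the DER bytes from the PEM text returned by /host/ssl_cert, converts the decimal byte array shown by the MOB back into that PEM text, computes the SHA-1 thumbprint in the XX:XX:...:XX form VDDK prints, and checks a supplied thumbprint against a certificate without a timing side channel. The DER bytes used as sample input are constructed placeholder data, not a real certificate (SHA-1 does not care what the bytes are); the handling of negative values in the MOB array is an assumption about Java-style signed bytes, and the function names are this example's own.

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a DER-encoded certificate (placeholder data, not a
# real certificate). The thumbprint computation is identical for any bytes.
SAMPLE_DER = bytes(range(256)) * 2


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in the PEM envelope that https://<host>/host/ssl_cert returns."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem) -> bytes:
    """Extract the first CERTIFICATE block from PEM text (str or ASCII bytes)
    and base64-decode it to DER, which is what the thumbprint is taken over."""
    if isinstance(pem, bytes):
        pem = pem.decode("ascii")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def mob_array_to_bytes(values) -> bytes:
    """Turn the decimal byte array displayed by the MOB (HostConfigInfo.certificate)
    back into bytes. Accepts a list of ints or the comma-separated string as shown;
    signed values (-128..127, Java style) are mapped to 0..255 (assumption)."""
    if isinstance(values, str):
        values = [int(v) for v in values.replace(",", " ").split()]
    return bytes((v + 256) if v < 0 else v for v in values)


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER bytes, formatted as VDDK prints it: XX:XX:...:XX."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def normalize_thumbprint(text: str) -> str:
    """Canonicalise a user-supplied SHA-1 thumbprint (any case, with or without
    colons) to the colon-separated upper-case form; reject anything else."""
    hexdigits = text.strip().replace(":", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexdigits):
        raise ValueError("not a SHA-1 thumbprint: %r" % text)
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def thumbprint_matches(expected: str, der: bytes) -> bool:
    """Constant-time comparison of an expected thumbprint against a certificate."""
    try:
        want = normalize_thumbprint(expected)
    except ValueError:
        return False
    return hmac.compare_digest(want.encode(), thumbprint(der).encode())


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)                      # what method 1 displays
    mob = ", ".join(str(b) for b in pem.encode())     # what method 2 displays
    print("from PEM:", thumbprint(pem_to_der(pem)))
    print("from MOB:", thumbprint(pem_to_der(mob_array_to_bytes(mob))))
    print("match:", thumbprint_matches(thumbprint(SAMPLE_DER).lower(), SAMPLE_DER))
```

The thumbprint is the only thing standing between the VDDK client and a man-in-the-middle, so obtain it over a channel you already trust (the SSH session of method 3, or the host console) rather than from the same TLS connection you are about to pin, and compare it with a constant-time function as above rather than with plain string equality.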

3. Use the OpenSSL command over SSH

Connect to the ESXi server over SSH (its kernel is Linux) and use the openssl command to obtain the thumbprint. The file /etc/vmware/ssl/rui.crt on the server contains the same content as obtained with the first method. The command is:

# openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint
SHA1 Fingerprint=EA::C4:B3::E:E::E7:E:C4:CE::::AC:CF:E5:A7:

Also, if you only need the value itself, especially when running the command from a program and you don't want the "SHA1 Fingerprint=" prefix, you can trim it with cut:

# openssl x509 -sha1 -in /etc/vmware/ssl/rui.crt -noout -fingerprint | cut -d '=' -f 2
EA::C4:B3::E:E::E7:E:C4:CE::::AC:CF:E5:A7:

Reference:

Three Ways to Get Certificate and Thumbprint from ESXi