How to use SSH and SCP with VCSA
I was replacing some vCenter Server Appliance (VCSA) self-signed certificates with signed certs from an Active Directory Certificate Authority and I came across a minor issue that I wanted to document here. I was using the /usr/lib/vmware-vmca/bin/certificate-manager tool to generate the CSR, and then PSCP to download the CSR and hand it off to the security team.
When I first tried to use pscp to get the file, I encountered an error that I hadn't seen before:
Fatal: Received unexpected end-of-file from server
Some quick googling didn't turn up any hits on this issue, but I thought of something as I was poking around. When I connected to the VCSA via SSH, it didn't drop me to a BASH shell until I did the usual "shell.set --enabled True" "shell" operation that it prompts you with. Since PSCP (and SCP in general) is just establishing an SSH connection to the host and then doing a copy command, I figured that my issue was probably that the default root shell didn't understand how to deal with that copy command.
So, I followed the procedure to change the VCSA default shell to BASH, then tried it again. What do you know, it worked like a charm.
I didn't particularly want to change the default shell on every server in my linked VCSA ecosystem, so I did it on one of them and then used that box to aggregate all of my CSR files. On each host, after I generated the CSR, I used the following command to rename it and move it to my chosen aggregation host:
scp *.csr root@vcsa1.domain.local:/root/$(hostname).csr
After I gave it my password, it copied the generated CSR to the specified host (vcsa1.domain.local in this example), but renamed it to be based on the hostname of the system that generated the CSR. Then, I was able to download everything at once from my aggregation host via this command (from my Windows PC):
pscp root@vcsa1.domain.local:/root/*.csr .
And send it off to the security team to generate signed certificates for later import.
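Before the aggregated files go to the security team, it is worth confirming that each one is a well-formed CSR and that the name inside it matches the host its file is named after. The script below is an added example, not part of the original post; it assumes the openssl command-line tool is available and that each CSR's subject CN is the host name used for the file (exactly, or as its FQDN).

```shell
#!/bin/sh
# Added example: sanity-check aggregated CSRs named <hostname>.csr before hand-off.
# Assumptions: the openssl CLI is installed, and the CSR subject CN is the
# host's name (the file's base name, or that name followed by a domain).

# Print the subject CN of a CSR, or nothing if the file does not parse.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed only if the CSR's self-signature verifies, which shows the file
# parses and was not altered or truncated during the copy.
csr_sig_ok() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK'
}

# Check every *.csr in a directory, print one line per file, and
# return the number of files that failed a check.
check_csr_dir() {
    bad=0
    for f in "$1"/*.csr; do
        [ -e "$f" ] || continue    # directory holds no CSR files
        host=$(basename "$f" .csr | tr 'A-Z' 'a-z')
        cn=$(csr_cn "$f" | tr 'A-Z' 'a-z')
        if ! csr_sig_ok "$f"; then
            echo "FAIL $f: unreadable or bad self-signature"
            bad=$((bad + 1))
        else
            case "$cn" in
                "$host"|"$host".*) echo "OK   $f: CN=$cn" ;;
                *) echo "FAIL $f: CN '$cn' does not match file name '$host'"
                   bad=$((bad + 1)) ;;
            esac
        fi
    done
    return "$bad"
}

# Run against a directory when one is given on the command line.
if [ -n "${1:-}" ]; then check_csr_dir "$1"; fi
```

Saved under a name of your choosing (for example check_csrs.sh) and run with the download directory as its argument, it exits non-zero if any file fails.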