This article and the file helped me:
ls_ssltrust_fixer.py
Fixing SSL trust mismatch in lookup service registration using ls_ssltrust_fixer.py
________________________________________
Symptoms
1. A lookup service registration has an endpoint SSL trust certificate that does not match the node's actual certificate.
2. Any situation that leads to the procedure documented in KB 2121701 (or KB 78709 for 7.0).
Purpose
An automated way of performing the procedure documented in KB 2121701 (or KB 78709 for 7.0).
Resolution
****Please use the tool under the supervision of the PSC/SSL Team and/or Escalation Engineer****
NOTE:
1. The tool applies only to vSphere 6.x and 7.x. A partial upgrade state from 5.5 to 6.x is unsupported for this tool; 5.5 web client registrations might change if the fix is used without validation.
2. Port 443 is hardcoded for retrieving the machine SSL certificate; validate third-party registrations thoroughly.
3. The machine SSL certificate currently in use is collected over a live connection to the node; a node that is not reachable may affect the mismatch check.
Download the file attached to this article
Note:
For vCenter 6.0 and vCenter 6.5, Download "ls_ssltrust_fixer_p2.py" file and rename to "ls_ssltrust_fixer.py"
For vCenter 6.7, Download "ls_ssltrust_fixer_p3.py" file and rename to "ls_ssltrust_fixer.py"
For vCenter 7.0, Download "ls_ssltrust_fixer_p3_70.py" file and rename to "ls_ssltrust_fixer.py"
Copy the file to lstool scripts folder.
For vCSA:
vCenter 6.x - /usr/lib/vmidentity/tools/scripts
vCenter 7.x - /usr/lib/vmware-lookupsvc/tools
For Windows
vCenter 6.x - C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts
Change directory to the above path and perform a mismatch scan
For vCSA:
python ls_ssltrust_fixer.py -f scan
For Windows: "%VMWARE_PYTHON_BIN%" ls_ssltrust_fixer.py -f scan
IMPORTANT: Thoroughly validate the mismatches identified using spec files and cert files created in the log location:
For vCSA: /var/log/ls_ssltrust_fixer/
For Windows : C:\ProgramData\VMware\vCenterServer\logs\ls_ssltrust_fixer
File naming convention:
Current registration spec files: <service ID> (5.5 registrations in <site ID:ID> format are neutralized to <site.ID> format)
Current certificate in use: <service ID>newCert
Modified spec to reregister: <service ID>newSpec
A good procedure to validate the mismatches is this:
Run the following command to get the entire directory:
vCenter 6.x - /usr/lib/vmidentity/tools/scripts/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert > /tmp/certs.txt
vCenter 7.x - /usr/lib/vmware-lookupsvc/tools/lstool.py list --url https://localhost/lookupservice/sdk --no-check-cert > /tmp/certs.txt
Have the certs.txt file open in one window and the mismatchIDs file in another window for comparison.
Looking at each entry in mismatchIDs, ensure that the matching service ID found in certs.txt is referencing the correct PSC/VC node according to the URL entry.
If you have any questions regarding any mismatchIDs items, consult an escalation engineer for assistance.
IMPORTANT: After reviewing the spec files, remove the service IDs that are not intended to be updated from the mismatchIDs file in the log location.
Perform the fix using the command below. Only the service IDs found in the mismatchIDs file are used in the fix workflow (in a complicated environment, group the service IDs by PSC/VC node and perform the fix one node at a time):
For vCSA:
python ls_ssltrust_fixer.py -f fix
For Windows: "%VMWARE_PYTHON_BIN%" ls_ssltrust_fixer.py -f fix
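As an added example (this is neither the ls_ssltrust_fixer.py tool nor code from the KB article), the following Python sketches what the "-f scan" step has to do: read a lookup service registration listing, decode the certificate stored in each endpoint's sslTrust, fetch the certificate the node actually serves on port 443, and compare SHA-1 thumbprints. The listing format assumed here (lstool-style "key: value" lines with serviceId, endpointN.url and endpointN.sslTrust holding base64 DER), the host names and the certificate bytes are constructed assumptions, not data from the article. Only fetch_live_cert touches the network; the demo swaps in an offline stand-in so the logic can be exercised without a vCenter.

```python
import base64
import hashlib
import re
import socket
import ssl
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# (serviceId, endpoint url, registered thumbprint, live thumbprint or None, status)
Finding = Tuple[str, str, str, Optional[str], str]

def parse_lstool_list(text: str) -> List[Tuple[str, List[Dict[str, str]]]]:
    """Group `key: value` lines into (serviceId, endpoints) pairs (assumed lstool format)."""
    regs, eps = [], {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue  # "Service N" banners, dashed separators and blank lines carry no colon
        key, value = key.strip(), value.strip()
        if key == "serviceId":
            eps = {}
            regs.append((value, []))
            continue
        m = re.fullmatch(r"endpoint(\d+)\.(url|sslTrust)", key)
        if m and regs:
            ep = eps.setdefault(m.group(1), {})
            if not ep:
                regs[-1][1].append(ep)  # new endpoint dict; filled in place below
            ep[m.group(2)] = value
    return regs

def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint in the colon-separated form the vSphere UI displays."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def fetch_live_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """DER cert the node presents on host:443; verification is off because we observe, not trust."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def scan(text: str, fetcher: Callable[[str], bytes] = fetch_live_cert) -> List[Finding]:
    """Compare each endpoint's sslTrust with the live cert; unreachable nodes are not mismatches."""
    findings: List[Finding] = []
    live_cache: Dict[str, Optional[str]] = {}
    for service_id, endpoints in parse_lstool_list(text):
        for ep in endpoints:
            url, trust = ep.get("url", ""), ep.get("sslTrust")
            host = urlparse(url).hostname  # any port in the URL is ignored: 443 is hardcoded, as in the tool
            if not host or not trust:
                findings.append((service_id, url, "", None, "no-ssltrust"))
                continue
            registered = thumbprint(base64.b64decode(trust))
            if host not in live_cache:  # one live connection per node
                try:
                    live_cache[host] = thumbprint(fetcher(host))
                except OSError:  # ssl.SSLError and socket timeouts are OSErrors
                    live_cache[host] = None
            live = live_cache[host]
            status = "unreachable" if live is None else "ok" if live == registered else "mismatch"
            findings.append((service_id, url, registered, live, status))
    return findings

def mismatch_ids(findings: List[Finding]) -> List[str]:
    """Service IDs that would be written to the mismatchIDs file for human review."""
    return sorted({f[0] for f in findings if f[4] == "mismatch"})

# Constructed stand-ins for DER certificates (not real certificates).
CERT_VC01 = b"constructed-der-vc01-current"
CERT_PSC01_OLD = b"constructed-der-psc01-before-replacement"
CERT_PSC01_NEW = b"constructed-der-psc01-current"
# Constructed lstool-like listing: vc01 matches, psc01 still carries its old
# certificate in sslTrust, down01 is not reachable.
SAMPLE_LIST = """\
Service 1
serviceId: 11111111-aaaa-4000-8000-000000000001
endpoint0.url: https://vc01.example.test:443/sdk
endpoint0.sslTrust: {vc}
Service 2
serviceId: 22222222-bbbb-4000-8000-000000000002
endpoint0.url: https://psc01.example.test/sts/STSService
endpoint0.sslTrust: {psc}
Service 3
serviceId: 33333333-cccc-4000-8000-000000000003
endpoint0.url: https://down01.example.test/sdk
endpoint0.sslTrust: {vc}
""".format(vc=base64.b64encode(CERT_VC01).decode(),
           psc=base64.b64encode(CERT_PSC01_OLD).decode())
FAKE_LIVE = {"vc01.example.test": CERT_VC01, "psc01.example.test": CERT_PSC01_NEW}

def fake_fetcher(host: str) -> bytes:
    """Offline stand-in for fetch_live_cert over the constructed sample."""
    if host not in FAKE_LIVE:
        raise OSError("connection refused")
    return FAKE_LIVE[host]

def demo() -> List[Finding]:
    """Scan the constructed listing: expect ok, mismatch, unreachable."""
    return scan(SAMPLE_LIST, fetcher=fake_fetcher)
```

Two design choices mirror the notes at the top of the article: the host's port 443 is used regardless of the port in the endpoint URL (note 2), and a node that cannot be reached is reported as "unreachable" rather than being silently counted as a mismatch (note 3). The list returned by mismatch_ids is the equivalent of the mismatchIDs file, and it should get the same treatment the article asks for: compare every entry against the lstool listing and remove anything that is not meant to be re-registered before any fix is run.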