Upgrading vSphere ESXi Hosts (Including HP and Dell)

KB ID 0001343

Problem

Before you think about upgrading your hosts, you should upgrade your vCenter first:

Upgrade vSphere vCenter Appliance

Assuming that’s all done, your task now is to upgrade your hosts. If you have a vanilla VMware ESXi image installed, you COULD simply SSH into the host and execute the following commands (the first opens the outbound firewall rule the host needs to reach VMware’s online depot; the second applies the named image profile from that depot);

[box]

esxcli network firewall ruleset set -e true -r httpClient
esxcli software profile install -p ESXi-6.5.0-20170702001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

[/box]

Well, that’s great, but if you are using a custom (vendor) ESXi image the process won’t even start: you are simply warned that this won’t work, because it would break all the vendor-specific drivers and software. (Which is a good thing, I suppose; the warning, I mean, not the breaking of things!)

Still, if you have a vendor-modified copy of ESXi, what do you do? Well, the following procedures will work for any version of the software, either vanilla VMware or HP/Dell/IBM etc., AND THEY RETAIN ALL THE HOST SETTINGS, i.e. licences, vSwitches (standard and distributed), certificates etc.

Solution 1: Use an ‘Offline Bundle’ update

Firstly, you need a copy of the appropriate ‘offline bundle’ update; below you can see the customised one for HPE servers.

Upload the offline bundle to a datastore (one that the host to be upgraded has access to!). While you are in here, shut down the guest VMs on this host and put the host into ‘maintenance mode‘.

NOTE: If you are updating an HPE Server, there will be a gen-9 and a pre-gen-9 update bundle! Pick the correct one!

Or, you can upload the bundle via SCP into the appropriate datastore, if you prefer.

SSH into the host you are going to upgrade. Below you can see me navigating to the Datastore;

[box]

cd /vmfs/volumes
ls

[/box]

Enable SSH Access to VMware vSphere ESX

And there’s my offline bundle ready to be installed.

Remember: Even if you’re in the correct directory, you need to specify the ‘full path’ to the ‘offline bundle‘ (otherwise esxcli looks for it under ‘/var/log’ and the update fails). Execute the following command;

[box]

esxcli software vib update -d /vmfs/volumes/{Datastore-Name}/VMWare-ESXi-6.5.0-Update2-9298722-HPE-preGen9-650.U2.9.6.8.3-Sept2018-depot.zip

[/box]

For a while it will look like nothing is happening (don’t panic). Then a LOT of text will scroll past, quickly. Scroll back up to the TOP of all that text; what you are looking for is ‘The update completed successfully‘.

Reboot the host.
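As an added example (not part of the original article, and not a VMware-supplied script), here is the Solution 1 sequence above, plus the online-depot variant from the top of the page, wrapped in a checked shell function for the ESXi shell. It refuses to run unless the host is already in maintenance mode, confirms the bundle or depot actually contains the requested image profile, does a dry run, and reads the ‘Installation Result’ block that esxcli prints at the top of its output so the script stops on anything other than ‘The update completed successfully’. The bundle path, depot URL and profile name are parameters you supply; SAMPLE_RESULT and SAMPLE_PROFILES are constructed from the shape of esxcli’s output, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original article: the Solution 1 upgrade as a
# checked script for the ESXi shell. $1 is an offline bundle under
# /vmfs/volumes or an online depot URL, $2 is the image-profile name.
# SAMPLE_RESULT and SAMPLE_PROFILES are constructed samples, not real output.
set -u

# esxcli prints an "Installation Result" block at the top of its (very long)
# output; these helpers read it so the script can stop on anything but success.
update_succeeded() {
    printf '%s\n' "$1" | grep -q 'The update completed successfully'
}

reboot_required() {
    printf '%s\n' "$1" | grep -qi 'Reboot Required: *true'
}

# Image-profile names from the table `esxcli software sources profile list`
# prints (first column; header line and dashed rule skipped).
profiles_in_table() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF > 0 { print $1 }'
}

open_http()  { esxcli network firewall ruleset set -e true  -r httpClient; }
close_http() { esxcli network firewall ruleset set -e false -r httpClient; }

upgrade_host() {
    depot="$1"; profile="$2"; online=0; result=""
    case "$depot" in
        /vmfs/volumes/*) [ -f "$depot" ] || { echo "no such bundle: $depot" >&2; return 1; } ;;
        http://*|https://*) online=1 ;;
        *) echo "give an absolute /vmfs/volumes path or a depot URL" >&2
           echo "(a relative path makes esxcli look under /var/log)" >&2; return 1 ;;
    esac

    # Never patch a host that still has workloads on it.
    [ "$(esxcli system maintenanceMode get)" = "Enabled" ] \
        || { echo "host is not in maintenance mode" >&2; return 1; }
    echo "Before:"; esxcli system version get

    # Online depots need the outbound httpClient rule; open it only for the upgrade.
    [ "$online" = 1 ] && open_http

    # Check the depot really carries the requested profile before the slow step.
    if ! profiles_in_table "$(esxcli software sources profile list -d "$depot")" \
            | grep -qx "$profile"; then
        echo "profile $profile not found in $depot" >&2
        [ "$online" = 1 ] && close_http
        return 1
    fi

    # Dry run reports the VIB changes without applying them, then the real run.
    esxcli software profile update -d "$depot" -p "$profile" --dry-run
    status=$?
    if [ "$status" = 0 ]; then
        result=$(esxcli software profile update -d "$depot" -p "$profile")
        status=$?
    fi
    [ "$online" = 1 ] && close_http
    [ "$status" = 0 ] || return 1

    printf '%s\n' "$result" | head -n 6    # summary block; the rest is the VIB list
    update_succeeded "$result" || return 1
    if reboot_required "$result"; then
        esxcli system shutdown reboot -r "ESXi upgrade to $profile"
    fi
}

# Constructed sample of esxcli's summary block (real output lists every VIB).
SAMPLE_RESULT='Installation Result
   Message: The update completed successfully, but the system needs to be rebooted for the changes to be effective.
   Reboot Required: true
   VIBs Installed: (list omitted)
   VIBs Removed: (list omitted)
   VIBs Skipped:'

# Constructed sample of `esxcli software sources profile list -d <depot>`.
SAMPLE_PROFILES='Name                              Vendor        Acceptance Level
--------------------------------  ------------  ----------------
ESXi-6.5.0-20170702001-standard   VMware, Inc.  PartnerSupported
ESXi-6.5.0-20170702001-no-tools   VMware, Inc.  PartnerSupported'

if [ "${1:-}" = "--run" ]; then
    upgrade_host "$2" "$3"
fi
```

Run it on the host as `sh upgrade.sh --run /vmfs/volumes/{Datastore-Name}/<bundle>.zip <profile-name>`, taking the profile name from `esxcli software sources profile list -d <bundle>`. It deliberately uses `esxcli software profile update` rather than the `esxcli software vib update` shown above: `vib update` only refreshes VIBs that are already on the host and installs nothing new, whereas `profile update` applies the bundle’s image profile while leaving vendor VIBs the profile does not replace in place (unlike `profile install`, which replaces the whole image). Both take the same `-d` argument. For the online variant the script closes the httpClient rule again afterwards, which the one-liner at the top of the page never does.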

Solution 2: Use VMware Update Manager

Warning: You CAN’T deploy an ESXi image that’s OLDER than the Update Manager you are running, i.e. if your vCenter is 6.5 you can’t upload an ESXi 6.0 image (it will fail; this cost me two hours onsite!)

Warning 2: You need vCenter 6.0 Update1 or newer to perform this function.

I’ve got two hosts, one’s a Dell PowerEdge and the other an HP ProLiant. I’ve already upgraded the HP server (you will see that in the screenshots below); now I’m going to upgrade the Dell.

Before Starting;

  • Download the install .ISO file that has the newer version of the ESXi software.
  • vMotion all the VMs off the host being upgraded (to save time).
  • If you have two hosts (like me), you might want to temporarily disable HA and DRS on the cluster as well!

Connect to vCenter > Home.

Update Manager.

Select the vCenter > Manage > ESXi Images > Import ESXi image.

Browse to the .iso file you downloaded and upload it to update manager.

After a short pause you should see the image appear, (Note: you can see the HP one I uploaded earlier) > Select the one to deploy > Create Baseline.

Give it a sensible name > OK.

Back in ‘Hosts and Clusters’ View > Select the Cluster > Update Manager > Attach Baseline.

Select your new one > OK.

Scan for updates > Select Upgrade Only > OK.

After a while, you will see your baseline saying ‘Non-Compliant‘ > Select it > Remediate.

Select the new baseline again > Next > Select the ‘Target Host’ to upgrade > Next > Accept the EULA > Next.

Next > Next.

Next > Finish.

Watch the task bar > Remediation will start > The host will go into Maintenance mode, get upgraded, reboot, and be taken out of maintenance mode.

Here you can see my host is now upgraded. (Mine’s an older server, it took about 45 minutes).

Note: If you disabled HA, DRS etc, you will want to re-enable that now.


Related Articles, References, Credits, or External Links

Upgrade vSphere vCenter Appliance to Version 6.5

VMware Upgrading the vSphere Virtual Center Appliance

VMware ESXi 5 – Applying Patches and Updates

Update VMware ESXi from 4.0 to 4.1

Upgrade ESX 3 to version 4.1.0

Cisco ASA 5500 – Using a Third Party Digital Certificate

(For Identification, AnyConnect, and SSL VPN)

KB ID 0000694

Problem

A client asked me how to do this, so off I went to the test bench to work it out.

Note: In this example I’m going to submit the request to, and issue the certificate from, my own Windows domain certificate authority; you would send your request to a third-party certificate authority (here’s a direct link to the certificate type you require). To use your own CA, every client connecting to the ASA would need to trust this CA.

Solution

Certificates have validity dates, so we need to make sure your firewall knows the correct date and time; with the wrong clock a perfectly good certificate will appear not yet valid, or expired.

1. Connect to the ASA via ASDM > Configuration > Device Setup > System Time > Set the time and time zone correctly.

Note: As shown, from command line simply enter “show clock”.

2. Configuration > Device Management > Certificate Management > Identity Certificates > Add > New > Supply a key pair name > Generate Now.

Note: If using DigiCert, change the Key Size to at least 2048 bits (the default offered by older ASDM versions is smaller) or you will see this error when you submit your request:

Something is wrong
The CSR uses an unsupported key size, please generate a new CSR with a key size of at least 2048 bits.

3. Select > Set each attribute, and add it one by one (as shown) > OK.

4. Advanced > Set the FQDN to the SAME name you entered for the CN in step 3 > OK > Add Certificate. (The FQDN is placed in the certificate’s Subject Alternative Name, which is what modern browsers and VPN clients actually check, so it has to match.)

5. Choose a location to save the certificate request.

6. Locate and open the certificate request and it should look something like this.

Note: This is the information your certificate vendor will require.

7. Once your request has been processed, the certification authority should send you a certificate. (Note: some vendors may send you a text file that you need to rename from filename.txt to filename.cer before it will look like this).

8. With the certificate open (as above) > Certificate path > Select the Issuing Certificate Authority > Copy to File.

Note: You need to import the root certificates, and depending on the vendor, any intermediate certificates, I’ve shown an example from two major vendors to illustrate.

9. Select “Base-64 encoded…” > Next.

10. Save the cert somewhere you can find it.

11. Open it with notepad, and it should look like this > Select ALL the text.

12. Back at the ASDM > Configuration > Device Management > Certificate Management > CA Certificates > Add > Paste certificate in PEM format > Paste in the text > Install Certificate.

13. Repeat the process for any other root CA or intermediate certificates. Then go back to step 8 and export the web certificate itself (i.e. in this case select vpn.petenetlive.net and export that to a file, then copy its text from Notepad to the clipboard).

14. Back in the ASDM this time you will need to install the Identity Certificate, (this is the one you paid for!) > Select the pending request from earlier > Install > Paste in the text > Install Certificate > Apply.

15. To enable the certificate on the outside interface > Configuration > Device Management > Advanced > SSL Settings > outside > Edit > Select the new one from the list > OK > Apply.

16. Note: If you were configuring your AnyConnect VPNs later, this is the point in the setup where you would select the new certificate.

17. Make sure you can resolve the name that’s in the CN of your certificate, and that you can reach it from a client machine.

18. Now you should be able to connect without certificate warnings.

19. Don’t forget to save the settings on your ASA (File > Save Running Configuration to Flash).
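As an added example (not part of the original article, and not Cisco tooling), here are OpenSSL checks for the artefacts this procedure produces, run from an admin machine rather than on the ASA. csr_key_bits and csr_names_consistent cover steps 2 to 4 (key size of at least 2048 bits, and the FQDN/SAN matching the CN); chain_verifies covers steps 8 to 13 (the identity certificate must chain to the root through every intermediate you import); check_live_chain is the step 17/18 test from a client, verifying what the firewall actually serves. No real CA is available offline, so build_demo creates a throwaway root, intermediate and 2048-bit CSR for the constructed name vpn.example.com purely to exercise the checks; it assumes OpenSSL 1.1.1 or newer (for `req -addext`).

```shell
#!/bin/sh
# Added example, not from the original article: OpenSSL checks for the CSR
# and certificates the ASDM procedure produces, run from an admin machine.
# Assumes OpenSSL 1.1.1 or newer (for `req -addext`). build_demo() creates a
# throwaway CA and the name vpn.example.com purely so the checks can run
# offline; none of it is real CA material.
set -u

# Step 2: key size of a PEM CSR (public CAs reject anything under 2048 bits).
csr_key_bits() {
    openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Step 3: subject CN of the CSR.
csr_cn() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Step 4: DNS names in the CSR's subjectAltName (where the ASDM "FQDN" field ends up).
csr_sans() {
    openssl req -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Step 4 check: the FQDN must equal the CN (modern clients only look at the SAN).
csr_names_consistent() {
    cn=$(csr_cn "$1") && [ -n "$cn" ] && csr_sans "$1" | grep -qx "$cn"
}

# Steps 8-13: the identity certificate ($3) must chain to the root ($1) through
# the intermediate ($2, may be empty), i.e. the same set the ASA needs imported.
chain_verifies() {
    if [ -n "$2" ]; then
        openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1
    fi
}

# Steps 17-18 from a client: fetch what the firewall ($1) serves on 443 and
# verify it against the root ($2). Needs network access, so not used by the demo.
check_live_chain() {
    echo | openssl s_client -connect "$1:443" -servername "$1" \
        -verify_return_error -CAfile "$2" >/dev/null 2>&1
}

# Throwaway root -> intermediate -> identity certificate standing in for the real CA.
build_demo() {
    d="$1"; fqdn="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -days 365 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
    # The CSR the ASA would produce: CN and FQDN (SAN) both set to the VPN name.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn/O=Example Ltd" \
        -addext "subjectAltName=DNS:$fqdn" -keyout "$d/asa.key" -out "$d/asa.csr" 2>/dev/null || return 1
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$fqdn" > "$d/leaf.ext"
    openssl x509 -req -in "$d/asa.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
        -days 365 -extfile "$d/leaf.ext" -out "$d/asa.pem" 2>/dev/null || return 1
}

run_demo() {
    d=$(mktemp -d) || return 1
    fqdn="vpn.example.com"
    build_demo "$d" "$fqdn" || return 1
    [ "$(csr_key_bits "$d/asa.csr")" -ge 2048 ] || return 1
    csr_names_consistent "$d/asa.csr" || return 1
    chain_verifies "$d/root.pem" "$d/int.pem" "$d/asa.pem" || return 1
    # With only the root present verification fails; that is why step 13
    # imports the intermediates as well.
    ! chain_verifies "$d/root.pem" "" "$d/asa.pem" || return 1
    rm -rf "$d"
    echo "all checks passed"
}
```

Point csr_key_bits and csr_names_consistent at the request you saved in step 5 before sending it to the CA, and chain_verifies at the files you exported in steps 8 to 13 before pasting them into the ASDM; once the certificate is bound to the outside interface (step 15), `check_live_chain vpn.petenetlive.net root.pem` from a client is the scripted version of step 18.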

Related Articles, References, Credits, or External Links

Securing Cisco SSL VPN’s with Certificates

Cisco ASA – Cannot Enable Third Party Certificate (9.4 and later)