I had this message on one of my vCenter server appliances when I was going to run an update. I'm running my vCenter server in a linked mode in the lab. The messages says that “Appliance (OS) root password is expired“. In fact, just today I noticed that VMware just released a new update – VMware vCenter Server 6.7 Update 2g Build 13638625, so I wanted to update my VCSAs. There are some security patches which needs to be applied.
I could still log in to the management page of the appliance (via https://IP_of_vcsa:5480) and use the default [email protected] user and password instead, but once logged in, there is no UI or menu to change that root password within the VAMI user interface.
I had the other VCSA node updated with no problem, but this one did not want to update itself because of the message.
The only way is to go and use the console or SSH session to do so.
The VMware KB article says:
This issue occurs when VAMI is not able to change an expired root password. To resolve this issue, reset the root password from the vCenter Server Appliance command line: Connect to the vCenter Server Appliance with an SSH session and the root user credentials.
You can't update your VCSA without changing the password.
Here is the screenshot with the error.
So I went and changed the root password. Here are the steps.
Appliance (OS) root password is expired – vSphere 6.7 – The steps
Note: You can change the root password to the same one. You can also change the expired password to something else.
First, log in to the VCSA with your default SSO user and password you configured during the setup. In my case, I used the default one [email protected] one.
Then activate SSH access to the appliance.
You can check that in Access > Access Settings
Once done, fire up your Putty SSH session and log in as root (I assume you know your root login password).
Then type this:
shell
Run this command
passwd
You'll get a prompt to change the root password. Retype it once again and type “exit” twice. You're done.
Here is the screenshot from the lab.
In case you don't know your root password, follow the instructions in this VMware KB article for the reset of the root password or read more.
The steps to reset root password:
- Take a snapshot or backup of the vCenter Server Appliance 6.5 before proceeding. Do not skip this step.
- Reboot the vCenter Server Appliance
- After the OS starts, press e key to enter the GNU GRUB Edit Menu.
- Locate the line that begins with the word Linux.
- Append these entries to the end of the line:
rw init=/bin/bash
The line should look like the following screenshot:
Note that the above comes from VMware KB article.
Well, we're done. We can successfully stage and install the latest security bundle from VMware and stay protected.
I want to set the root password to Never Expire, where can I do that?
Well, it's simple. Now you have the root password being reset, just login to the VCSA appliance on the port 5480 and go to the Administration menu, where you can set the root password to never expire.
Final words
When installing patches or upgrades, do not forget to backup your VCSA. You can do either the appliance built-in backup (which in 6.7 can be scheduled) or you can use external software to backup your vCSA. In my case, I use Veeam in the lab, but any supported backup software can do the job.
While since some time VMware patches and updates seem to process quite well, one never knows. In the past, I had few surprises when I ended up with a VCSA in an unbootable state or with the impossibility to log in and I had to roll back. Having a proper backup can save you especially if you're in a production environment -:).
VMware vSphere 7.0 coverage on ESX Virtualization
- VMware vSphere 7.0 Announced – vCenter Server Details
- VMware vCenter Server 7.0 Profiles
- We saw ESXi 7.0 on ARM – Our post from VMworld Barcelona 2019.
- What is vCenter Server Update Planner? – vSphere 7.0
- VMware vCenter Server 7.0 Profiles
- What is vCenter Server Multi-Homing?
- VMware vSphere 7.0 – VM Template Check-in and Check-out and versioning
- VMware vSphere 7.0 DRS Improvements – What's New?
Also from ESX Virtualization
- VCP6.7-DCV Objective 7.5 – Configure role-based user management
- VCP6.7-DCV Objective 7.4 – Configure host security(Opens in a new browser tab)
- VCP6-DCV Objective 7.5 – Troubleshoot HA and DRS Configurations and Fault Tolerance(Opens in a new browser tab)
Stay tuned through RSS, and social media channels (Twitter, FB, YouTube)
We are planning on using Pam to manage and update our root password is this a good idea or will we run into issue’s
Thank you very much for this wonderful article! It made it so simple for me to update our expired password.