VMware Cloud Community
DonalB
Enthusiast

Orchestrator and wildcard ssl weirdness

Hi,

Anyone used a wildcard ssl cert with latest release of vRO yet? I'm coming across a bit of weirdness and wondering if I've hit a bug or am doing something stupid (very possible!)

Background:

I've got a wildcard cert for my domain and I've used it for all of the vRA components in my environment and all's good. I'm setting up an external vRO to work with this vRA environment and trying to use the same wildcard cert (I'm a bit lazy me;-) )

Problems:

I followed the process to create a new jssecacerts at /etc/vco/app-server/security and imported the wildcard cert, set the alias to dunes and all looks good when I start up the vco server and the configurator

I then go about importing all the ssl certs I will need to register with the component registry of vRA. This is all good too. If I do a keytool -list on the jssecacerts I can see all the certs I've imported and the dunes aliased cert etc.

If I then restart the vco server I seem to be coming up on a newly generated self-signed cert that vRO has generated on restart?

Running a keytool -list does indeed seem to show that my dunes cert has been changed but all of the certs that I had imported are still there. If I redo the delete dunes, import my wildcard and re-alias it to dunes and then restart, everything looks good again until the next time I restart...

Comments, suggestions welcome...

Cheers

DB

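A check for the keystore drift described above, as an added example that is not part of the original post: it parses `keytool -list` output and flags when the `dunes` entry's fingerprint no longer matches the one recorded right after importing the wildcard cert, so a regenerated self-signed cert is caught before the next restart goes unnoticed. The sample listing and its fingerprints are constructed, and `EXPECTED_WILDCARD_SHA1` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether the 'dunes' entry in
# vRO's jssecacerts still carries the wildcard certificate or has been swapped
# for a regenerated self-signed one. Functions read `keytool -list` output on stdin.

# Print the fingerprint that keytool -list reports for the given alias.
# keytool prints "alias, <date>, PrivateKeyEntry," and on the next line
# "Certificate fingerprint (SHA1): AA:BB:...", so we take the line after the match.
fingerprint_for_alias() {
    want_alias="$1"
    awk -v a="$want_alias" '
        found && /fingerprint/ { sub(/^[^:]*:[ \t]*/, ""); print; exit }
        $0 ~ ("^" a ",")      { found = 1 }
    '
}

# Compare the alias fingerprint against the expected one.
# Exit status 0 when they match, 1 when the entry is missing or has drifted.
check_alias_fingerprint() {
    want_alias="$1"; expected="$2"
    actual=$(fingerprint_for_alias "$want_alias")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample of keytool -list output (fingerprints are made up).
SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

dunes, Jan 5, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
vra-sso, Jan 5, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA:AA'

# Real use on the appliance (EXPECTED_WILDCARD_SHA1 is a placeholder: record it
# right after importing the wildcard cert, then re-run this after each restart):
#   keytool -list -keystore /etc/vco/app-server/security/jssecacerts \
#     | check_alias_fingerprint dunes "$EXPECTED_WILDCARD_SHA1" \
#     || echo "dunes entry no longer matches the wildcard certificate"
```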
2 Replies
Hazenet
Enthusiast

I am running vRO 6.0.3, and I don't seem to have that problem.

I have a Wildcard certificate (similar use-case as yours), which I would like to use for both the VAMI (5480), the Configuration Interface (8283), the Web HTTPS (8281), the Client Communication (8286 and 8287) and actually also for the "Server Package Signing Certificate" part of vRO.

I have got it to work with VAMI (5480), the Configuration Interface (8283) and the Web HTTPS (8281).

But when I connect using the Orchestrator Client, it sees the new Certificate. The CA (root certificate) and the CA Intermediate part of the certificate are trusted, but the actual Wildcard part is untrusted.

I am also having a hard time figuring out how to use this Wildcard certificate for the "Server Package Signing Certificate".

So if you have gotten any of those parts working I would be happy to hear about that.

DonalB
Enthusiast

Mads,

Apologies, I have only picked up this now. I have some of that working alright; I'll see if I can dig out the details if you still need them?

Cheers

DB
