VMware Cloud Community
skoch
Enthusiast

vRA 7 IaaS Manager service manual certificate replacement

Does anyone have the steps to manually replace the IaaS Manager service certificates in vRA 7.0.1? The VAMI is not allowing us to replace the certificates, so we need to bind the correct certs manually. Unfortunately, it appears that in vRA 7 VMware moved away from using the IIS Manager so we're unable to figure out how.

Thanks in advance!

6 Replies
darrenoid
Enthusiast

Hello Skoch,

I ran into something similar. There are no updated instructions for vRA 7 on how to do that manually. You can try following the steps provided for vRA 6, but I would recommend trying to resolve the issue with the VAMI. For me I was able to get the VAMI to work after I manually added the certificates to the Local Computer "Trusted People" certificate store on the IaaS machine. VMware only shows the VAMI steps, so they are not providing a method to manually install officially. If it doesn't work then they should be able to help you if you open a support request.

Previous post I found for my issue: vRA 7 certificate replacement error

Updating IaaS Manager certificates in 7: vRealize Automation 7.0

Manual Instructions for 6: Generating Certificates for vCAC 6 IaaS Web Server & Manager Service

Regards,

Darrenoid

GrantOrchardVMw
Commander

Actually, it's still using IIS Manager.

The issue you're seeing is because the certificate you want to import isn't in the "Trusted People" keystore. Drop it in there manually and then try it from the VAMI again.

This problem is fixed in 7.1.

Grant http://grantorchard.com
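
The step described in the replies above (put the certificate in the Local Computer "Trusted People" store, then retry from the VAMI), as an added example that is not part of the original posts or of VMware's documentation. It assumes a public-certificate file at a placeholder path and an elevated PowerShell session on the IaaS machine.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell session
# on the IaaS machine. $CertPath is a placeholder (assumption).
param(
    [string]$CertPath = 'C:\certs\iaas-manager.cer'
)

$ErrorActionPreference = 'Stop'
$storePath = 'Cert:\LocalMachine\TrustedPeople'   # Local Computer > Trusted People

# Read the file first so we can compare by thumbprint and check validity.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$now  = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate $($cert.Thumbprint) is outside its validity window ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Is this exact certificate already in the store?
$existing = Get-ChildItem -Path $storePath |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }

if ($existing) {
    Write-Output "Already present in Trusted People: $($cert.Subject) [$($cert.Thumbprint)]"
} else {
    Import-Certificate -FilePath $CertPath -CertStoreLocation $storePath | Out-Null
    # Confirm the import actually landed before going back to the VAMI.
    if (-not (Test-Path -Path (Join-Path $storePath $cert.Thumbprint))) {
        throw "Import reported success but $($cert.Thumbprint) is not in $storePath."
    }
    Write-Output "Imported into Trusted People: $($cert.Subject) [$($cert.Thumbprint)]"
}

# List other entries with the same subject so stale certificates are visible.
Get-ChildItem -Path $storePath |
    Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $cert.Thumbprint } |
    Select-Object Subject, Thumbprint, NotAfter
```

Comparing by thumbprint rather than subject matters here because a renewed certificate usually keeps the same subject, so a subject match alone can hide the fact that only the old certificate is in the store.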
skoch
Enthusiast

The cert had been added to the Trusted People keystore before attempting the change. I double-checked in both the customer's environment and our ATC environment, and neither has IIS or the IIS Manager installed on the IaaS Manager servers. Can you confirm that these should be installed in a distributed environment where the IaaS Manager is separate from the IaaS Web servers?

We do have a support request open with VMware; however, they escalated it to engineering almost immediately, so due to time constraints we decided to scrap the environment and rebuild.

GrantOrchardVMw
Commander

Ah, it's split out? My bad on the assumption. You're correct that the IIS Manager won't be on a standalone Manager Service server.

I haven't dealt with a completely distributed deployment in a while now, so need to go validate the behaviour as I'm a little hazy on the details.

Out of curiosity, how large is this environment? That architecture is only recommended for more than 30k managed machines.

Grant http://grantorchard.com
GrantOrchardVMw
Commander

Ok - bit of an update here. I was able to deploy a standalone manager service node and update the cert without issue.

What is the error message that you are seeing?

If you prefer to not discuss the details on a public forum, drop me a note - first initial lastname at vmware dot com.

Grant http://grantorchard.com
FerrerDeCouto
Commander

Hi,

I'm facing the same issue. I could trigger the update of the Manager Service certificate just the first time. It failed in the last step because I didn't have the certs in the Trusted People store, and now I cannot trigger it any more. I cannot even trigger the update of the Web Server certificates, just the "Reinitiate Trust" option, but it doesn't solve anything.

error.png

How can I manually trigger this process or fix the last two steps?

Regards,

Jose

José Luis Gómez Ferrer de Couto, Founder of PiPo e2H. Blog: http://blog.e2h.net. If you find this or any other answer useful, please consider awarding points. Thank you.