Enthusiast

vRA 8 - Issues Applying a Certificate

Hi all,

I understand vRA 8 is very much in its beginnings, but figured it was worth a shot asking this with some of the other brave pioneers with the arrows in their backs out there.

I deployed a simple vRA 8 environment in my lab and I'm trying to apply a new certificate to it. I added a wildcard certificate (with a proper public suffix) to LCM Locker, and the PEM I imported passed validations. I used this certificate to update the LCM instance itself, as well as the IDM instance with no issue. For the IDM instance I used the LCM workflow. I then tried to apply the certificate to the vRA environment via LCM but received the following error:

com.vmware.vrealize.lcm.common.exception.EngineException: Failed to install vRA Certificate on hostname : testvra.lab.net
at com.vmware.vrealize.lcm.plugin.core.vra80.task.VraVaInstallCertificateTask.execute(VraVaInstallCertificateTask.java:135)
at com.vmware.vrealize.lcm.plugin.core.vra80.task.VraVaInstallCertificateTask.retry(VraVaInstallCertificateTask.java:220)
at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:43)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)

Did some digging and it appears the LCM workflow copies the PEM over to the /tmp directory on the vRA appliance and runs a command similar to:

vracli certificate ingress --set /tmp/lcm-cert.pem --sha256 {value}

I tried running this command while SSH'ed into the vRA appliance and got the following error:

Certificate with sha256 sum: {value} have errors in section 'v3_extensions'["Unable to parse certifcate's ['v3_extensions']['critical'] section. "

Popped open the cert and didn't see anything unusual:

[screenshot of the certificate details; image not available]

I've tried a couple other things such as deleting the critical section, creating a dedicated cert instead of a wildcard, and changing the hashing algorithm but to no effect. I'm thinking that this error might be a red herring, but not sure.

Figured I'd ask to see if anyone else had any issues with theirs. If I stumble upon the answer, I'll update my thread.

Contributor

I am facing the same issue. I have tried to run it direct on appliance SSH which does not work.

I was able to apply the same cert using LCM to IDM but vra appliance does not accept it.

Contributor

The steps below work!

Replace IDM certificate using LCM

Run the "Retrust with IDM appliance" on the VRA environment details.

Run these commands on one of the vra appliances:

kubectl get secret cert-ingress -n ingress --export -o yaml > backup.yaml

kubectl delete secret cert-ingress -n ingress

kubectl create secret tls cert-ingress -n ingress --cert=cert.pem --key=cert.key

kubectl delete pod -n ingress --all

kubectl get pod -n ingress

You will have to wait for all of the pods to be ready, then your cert should be valid!

Shawn

Enthusiast

Thank you for the write up Shawn!

Tried this in my environment, and I was able to apply the certificate with the pem/key. Looked OK until I tried logging in and got this:

[screenshot of the login error; image not available]

Tried restarting the stack with:

/opt/scripts/svc-stop.sh

/opt/scripts/deploy.sh --onlyClean

/opt/scripts/deploy.sh

Which had the effect of reverting the certificate back to the self-signed one. So it looks like this change might not be permanent.

I also tried running the LCM job again and it failed with the same error. Seems like this answer is close, and may work fully for others, so I marked your response as helpful.

VMware Employee

Hi,

It looks like you have the problem described in this KB: https://kb.vmware.com/s/article/76089
Just to point out that the command in step 6 has a parameter ‘force’ with 2 dashes in front of it.

vracli certificate ingress --set stdin --force

Enthusiast

Just went through the KB steps listed and it worked! Thanks vnenova for the heads up on this!

One thing I ran into that others might, depending on how you export your PFX... I got an error trying to go through these steps with an encrypted key. I got prompted to put in the password I used, but it ended up failing down the line when re-provisioning the containers. As a work around, I ended up using these two commands:

openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

To generate the cert/key pems separately with the password I used to generate the pfx. Then I built the chain as specified in the KB, clicked "enter" where it prompted for password, and it worked.

Appreciate the assistance with this! Glad VMware was able to give us a workaround, and hopefully we can use LCM to manage this in the future.

MODS: Can you mark vnenova's answer as correct? It appears I cannot since I made this a discussion versus a question. Thank you!

Enthusiast

Replace IDM certificate using LCM

Run the "Retrust with IDM appliance" on the VRA environment details.

Run these commands on one of the vra appliances:

kubectl get secret cert-ingress -n ingress --export -o yaml > backup.yaml

This worked great, right until I needed to re-run the "Retrust with IDM appliance."

At which point it reset all the certs while restarting the services, and then failed to come back up.
