Hi all,
I understand vRA 8 is very much in its beginnings, but figured it was worth a shot asking this with some of the other brave pioneers with the arrows in their backs out there.
I deployed a simple vRA 8 environment in my lab and I'm trying to apply a new certificate to it. I added a wildcard certificate (with a proper public suffix) to LCM Locker, and the PEM I imported passed validations. I used this certificate to update the LCM instance itself, as well as the IDM instance with no issue. For the IDM instance I used the LCM workflow. I then tried to apply the certificate to the vRA environment via LCM but received the following error:
com.vmware.vrealize.lcm.common.exception.EngineException: Failed to install vRA Certificate on hostname : testvra.lab.net
at com.vmware.vrealize.lcm.plugin.core.vra80.task.VraVaInstallCertificateTask.execute(VraVaInstallCertificateTask.java:135)
at com.vmware.vrealize.lcm.plugin.core.vra80.task.VraVaInstallCertificateTask.retry(VraVaInstallCertificateTask.java:220)
at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:43)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Did some digging and it appears the LCM workflow copies the PEM over to the /tmp directory on the vRA appliance and runs a command similar to:
vracli certificate ingress --set /tmp/lcm-cert.pem --sha256 {value}
I tried running this command while SSH'ed into the vRA appliance and got the following error:
Certificate with sha256 sum: {value} have errors in section 'v3_extensions'["Unable to parse certifcate's ['v3_extensions']['critical'] section. "
Popped open the cert and didn't see anything unusual:
I've tried a couple other things such as deleting the critical section, creating a dedicated cert instead of a wildcard, and changing the hashing algorithm but to no effect. I'm thinking that this error might be a red herring, but not sure.
Figured I'd ask to see if anyone else had any issues with theirs. If I stumble upon the answer, I'll update my thread.
I am facing the same issue. I have tried to run it directly over SSH on the appliance, which does not work.
I was able to apply the same cert using LCM to IDM but vra appliance does not accept it.
Replace IDM certificate using LCM
Run the "Retrust with IDM appliance" on the VRA environment details.
Run these commands on one of the vRA appliances:
kubectl get secret cert-ingress -n ingress --export -o yaml > backup.yaml
kubectl delete secret cert-ingress -n ingress
kubectl create secret tls cert-ingress -n ingress --cert=cert.pem --key=cert.key
kubectl delete pod -n ingress --all
kubectl get pod -n ingress
## You will have to wait for all of the pods to be ready, then your cert should be valid!
Shawn
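An added example (mine, not Shawn's commands or anything from VMware): the same secret swap as a small POSIX sh script that backs up the old secret, refuses a cert/key pair whose public keys do not match, and waits for the ingress pods instead of re-running kubectl get pod by hand. It assumes the secret is called cert-ingress in namespace ingress (as in Shawn's post, not verified beyond that); KUBECTL and OPENSSL can be overridden, e.g. KUBECTL=echo for a dry run that only prints what would be executed.

```sh
#!/bin/sh
# Added example, not from the thread: Shawn's secret swap wrapped in a script
# that backs up the old secret, refuses a cert/key pair that does not match,
# and waits for the ingress pods to be Ready.
# Assumptions (taken from Shawn's post, not confirmed elsewhere): the secret
# is "cert-ingress" in namespace "ingress". KUBECTL/OPENSSL are overridable,
# e.g. KUBECTL=echo for a dry run that only prints the commands.
KUBECTL="${KUBECTL:-kubectl}"
OPENSSL="${OPENSSL:-openssl}"
NS="${NS:-ingress}"
SECRET="${SECRET:-cert-ingress}"

# Count CERTIFICATE blocks in a PEM file: an ingress chain should carry the
# leaf plus at least one issuer, so anything below 2 deserves a warning.
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Compare the public key in the leaf (first block of $1) with the public key
# derived from the private key $2. A mismatch would leave the ingress with a
# broken TLS config, so fail before the secret is touched.
cert_key_match() {
  cert_pub=$("$OPENSSL" x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$("$OPENSSL" pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Back up the current secret, recreate it from cert/key, bounce the ingress
# pods and block until they report Ready (or the timeout expires).
replace_ingress_secret() {
  cert="$1"; key="$2"; backup="${3:-backup-$SECRET.yaml}"
  "$KUBECTL" get secret "$SECRET" -n "$NS" -o yaml > "$backup" || return 1
  "$KUBECTL" delete secret "$SECRET" -n "$NS" || return 1
  "$KUBECTL" create secret tls "$SECRET" -n "$NS" --cert="$cert" --key="$key" || return 1
  "$KUBECTL" delete pod -n "$NS" --all || return 1
  "$KUBECTL" wait --for=condition=Ready pod --all -n "$NS" --timeout=300s
}

# Full run only when called with "cert.pem key.pem"; otherwise the functions
# can just be sourced.
if [ $# -eq 2 ]; then
  [ "$(pem_cert_count "$1")" -ge 2 ] || echo "warning: $1 has fewer than 2 certificate blocks" >&2
  cert_key_match "$1" "$2" || { echo "certificate and key do not match" >&2; exit 1; }
  replace_ingress_secret "$1" "$2"
fi
```

Note that, as the follow-up in this thread reports, a secret replaced this way can be reverted by the deploy scripts; the script only makes the swap itself safer, it does not make it persistent.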
Thank you for the write up Shawn!
Tried this in my environment, and I was able to apply the certificate with the pem/key. Looked OK until I tried logging in and got this:
Tried restarting the stack with:
/opt/scripts/svc-stop.sh
/opt/scripts/deploy.sh --onlyClean
/opt/scripts/deploy.sh
Which had the effect of reverting the certificate back to the self-signed one. So it looks like this change might not be permanent.
I also tried running the LCM job again and it failed with the same error. Seems like this answer is close, and may work fully for others, so I marked your response as helpful.
Hi,
It looks like you have the problem described in this KB: https://kb.vmware.com/s/article/76089
Just to point out that the command in step 6 has a parameter ‘force’ with 2 dashes in front of it.
vracli certificate ingress --set stdin --force
Just went through the KB steps listed and it worked! Thanks vnenova for the heads up on this!
One thing I ran into that others might, depending on how you export your PFX... I got an error trying to go through these steps with an encrypted key. I got prompted to put in the password I used, but it ended up failing down the line when re-provisioning the containers. As a workaround, I ended up using these two commands:
openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
To generate the cert/key pems separately with the password I used to generate the pfx. Then I built the chain as specified in the KB, clicked "enter" where it prompted for password, and it worked.
Appreciate the assistance with this! Glad VMware was able to give us a workaround, and hopefully we can use LCM to manage this in the future.
MODS: Can you mark vnenova's answer as correct? It appears I cannot since I made this a discussion versus a question. Thank you!
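An added example (mine, not from the KB or the posts above): the PFX-to-PEM step as a script that extracts the unencrypted key, the leaf and the CA certificates separately, strips the "Bag Attributes" lines openssl pkcs12 adds, assembles one bundle, sanity-checks its shape, and only then pipes it to vracli certificate ingress --set stdin --force. The bundle order (key, leaf, then issuers) is my assumption and should be checked against KB 76089 before use; it also assumes the PFX contains the root CA, otherwise the openssl verify step needs -partial_chain. OPENSSL and VRACLI are overridable (VRACLI=echo) for a dry run.

```sh
#!/bin/sh
# Added example, not from the thread or KB 76089: build the unencrypted PEM
# bundle that "vracli certificate ingress --set stdin --force" reads, and
# check it before it goes near the appliance.
# Assumptions: the PFX holds the leaf and its issuing CAs (root included);
# the bundle order key, leaf, CAs is an assumption to verify against the KB.
OPENSSL="${OPENSSL:-openssl}"
VRACLI="${VRACLI:-vracli}"

# Private key without a passphrase (-nodes): the thread reports that an
# encrypted key makes the container re-provisioning fail later on.
extract_key()  { "$OPENSSL" pkcs12 -in "$1" -nocerts -nodes -out "$2"; }
# Leaf certificate only (-clcerts) and issuer certificates only (-cacerts).
extract_leaf() { "$OPENSSL" pkcs12 -in "$1" -nokeys -clcerts -out "$2"; }
extract_cas()  { "$OPENSSL" pkcs12 -in "$1" -nokeys -cacerts -out "$2"; }

# openssl pkcs12 prefixes every item with "Bag Attributes" lines; keep only
# the PEM blocks so the bundle contains nothing the parser has to skip.
pem_only() { sed -n '/^-----BEGIN /,/^-----END /p' "$1"; }

# Assemble key + leaf + CAs into one file and check its shape:
# exactly one private key, at least one certificate, key first.
build_bundle() {
  key="$1"; leaf="$2"; cas="$3"; out="$4"
  { pem_only "$key"; pem_only "$leaf"; pem_only "$cas"; } > "$out"
  [ "$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$out")" = 1 ] || return 1
  [ "$(grep -c -- '-----BEGIN CERTIFICATE-----' "$out")" -ge 1 ] || return 1
  head -n 1 "$out" | grep -q 'PRIVATE KEY'
}

# The leaf must chain to the extracted CAs; a bundle that fails here will
# not become valid by being installed.
verify_chain() { "$OPENSSL" verify -CAfile "$2" "$1" >/dev/null; }

# Feed the bundle on stdin; --force with two dashes, as vnenova pointed out.
install_bundle() { "$VRACLI" certificate ingress --set stdin --force < "$1"; }

# Usage: sh this.sh certname.pfx   (openssl prompts for the PFX password)
if [ $# -eq 1 ]; then
  extract_key "$1" key.pem && extract_leaf "$1" cert.pem && extract_cas "$1" chain.pem \
    && build_bundle key.pem cert.pem chain.pem bundle.pem \
    && verify_chain cert.pem chain.pem \
    && install_bundle bundle.pem
fi
```

The unencrypted key.pem and bundle.pem sit in the working directory after the run; remove them from /tmp on the appliance once vracli has accepted the bundle.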
Replace IDM certificate using LCM
Run the "Retrust with IDM appliance" on the VRA environment details.
Run these commands on one of the vra appliances:
kubectl get secret cert-ingress -n ingress --export -o yaml > backup.yaml
This worked great, right until I needed to re-run the "Retrust with IDM appliance."
At which point it reset all the certs while restarting the services, and then failed to come back up.