VMware Cloud Community
khloh
Enthusiast

vRealize Automation Agent fails after replacing with wild card certificates

We have a medium scale environment of 2 x vRA appliance, 2 x IaaS servers (web and manager), 2 x DEM servers. It was working fine till we replaced the certificates.

We replaced the certificates on the vRA appliance and IaaS servers with wildcard certificates and things started to fall apart. Typically the Agent status shows "down" and the vCenter inventory/state also shows fail. The Networking and Security inventory is missing as well.

Is a wildcard certificate supported?

5 Replies
daphnissov
Immortal

What version are you using? Describe your certs.

khloh
Enthusiast

Hi daphnissov,

We are using vRA version 7.3

The deployment was using the default self-signed certificate and was working fine.

Things started to fall apart after we replaced them with the wildcard cert.

Here is the detail of the certs (note: names have been changed for discussion purposes)

We log in to the primary vRA appliance and go to Host Settings > Import

Provide the Key & certificate Chain

The detail of the wildcard cert for vRA appliance:

Issued to : *.example.com.my

Issued by : DigiCert SHA2 Secure Server CA

CN: *.example.com.my

SAN:

DNS=*.example.com.my

DNS=example.com.my

DNS=vra01.ext.example.com.my

DNS=vra02.ext.example.com.my

DNS=VIPvra.example.com.my

Certification path: Digicert > Digicert SHA 2 Secure Server CA > *.example.com.my

After replacement, we go to the “Certificates” tab > IaaS Web > Import Certificate

The detail of the wildcard cert for IaaS Component Server:

Issued to : *.example.com.my

Issued by : DigiCert SHA2 Secure Server CA

CN: *.example.com.my

SAN:

DNS=*.example.com.my

DNS=example.com.my

DNS=iaas01.ext.example.com.my

DNS=iaas02.ext.example.com.my

DNS=VIPiaasweb.ext.example.com.my

DNS=VIPiaasmgr.ext.example.com.my

Certification path: Digicert > Digicert SHA 2 Secure Server CA > *.example.com.my

Note: Since both component Web and Manager Service are installed on the same IaaS Server set, we import certificate for the IaaS Web only, as stated above. I don’t think we need to repeat the step above to import for Manager Service.

Tx!

daphnissov
Immortal

So what's working and not working after you replaced them?

khloh
Enthusiast

The import of the certificates did not show any error and completed the process. However, when we were trying to design a blueprint, it seemed that there were no compute resources (vCenter objects) available for selection. So we checked on the compute resources (Infrastructure > Compute Resources) and saw that the Agent status for each of the vCenter clusters shows “down”. The Data collection also shows “failed”. Tried to do a manual sync, unsuccessful. Restarting the Agents also did not help.

Was wondering whether wildcard is supported for the IaaS Component server, as in the vRealize Automation documentation it is stated for the vRA appliance but not mentioned for the IaaS Component.

Attached is a screenshot from the documentation.

Or are my certificate entries not correct in the CN or SAN?

daphnissov
Immortal

Does the SAN not have the names of your DEMs and Agents? Can you post the Agent log to see where it fails?

0 Kudos
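
Added example, not part of any post in this thread: a check of which hostnames the posted IaaS SAN list actually covers, using the standard rule that a wildcard stands for exactly one left-most DNS label (so `*.example.com.my` does not cover names under `ext.example.com.my`). The `dem01`/`dem02` names are hypothetical stand-ins for the two DEM servers, whose real names the thread does not give.

```python
def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' is only honoured as the whole left-most
    label and stands for exactly one label, never several."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def coverage(sans, hosts):
    """Map each host to the SAN entries that cover it (empty list = none)."""
    return {host: [s for s in sans if san_matches(s, host)] for host in hosts}


def uncovered(sans, hosts):
    """Hosts for which no SAN entry matches."""
    return [h for h, matched in coverage(sans, hosts).items() if not matched]


# SAN entries of the IaaS certificate as posted in the thread.
IAAS_SANS = [
    "*.example.com.my", "example.com.my",
    "iaas01.ext.example.com.my", "iaas02.ext.example.com.my",
    "VIPiaasweb.ext.example.com.my", "VIPiaasmgr.ext.example.com.my",
]

# Names to verify. The first four are from the thread; dem01/dem02 are
# hypothetical (assumed to sit in the same ext.example.com.my zone).
HOSTS = [
    "iaas01.ext.example.com.my", "iaas02.ext.example.com.my",
    "VIPiaasweb.ext.example.com.my", "VIPiaasmgr.ext.example.com.my",
    "dem01.ext.example.com.my", "dem02.ext.example.com.my",
]

if __name__ == "__main__":
    for host, matched in coverage(IAAS_SANS, HOSTS).items():
        print(f"{host:35} {'covered by ' + matched[0] if matched else 'NOT COVERED'}")
```

With these inputs the IaaS nodes and VIPs are covered only by their explicit SAN entries, not by the wildcard, and the two assumed DEM names are not covered at all.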