5 Replies Latest reply on Nov 22, 2019 10:33 AM by rmav01

    vRA 8 - Issues Applying a Certificate

    rmav01 Enthusiast

      Hi all,

       

      I understand vRA 8 is very much in its beginnings, but figured it was worth a shot asking this with some of the other brave pioneers with the arrows in their backs out there.

       

      I deployed a simple vRA 8 environment in my lab and I'm trying to apply a new certificate to it. I added a wildcard certificate (with a proper public suffix) to LCM Locker, and the PEM I imported passed validations. I used this certificate to update the LCM instance itself, as well as the IDM instance with no issue. For the IDM instance I used the LCM workflow. I then tried to apply the certificate to the vRA environment via LCM but received the following error:

       

      com.vmware.vrealize.lcm.common.exception.EngineException: Failed to install vRA Certificate on hostname : testvra.lab.net

      at com.vmware.vrealize.lcm.plugin.core.vra80.task.VraVaInstallCertificateTask.execute(VraVaInstallCertificateTask.java:135)

      at com.vmware.vrealize.lcm.plugin.core.vra80.task.VraVaInstallCertificateTask.retry(VraVaInstallCertificateTask.java:220)

      at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:43)

      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)

      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)

      at java.lang.Thread.run(Thread.java:748)

       

      Did some digging and it appears the LCM workflow copies the PEM over to the /tmp directory on the vRA appliance and runs a command similar to:

       

      vracli certificate ingress --set /tmp/lcm-cert.pem --sha256 {value}

       

      I tried running this command while SSH'ed into the vRA appliance and got the following error:

       

      Certificate with sha256 sum: {value} have errors in section 'v3_extensions'["Unable to parse certifcate's ['v3_extensions']['critical'] section. "

       

      Popped open the cert and didn't see anything unusual:

       

       

      I've tried a couple other things such as deleting the critical section, creating a dedicated cert instead of a wildcard, and changing the hashing algorithm but to no effect. I'm thinking that this error might be a red herring, but not sure.

       

      Figured I'd ask to see if anyone else had any issues with theirs. If I stumble upon the answer, I'll update my thread.

        • 1. Re: vRA 8 - Issues Applying a Certificate
          GS21 Lurker

I am facing the same issue. I have tried to run it directly on the appliance over SSH, which does not work.

I was able to apply the same cert to IDM using LCM, but the vRA appliance does not accept it.

          • 2. Re: vRA 8 - Issues Applying a Certificate
            shawnmitchellbradley Novice

            The steps below work!

             

Replace the IDM certificate using LCM.

 

Run "Retrust with IDM appliance" from the vRA environment details.

 

Run these commands on one of the vRA appliances:

             

## back up the current ingress secret first ("tls" is the secret type, used only with "create")

kubectl get secret cert-ingress -n ingress --export -o yaml > backup.yaml

 

kubectl delete secret cert-ingress -n ingress

 

kubectl create secret tls cert-ingress -n ingress --cert=cert.pem --key=cert.key

 

kubectl delete pod -n ingress --all

 

kubectl get pod -n ingress

 

##  You will have to wait for all of the pods to be ready, then your cert should be valid!

             

            Shawn

            1 person found this helpful
            • 3. Re: vRA 8 - Issues Applying a Certificate
              rmav01 Enthusiast

              Thank you for the write up Shawn!

               

              Tried this in my environment, and I was able to apply the certificate with the pem/key. Looked OK until I tried logging in and got this:

               

               

              Tried restarting the stack with:

               

              /opt/scripts/svc-stop.sh

              /opt/scripts/deploy.sh --onlyClean

              /opt/scripts/deploy.sh

               

              Which had the effect of reverting the certificate back to the self-signed one. So it looks like this change might not be permanent.

               

              I also tried running the LCM job again and it failed with the same error. Seems like this answer is close, and may work fully for others, so I marked your response as helpful.

              • 4. Re: vRA 8 - Issues Applying a Certificate
                vnenova Novice
                VMware Employees

                Hi,

                It looks like you have the problem described in this KB: https://kb.vmware.com/s/article/76089
                Just to point out that the command in step 6 has a parameter ‘force’ with 2 dashes in front of it.

                vracli certificate ingress --set stdin --force

                2 people found this helpful
                • 5. Re: vRA 8 - Issues Applying a Certificate
                  rmav01 Enthusiast

                  Just went through the KB steps listed and it worked! Thanks vnenova for the heads up on this!

                   

                  One thing I ran into that others might, depending on how you export your PFX... I got an error trying to go through these steps with an encrypted key. I got prompted to put in the password I used, but it ended up failing down the line when re-provisioning the containers. As a work around, I ended up using these two commands:

                   

                  openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes

                  openssl pkcs12 -in certname.pfx -nokeys -out cert.pem

                   

                  To generate the cert/key pems separately with the password I used to generate the pfx. Then I built the chain as specified in the KB, clicked "enter" where it prompted for password, and it worked.

                   

                  Appreciate the assistance with this! Glad VMware was able to give us a workaround, and hopefully we can use LCM to manage this in the future.

                   

MODS: Can you mark vnenova's answer as correct? It appears I cannot since I made this a discussion versus a question. Thank you!
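The following is an added example, not code from this thread, the KB article or VMware. It covers the two steps the replies above do by hand: the PFX split with the two openssl commands from the last post (and the encrypted-key variant that failed), and the cert/key material that Shawn's kubectl steps feed into the ingress secret. It builds a throwaway "Lab Root CA" and "*.lab.net" leaf (constructed test data), packs them into a password-protected certname.pfx, extracts key.pem and cert.pem, separates leaf and issuer, checks that the key matches the leaf and that the chain verifies, and renders the Secret manifest that "kubectl create secret tls cert-ingress -n ingress" would create. Assumptions: openssl (1.1.1 or 3.x) on PATH, a leaf-first chain order for the ingress, and "kubectl apply -f" of the rendered manifest as an alternative to the thread's delete + create; none of that is stated by the thread.

```shell
#!/bin/sh
# Added example (not from the thread, the KB article or VMware): exercises the
# PFX-splitting and pair-checking steps on constructed test data. Requires
# openssl on PATH; file names follow the post (certname.pfx, key.pem, cert.pem).
set -eu

# make_test_pfx DIR PASS : constructed "Lab Root CA" + "*.lab.net" leaf, packed
# into DIR/certname.pfx the way a Windows export would (password protected)
make_test_pfx() {
  dir=$1; pass=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Lab Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.lab.net" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  # v3 extensions like a real server cert: one critical, two non-critical
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:*.lab.net\nextendedKeyUsage=serverAuth\n' \
    > "$dir/leaf.ext"
  openssl x509 -req -days 30 -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
  openssl pkcs12 -export -in "$dir/leaf.pem" -inkey "$dir/leaf.key" -certfile "$dir/ca.pem" \
    -passout "pass:$pass" -out "$dir/certname.pfx"
}

# export_key DIR PASS MODE : "nodes" is the post's command (unencrypted key.pem);
# "encrypted" is what you get without -nodes, the kind of key that failed later in the KB steps
export_key() {
  dir=$1; pass=$2; mode=$3
  if [ "$mode" = nodes ]; then
    openssl pkcs12 -in "$dir/certname.pfx" -nocerts -out "$dir/key.pem" -nodes -passin "pass:$pass"
  else
    openssl pkcs12 -in "$dir/certname.pfx" -nocerts -out "$dir/key-enc.pem" \
      -passin "pass:$pass" -passout "pass:$pass"   # -passout: passphrase for the new PEM
  fi
}

# key_is_encrypted FILE : true when the PEM still needs a passphrase
key_is_encrypted() { grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; }

# pem_only FILE : drop the "Bag Attributes" lines openssl prints above each block
pem_only() { sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1"; }

# export_certs DIR PASS : the post's -nokeys command (all certs into cert.pem), then
# -clcerts / -cacerts to separate leaf and issuer; chain.pem = leaf first, then issuer
# (assumed order for an ingress chain, not stated by the thread)
export_certs() {
  dir=$1; pass=$2
  openssl pkcs12 -in "$dir/certname.pfx" -nokeys -out "$dir/cert.pem" -passin "pass:$pass"
  openssl pkcs12 -in "$dir/certname.pfx" -nokeys -clcerts -out "$dir/leaf-only.pem" -passin "pass:$pass"
  openssl pkcs12 -in "$dir/certname.pfx" -nokeys -cacerts -out "$dir/ca-only.pem" -passin "pass:$pass"
  { pem_only "$dir/leaf-only.pem"; pem_only "$dir/ca-only.pem"; } > "$dir/chain.pem"
}

# key_matches_cert KEY CERT : same public key in both; catches a cert/key mix-up
# before anything is deleted on the appliance
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_verifies DIR : leaf must validate against the issuer pulled from the same PFX
chain_verifies() { openssl verify -CAfile "$1/ca-only.pem" "$1/leaf-only.pem" >/dev/null 2>&1; }

# critical_ext_count CERT : how many v3 extensions are marked critical, the section
# vracli complained about in the first post
critical_ext_count() { openssl x509 -in "$1" -noout -text | grep -c ': critical' || true; }

# tls_secret_yaml NAMESPACE NAME CERT KEY : the manifest "kubectl create secret tls"
# builds, so the replacement can be reviewed and applied with "kubectl apply -f"
# (an alternative to the delete + create in the thread, not what the thread ran)
tls_secret_yaml() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$2" "$1" "$(openssl base64 -A -in "$3")" "$(openssl base64 -A -in "$4")"
}

# run_demo : end to end in a temp dir; prints the dir on success, returns non-zero on failure
run_demo() {
  dir=$(mktemp -d); pass='Lab-Pfx-Pass-1'
  make_test_pfx "$dir" "$pass"
  export_key "$dir" "$pass" nodes
  export_key "$dir" "$pass" encrypted
  export_certs "$dir" "$pass"
  key_is_encrypted "$dir/key-enc.pem" && echo "key-enc.pem still needs a passphrase; use -nodes" >&2
  key_matches_cert "$dir/key.pem" "$dir/leaf-only.pem" || { echo "key/cert mismatch" >&2; return 1; }
  chain_verifies "$dir" || { echo "chain does not verify" >&2; return 1; }
  echo "$dir"
}
```

Run it with `. ./example.sh; d=$(run_demo); tls_secret_yaml ingress cert-ingress "$d/chain.pem" "$d/key.pem"` to get a manifest you can inspect before applying. The pair check is the step worth keeping on a real appliance: recreating the ingress secret with a key that does not belong to the cert takes the UI down just as surely as the self-signed fallback the thread ran into.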