How to rotate the ".properties.syslog_selector.enabled.syslog_ca_cert" certificate in Tanzu RabbitMQ for VMs

Article ID: 293228

Products

VMware RabbitMQ

Issue/Introduction

A certificate stored under the reference ".properties.syslog_selector.enabled.syslog_ca_cert" may not rotate under any of the usual Tanzu rotation methods. This article explains how this certificate came to exist and how to resolve its rotation.

This certificate is specific to the VMware Tanzu RabbitMQ for VMs tile.

Prior to RabbitMQ tile v1.20, there was a configurable "Custom CA Certificate" field within the syslog section of the tile properties.

For example, this is what the field looks like in RabbitMQ tile v1.19.6:

[Screenshot: the "Custom CA Certificate" field in the syslog section of the RabbitMQ tile v1.19.6 properties]

When a CA Certificate is provided in that field, it is stored in Ops Manager with the reference ".properties.syslog_selector.enabled.syslog_ca_cert".

RabbitMQ tile v1.20 changed how syslog is handled: this field was removed and marked as non-configurable. Refer to Tanzu RabbitMQ® for VMs v1.20.0 for more information on these changes.

For example, this is what the field looks like in RabbitMQ tile v1.20:

[Screenshot: the same field in the RabbitMQ tile v1.20 properties, now shown with a different label]

Notice how the label of the field has changed.

Whatever was configured in the "Custom CA Certificate" field prior to RabbitMQ v1.20 is "stuck": the property is marked as non-configurable, so there is no way to rotate it under normal procedures.

Letting ".properties.syslog_selector.enabled.syslog_ca_cert" expire should be harmless, as it is no longer referenced. However, because it is a certificate stored in Ops Manager, it can cause the expiring certificates banner to appear, and the banner will remain until this certificate is resolved.

[Screenshot: the Ops Manager expiring certificates banner]

Until a RabbitMQ tile version containing the patch is released, this can be resolved manually by editing the tile metadata to make this property configurable again and then setting its value to empty.

Environment

Product Version: 2.0

Resolution

Summary

To resolve this certificate, we perform the following steps:

  1. Edit RabbitMQ tile metadata to make this certificate configurable.
  2. GET the properties for the RabbitMQ tile from Ops Manager API.
  3. Set the value empty for the certificate in question.
  4. PUT the edited properties for the RabbitMQ tile to Ops Manager API.
  5. Apply Changes.

If you would like assistance with this procedure, open a Tanzu Support ticket that references this article and requests help with it. This is required because the procedure involves editing tile metadata.

This article uses a lab example to walk through the process. Be sure to substitute your own values where necessary, for example the Ops Manager URL in the API calls or the p-rabbitmq GUID.

1. Edit RabbitMQ tile metadata to make this certificate configurable.

a. ssh onto the Ops Manager VM.

b. Become root with this command:

ubuntu@opsmgr-41-slot-59-###-#####-com:~$ sudo su -


c. cd to the metadata directory.

root@opsmgr-41-slot-59-##-#####-com:~# cd /var/tempest/workspaces/default/metadata


This directory contains one .yml file per tile. We need to find the most recent RabbitMQ .yml file containing the certificate in question by grepping for it.

root@opsmgr-41-slot-59-###-######-com:/var/tempest/workspaces/default/metadata# grep -r 'name: syslog_ca_cert' *
9c64ffdd5f4a.yml:    - name: syslog_ca_cert
a2abf0514ad1.yml:    - name: syslog_ca_cert


This tells us that 9c64ffdd5f4a.yml and a2abf0514ad1.yml both contain the certificate for RabbitMQ. By looking at the first 3 lines of each file, we can confirm which file belongs to the current tile version.

In this example, we have RabbitMQ tile v1.20.

root@opsmgr-41-slot-59-####-#####-com:/var/tempest/workspaces/default/metadata# cat 9c64ffdd5f4a.yml | head -3
---
name: p-rabbitmq
product_version: 1.19.6-build.41


root@opsmgr-41-slot-59-###-#####-com:/var/tempest/workspaces/default/metadata# cat a2abf0514ad1.yml | head -3
---
name: p-rabbitmq
product_version: 1.20.0-build.130


This confirms that a2abf0514ad1.yml is the file we want to edit, as it is the newest RabbitMQ metadata.

d. Make a copy of this metadata file for safekeeping.

root@opsmgr-41-slot-59-###-#####-com:/var/tempest/workspaces/default/metadata# cp a2abf0514ad1.yml /tmp/a2abf0514ad1-copy.yml


e. Open the metadata file, find the certificate, make it configurable, and then save the file.

Important: only this one line in the file is edited (configurable: false becomes configurable: true).

#BEFORE

    - name: syslog_ca_cert
      type: ca_certificate
      configurable: false
      optional: true
      freeze_on_deploy: false
      unique: false


#AFTER

    - name: syslog_ca_cert
      type: ca_certificate
      configurable: true
      optional: true
      freeze_on_deploy: false
      unique: false


".properties.syslog_selector.enabled.syslog_ca_cert" is now configurable.

f. cd into the /tmp directory.

root@opsmgr-41-slot-59-###-######-com:~# cd /tmp



2. Get the current properties for the RabbitMQ tile from Ops Manager.

a. Authenticate with the Ops Manager UAA to obtain an access token and export it to an environment variable.

export UAA_ACCESS_TOKEN='token here'


b. Obtain the properties for the RabbitMQ tile and output into a file called rabbit-config.json.

root@opsmgr-41-slot-59-###-#####-com:/tmp# curl -k "https://opsmgr-41.slot-59.###.######.com/api/v0/staged/products/p-rabbitmq-28502ff1cce4273f3f5f/properties" \
>     -X GET \
>     -H "Authorization: Bearer $UAA_ACCESS_TOKEN" | jq . > rabbit-config.json


c. Make a copy of rabbit-config.json called rabbit-config-original.json for safekeeping.

root@opsmgr-41-slot-59-###-#####-com:/tmp# cp rabbit-config.json rabbit-config-original.json


3. Clear the value for the ".properties.syslog_selector.enabled.syslog_ca_cert" certificate.

a. Open rabbit-config.json, remove all properties except ".properties.syslog_selector.enabled.syslog_ca_cert", and set its value to an empty string (keep the double quotes).

This is how rabbit-config.json should look in its entirety:

root@opsmgr-41-slot-59-###-#####-com:/tmp# cat rabbit-config.json
{
  "properties": {
    ".properties.syslog_selector.enabled.syslog_ca_cert": {
      "type": "ca_certificate",
      "configurable": true,
      "credential": false,
      "value": "",
      "optional": true
    }
  }
}


4. Put the edited property for the RabbitMQ tile back to Ops Manager.

The existing token from Step 2 will be used in this API call.

a. Put the properties for the RabbitMQ tile via Ops Manager API.

root@opsmgr-41-slot-59-pez-vmware-com:/tmp# curl -k "https://opsmgr-41.slot-59.###.#####.com/api/v0/staged/products/p-rabbitmq-28502ff1cce4273f3f5f/properties" \
>     -X PUT \
>     -H "Authorization: Bearer $UAA_ACCESS_TOKEN" \
>     -H "Content-Type: application/json" \
>     -d '@/tmp/rabbit-config.json'
{}


Notice the {} response; this indicates success.

Note that only the properties present in rabbit-config.json are updated by the PUT. All of the properties we removed from the file remain unchanged in the tile.

5. Apply Changes to the RabbitMQ tile for the changes to take effect.
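The following script is an added example that is not part of this article or of the RabbitMQ tile; it scripts steps 1e, 2b, 3 and 4a so that the metadata edit can be checked before it is saved. It assumes the operator has already exported OPSMAN_URL, PRODUCT_GUID (the p-rabbitmq GUID) and UAA_ACCESS_TOKEN; the metadata fragment used by the self-check is constructed for illustration and is not a real tile file. The awk filter changes configurable: false to true only inside the property block named syslog_ca_cert, and diff_line_count confirms that exactly one line changed before the edited file replaces the original.

```shell
#!/bin/sh
# Added example (not from the KB article or the RabbitMQ tile).
# Assumed environment: OPSMAN_URL, PRODUCT_GUID, UAA_ACCESS_TOKEN.

# Step 1e, scripted: flip "configurable: false" to "configurable: true" only
# inside the property block named syslog_ca_cert. Reads the metadata file
# given as $1 and prints the edited YAML; every other line is left as-is.
make_syslog_ca_cert_configurable() {
  awk '
    /^[[:space:]]*- name: / { in_block = ($0 ~ /- name: syslog_ca_cert[[:space:]]*$/) }
    in_block && /^[[:space:]]*configurable: false[[:space:]]*$/ { sub(/false/, "true") }
    { print }
  ' "$1"
}

# Check before overwriting the original: prints the number of diff lines
# between $1 and $2 (one changed line shows up as 2, one "<" and one ">").
diff_line_count() {
  diff "$1" "$2" | grep -c '^[<>]' || true
}

# Step 3, scripted: the minimal properties document for the PUT. Only the
# property listed here is updated; properties absent from the payload stay
# unchanged in the tile.
build_clear_payload() {
  cat <<'EOF'
{
  "properties": {
    ".properties.syslog_selector.enabled.syslog_ca_cert": {
      "type": "ca_certificate",
      "configurable": true,
      "credential": false,
      "value": "",
      "optional": true
    }
  }
}
EOF
}

# Steps 2b and 4a: the Ops Manager API calls (not run by the self-check).
# -k mirrors the article; use --cacert with the Ops Manager CA when available.
get_staged_properties() {
  curl -k -sS "$OPSMAN_URL/api/v0/staged/products/$PRODUCT_GUID/properties" \
    -H "Authorization: Bearer $UAA_ACCESS_TOKEN" | jq .
}
put_staged_properties() {
  curl -k -sS "$OPSMAN_URL/api/v0/staged/products/$PRODUCT_GUID/properties" \
    -X PUT \
    -H "Authorization: Bearer $UAA_ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    -d "@$1"
}

# Self-check on a constructed two-property metadata fragment. Returns 0 when
# only the syslog_ca_cert block changed and the payload has an empty value.
self_check() {
  dir=$(mktemp -d)
  cat > "$dir/tile.yml" <<'EOF'
---
name: p-rabbitmq
product_version: CONSTRUCTED-EXAMPLE
property_blueprints:
  - name: example_other_property
    type: string
    configurable: false
  - name: syslog_ca_cert
    type: ca_certificate
    configurable: false
    optional: true
    freeze_on_deploy: false
    unique: false
EOF
  make_syslog_ca_cert_configurable "$dir/tile.yml" > "$dir/tile-edited.yml"
  changed=$(diff_line_count "$dir/tile.yml" "$dir/tile-edited.yml")
  still_false=$(grep -c 'configurable: false' "$dir/tile-edited.yml" || true)
  now_true=$(grep -c 'configurable: true' "$dir/tile-edited.yml" || true)
  build_clear_payload > "$dir/rabbit-config.json"
  empty_values=$(grep -c '"value": ""' "$dir/rabbit-config.json" || true)
  rm -rf "$dir"
  [ "$changed" = 2 ] && [ "$still_false" = 1 ] && [ "$now_true" = 1 ] && [ "$empty_values" = 1 ]
}
```

On the Ops Manager VM this would be used as make_syslog_ca_cert_configurable a2abf0514ad1.yml > /tmp/edited.yml, followed by diff_line_count a2abf0514ad1.yml /tmp/edited.yml (expect 2) before copying the edited file into place, then build_clear_payload > /tmp/rabbit-config.json and put_staged_properties /tmp/rabbit-config.json, which should print {} as in step 4.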