After a two-step upgrade from Ops Manager 2.5 to 2.7, Ops Manager started reporting the already-expired legacy
bosh_dns certificate authority (CA) certificates:
"/dns_api_tls_ca"
"/bosh_dns_health_tls_ca"
A banner in the Ops Manager UI warns about the certificate expiry. You can confirm this by reviewing the certificate expiry dates
through the Ops Manager API endpoint.
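One way to triage the output of that check, as an added example that is not from the original article or from Ops Manager itself: the script separates expired entries whose name ends in one of the two legacy bosh_dns CA names from any other expired certificate, which still needs attention. The JSON field names (`certificates`, `variable_path`, `valid_until`, `is_ca`) and the sample response are assumptions constructed for illustration; adjust them to what your Ops Manager API returns.

```python
import json
from datetime import datetime, timezone

# The two legacy bosh_dns CA names listed in this article.
LEGACY_CA_NAMES = ("/dns_api_tls_ca", "/bosh_dns_health_tls_ca")

# Constructed sample, NOT real Ops Manager output. Field names and paths
# are assumptions about the shape of the certificate-expiry response.
SAMPLE_RESPONSE = json.dumps({"certificates": [
    {"variable_path": "/p-bosh/cf-constructed01/dns_api_tls_ca",
     "is_ca": True, "valid_until": "2019-05-01T00:00:00Z"},
    {"variable_path": "/p-bosh/cf-constructed01/bosh_dns_health_tls_ca",
     "is_ca": True, "valid_until": "2019-05-01T00:00:00Z"},
    {"variable_path": "/p-bosh/mysql-constructed02/dns_api_tls_ca",
     "is_ca": True, "valid_until": "2019-05-01T00:00:00Z"},
    {"variable_path": "/opsmgr/constructed/router_cert",
     "is_ca": False, "valid_until": "2019-04-01T00:00:00Z"},
    {"variable_path": "/opsmgr/constructed/root_ca",
     "is_ca": True, "valid_until": "2030-01-01T00:00:00Z"},
]})
NOW = datetime(2020, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample


def triage_expired(response_text, now):
    """Return (legacy_bosh_dns_cas, other) lists of expired certificate names."""
    legacy, other = [], []
    for cert in json.loads(response_text).get("certificates", []):
        name = cert.get("variable_path") or "<unnamed>"
        until = cert.get("valid_until")
        if until is None:
            other.append(name)  # no expiry date: never ignore it silently
            continue
        expiry = datetime.fromisoformat(until.replace("Z", "+00:00"))
        if expiry > now:
            continue  # still valid
        # Match the whole last path segment, so "/x_dns_api_tls_ca" is not a hit.
        if cert.get("is_ca") and name.endswith(LEGACY_CA_NAMES):
            legacy.append(name)
        else:
            other.append(name)
    return sorted(legacy), sorted(other)


if __name__ == "__main__":
    legacy, other = triage_expired(SAMPLE_RESPONSE, NOW)
    print("Expired legacy bosh_dns CAs (per deployment):", *legacy, sep="\n  ")
    print("Other expired certificates (investigate):", *other, sep="\n  ")
```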
Cause
These certificates are no longer used by BOSH and were fully dropped in Ops Manager 2.6. Two factors cause this issue:
- Upgrading from Ops Manager 2.5 to version 2.6 and then immediately to version 2.7 does not give BOSH a chance to remove these certificates from all deployments.
- The Ops Manager API in version 2.7 reports much more detail and can now see the older CA certificates for each deployment.