Tanzu Operations Manager versions earlier than 2.7.30, 2.8.16, 2.9.18 and 2.10.9 did not configure the BOSH DNS certificates with a Subject Alternative Name (SAN) field. Golang 1.17 and higher requires this field on all certificates, so BOSH DNS fails if it is updated to a release built with Golang 1.17 or higher while the certificates have not been updated.
The steps provided here can be followed to verify that all of your BOSH-deployed VMs have been updated with BOSH DNS certificates that include the Subject Alternative Name field.
SSH to the Tanzu Operations Manager VM by following these SSH instructions.
Target and authenticate the uaac CLI by following these authentication instructions.
a. Create a script in your home directory by pasting the following:
cat <<"EOF" > ~/check_bosh_dns_san_migration
#!/bin/bash
set -eo pipefail

# bash pre-sets HOSTNAME to this VM's hostname; export a different value to
# point the Ops Manager API calls at another host.
HOSTNAME=${HOSTNAME:-localhost}

function delimiter() {
  color cyan "-------------------------------------------------------------"
}

function color() {
  NC='\033[0m'
  case $1 in
    cyan)   COLOR='\033[0;36m' ;;
    green)  COLOR='\033[0;32m' ;;
    red)    COLOR='\033[0;31m' ;;
    yellow) COLOR='\033[1;33m' ;;
    orange) COLOR='\033[0;33m' ;;
    *)      COLOR=$NC ;;
  esac
  echo -e "${COLOR}${2}${NC}"
}

# Call the Ops Manager API with the uaac token and keep only the response body.
function api_curl() {
  uaac curl -k "https://${HOSTNAME}${1}" | sed -e '1,/RESPONSE BODY:/ d'
}

function main() {
  DATA_JSON=$( api_curl /api/v0/staged/products || true )
  if [[ -z "$DATA_JSON" ]]; then
    color red "Please authenticate against your Ops Manager VM using uaac prior to running this script"
    exit 1
  fi

  # Fixed versions: 2.7.30, 2.8.16, 2.9.18, and 2.10.9
  declare -A MIN_PATCH=( ['2.7']=30 ['2.8']=16 ['2.9']=18 ['2.10']=9 )
  OM_VERSION=$( jq -r 'map(select(.installation_name == "p-bosh")) | map(.product_version) | first' <<< "$DATA_JSON" | cut -f1 -d- )
  OM_MAJOR=$( cut -f1 -d. <<< "${OM_VERSION}" )
  OM_MINOR=$( cut -f2 -d. <<< "${OM_VERSION}" )
  OM_PATCH=$( cut -f3 -d. <<< "${OM_VERSION}" )
  # A major.minor not in the table is newer than the fixed releases, so it needs no minimum patch.
  if [[ ${OM_PATCH} -lt ${MIN_PATCH[${OM_MAJOR}.${OM_MINOR}]:-0} ]]; then
    echo -e "BOSH DNS SAN certificate migration is not available in the staged version of Ops Manager: $(color red "${OM_VERSION}")"
    echo -e "You need to update to the following Ops Manager version (or higher): $(color red "${OM_MAJOR}.${OM_MINOR}.${MIN_PATCH[${OM_MAJOR}.${OM_MINOR}]}")"
    exit 1
  fi
  color green "BOSH DNS SAN certificate migration is supported in the staged version of Ops Manager: ${OM_VERSION}"

  # Get the deployed certificate records from Ops Manager
  CERTS=$( api_curl /api/v0/deployed/certificates | jq -r '.certificates' )
  DEPLOYMENTS=$( jq -r 'map(select(.location == "credhub")) | map(.product_guid) | join("\n")' <<< "$CERTS" | sort -u )
  DEPLOYMENTS_WITH_SAN_MIGRATED=$( jq -r 'map(select(.variable_path == "/opsmgr/bosh_dns/san_migrated")) | map(.product_guid) | join("\n")' <<< "$CERTS" | sort -u )
  # Deployments that have credhub certificates but no SAN migration marker
  DEPLOYMENTS_THAT_NEED_DEPLOYMENT=$( comm -23 <(echo "$DEPLOYMENTS") <(echo "$DEPLOYMENTS_WITH_SAN_MIGRATED") )

  if [[ -n "$DEPLOYMENTS_THAT_NEED_DEPLOYMENT" ]]; then
    color red "The following deployments have not been migrated to have BOSH DNS certificates with SAN:"
    color red "$DEPLOYMENTS_THAT_NEED_DEPLOYMENT"
    echo ""
    color red "Redeploy these tiles and/or service instances to complete the migration."
    exit 1
  fi
  delimiter

  LIST_SUCCESS=""
  LIST_ERROR=""
  # Check every deployment that has credhub-managed certificates (tiles and service
  # instances alike). Multiple copies of one of the BOSH DNS certificates (other than
  # the SAN migration marker) can indicate an unsuccessful deploy, where some VMs have
  # been migrated but others have not.
  for S in $DEPLOYMENTS; do
    echo -e "Checking Deployment: $(color green "$S")"
    CERT_DATA=$( jq --arg guid "$S" 'map(select(.variable_path == "/bosh_dns_health_server_tls" and .product_guid == $guid))' <<< "$CERTS" )
    # Exactly one copy of the health server certificate is expected per deployment
    CERT_COUNT=$( jq 'length' <<< "$CERT_DATA" )
    if [[ $CERT_COUNT -eq 1 ]]; then
      LIST_SUCCESS="${LIST_SUCCESS}\n${S}: passed checks"
    else
      LIST_ERROR="${LIST_ERROR}\n${S}: has ${CERT_COUNT} copies of the BOSH DNS certificates (expected exactly one). This can indicate that a deploy only partially succeeded. You will need to redeploy."
    fi
  done

  delimiter
  delimiter
  echo -e "SUMMARY
  SUCCESS:$(color green "$LIST_SUCCESS")
  ERROR:$(color red "$LIST_ERROR")
  "
  delimiter
  if [[ -z "$LIST_ERROR" ]]; then
    color green "SUCCESS. The BOSH DNS SAN migration is already applied."
  else
    color red "ERROR. One or more deployments have not received the BOSH DNS SAN migration. Please check the errors above."
    exit 1
  fi
  delimiter
}

main
EOF
chmod +x ~/check_bosh_dns_san_migration
b. Run the script ~/check_bosh_dns_san_migration
If any deployments are listed under the "ERROR:" section of the output, those deployments will need to be redeployed to receive the correct BOSH DNS certificates.