Configuring SAN certificates for vRA instances where the IaaS server domain names differ from the load balancer domain
Article ID: 301231
Updated On:
Products
VMware Aria Suite
Issue/Introduction
In some configurations the domain portion of the IaaS server's individual FQDNs differ from the load balancing FQDN. In such case, when generating the certificate for the web server role, the certificate should contain both the load balancing FQDN and the server's FQDNs as Subject Alternative Names.
On some occasions, a SAN certificate cannot be generated and a wildcard certificate representing only the domain of the load balancing FQDN must be used.
For Example:
vRealize Automation Appliance FQDN: appliance01.external.domain.com
vRealize Automation Appliance LB FQDN: vra.external.domain.com
vRealize Automation Web Server FQDN: web01.internal.domain.com
vRealize Automation Web Server LB FQDN: web.external.domain.com
Certificate Subject CN: *.external.domain.com
For Example:
vRealize Automation Appliance FQDN: appliance01.external.domain.com
vRealize Automation Appliance LB FQDN: vra.external.domain.com
vRealize Automation Web Server FQDN: web01.internal.domain.com
vRealize Automation Web Server LB FQDN: web.external.domain.com
Certificate Subject CN: *.external.domain.com
Environment
VMware vRealize Automation 7.x
Cause
The certificate used for Web Server load balancing should contain FQDNs of all the web servers present in the configuration as described. For more information, refer to Certificate Trust Requirements in a Distributed Deployment section of product documentation for VMware vRealize Automation 7.x
Resolution
This issue can be resolved by changing the Primary DNS Suffix of each Web server while preserving domain membership. While the proposed solution is assuming there is Microsoft Active Directory in use, it may successfully be applied against other LDAP solutions. For more information consult the documentation of your LDAP solution.
To resolve this issue:
- Create DNS entries for each web server in the DNS zone responsible for the domain for which the certificate was issued
For example: web01.external.domain.com - If vRA Management Agents are installed on the web server machines, uninstall each one of them.
- Edit the msDS-AllowedDNSSuffixes attribute in the domain object container in Active Directory so that it includes the domain the load balancing FQDN belongs to. For example: external.domain.com.
For more information, see the Microsoft TechNet article Configure the Primary DNS Suffix for a client Computer.
- Change the DNS suffix search list to include the domain the load balancing FQDN belongs to. For example: external.domain.com.
For more information, see the Microsoft TechNet article Create a Disjoint Namespace .
- Change the default DNS Suffix of each Web server machine. For example: web01.external.domain.com
For more information, see the Microsoft TechNet article Configure the Primary DNS Suffix for a Client Computer.
- Install vRA Management Agent on each web server.
- Confirm that the new Management Agent installations report to vRA appliances with updated FQDNs by either going to VAMI > Cluster or to the Installation Prerequisites page on the Installation Wizard.
- Import the certificate for the Web role.
Additional Information
Feedback
Yes
No
Powered by
