Configuring SAN certificates for vRA instances where the IaaS server domain names differ from the load balancer domain
Article ID: 301231
Products
VMware Aria Suite
Issue/Introduction
In some configurations the domain portion of the IaaS servers' individual FQDNs differs from the domain of the load balancer FQDN. In that case the certificate generated for the Web Server role must carry both the load balancer FQDN and every server's own FQDN as Subject Alternative Names (SANs), because the vRA appliance and the other IaaS components connect to the individual servers by those names and validate the name the server presents.
In some environments such a SAN certificate cannot be obtained, and a wildcard certificate covering only the domain of the load balancer FQDN must be used. A wildcard such as *.external.domain.com matches a single label directly under external.domain.com, so it does not cover a server whose FQDN lives under internal.domain.com.
For example:
vRealize Automation Appliance FQDN: appliance01.external.domain.com
vRealize Automation Appliance LB FQDN: vra.external.domain.com
vRealize Automation Web Server FQDN: web01.internal.domain.com
vRealize Automation Web Server LB FQDN: web.external.domain.com
Certificate Subject CN: *.external.domain.com
Environment
VMware vRealize Automation 7.x
Cause
The certificate used for Web Server load balancing must contain the FQDNs of all web servers present in the configuration. A wildcard certificate issued for the load balancer's domain only does not cover web servers whose FQDNs belong to a different domain, so those servers are not trusted by name. For more information, refer to the Certificate Trust Requirements in a Distributed Deployment section of the VMware vRealize Automation 7.x product documentation.
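The following PowerShell is an added check written for this article (it is not part of the KB or of the product). It implements the hostname matching rule a TLS client applies to a certificate's CN/SAN names, including the single-label wildcard rule, and reports which of the required FQDNs a given certificate leaves uncovered. The FQDNs are the ones from the example above; a second web server, web02, and the two-server layout are assumptions.

```powershell
# Added example, not from the KB. Implements the hostname matching rule (RFC 6125 6.4.3):
# a wildcard covers exactly one leftmost label, so *.external.domain.com matches
# web01.external.domain.com but neither web01.internal.domain.com nor a.b.external.domain.com.
function Test-CertNameMatch {
    param([string]$CertName, [string]$HostName)
    $cert = $CertName.ToLowerInvariant()
    $hn   = $HostName.ToLowerInvariant()
    if (-not $cert.StartsWith('*.')) { return $cert -eq $hn }
    $suffix = $cert.Substring(1)                           # ".external.domain.com"
    if (-not $hn.EndsWith($suffix)) { return $false }
    $leftmost = $hn.Substring(0, $hn.Length - $suffix.Length)
    return ($leftmost.Length -gt 0) -and (-not $leftmost.Contains('.'))
}

# Returns the required names that none of the certificate's CN/SAN entries cover.
function Get-UncoveredHostName {
    param([string[]]$CertNames, [string[]]$RequiredHostNames)
    foreach ($required in $RequiredHostNames) {
        $covered = $false
        foreach ($certName in $CertNames) {
            if (Test-CertNameMatch -CertName $certName -HostName $required) { $covered = $true; break }
        }
        if (-not $covered) { $required }
    }
}

# Names from the KB example; web02 and the two-server layout are assumptions.
$wildcardOnly = @('*.external.domain.com')
$before = @('vra.external.domain.com', 'web.external.domain.com',
            'web01.internal.domain.com', 'web02.internal.domain.com')
$after  = @('vra.external.domain.com', 'web.external.domain.com',
            'web01.external.domain.com', 'web02.external.domain.com')

Write-Host 'Uncovered before the DNS suffix change:'
Get-UncoveredHostName -CertNames $wildcardOnly -RequiredHostNames $before
Write-Host 'Uncovered after the DNS suffix change:'
Get-UncoveredHostName -CertNames $wildcardOnly -RequiredHostNames $after
```

For the "before" list the script reports web01.internal.domain.com and web02.internal.domain.com as uncovered; for the "after" list, where the web servers have been moved under the load balancer's domain as described in the Resolution, it reports nothing. The same functions can be fed the DNS Name entries read from the real certificate to pre-check a deployment before the certificate is installed.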
Resolution
This issue can be resolved by changing the Primary DNS Suffix of each Web server to the load balancer's domain while preserving the server's domain membership, so that each server's FQDN falls under the domain the wildcard certificate covers. The procedure below assumes Microsoft Active Directory is in use; it may be adaptable to other directory services, in which case consult the documentation of that product.
To resolve this issue:
1. Create a DNS entry for each web server in the DNS zone of the domain for which the certificate was issued, pointing to the server's existing address. For example: web01.external.domain.com.
2. If vRA Management Agents are installed on the web server machines, uninstall each of them.
3. Edit the msDS-AllowedDNSSuffixes attribute on the domain object in Active Directory (the root of the domain naming context, for example DC=internal,DC=domain,DC=com) so that it includes the domain the load balancing FQDN belongs to. For example: external.domain.com. Without this entry the domain controller rejects the computer's attempt to register a dNSHostName under the new suffix.
4. On each web server, change the Primary DNS Suffix to that domain without leaving the Active Directory domain (System Properties > Computer Name > Change > More, clear "Change primary DNS suffix when domain membership changes" and enter the new suffix), then reboot the server.
5. Reinstall the vRA Management Agent on each web server so that it registers with its new FQDN.
6. Confirm that the new Management Agent installations report to the vRA appliances with the updated FQDNs, either under VAMI > Cluster or on the Installation Prerequisites page of the Installation Wizard.
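The following PowerShell is an added, end-to-end example of the procedure above written for this article; it is not code from the KB or from VMware. It assumes an Active Directory environment with the RSAT ActiveDirectory and DnsServer modules on the administrator's workstation, the external.domain.com zone hosted on a Windows DNS server (dns01.internal.domain.com is a placeholder), two web servers web01 and web02 with placeholder addresses, and a domain administrator session. The Management Agent uninstall and reinstall steps are left to the product installer.

```powershell
# Added example, not from the KB. Moves web servers from internal.domain.com to the
# load balancer's domain (external.domain.com, the one the wildcard certificate covers)
# without leaving the Active Directory domain. Assumptions: RSAT ActiveDirectory and
# DnsServer modules on the admin workstation, the external.domain.com zone on a Windows
# DNS server, and placeholder server names/addresses; run as a domain admin.
$lbSuffix   = 'external.domain.com'
$dnsServer  = 'dns01.internal.domain.com'                          # assumed DNS server hosting the zone
$webServers = @{ 'web01' = '10.0.0.11'; 'web02' = '10.0.0.12' }    # placeholder addresses

# Step 1 (admin workstation): A records under the zone the certificate was issued for.
function Add-WebServerDnsRecord {
    param([hashtable]$Servers, [string]$Zone, [string]$DnsServer)
    foreach ($name in $Servers.Keys) {
        $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A `
                        -ComputerName $DnsServer -ErrorAction SilentlyContinue
        if (-not $existing) {
            Add-DnsServerResourceRecordA -ZoneName $Zone -Name $name `
                -IPv4Address $Servers[$name] -ComputerName $DnsServer
        }
    }
}

# Step 3 (admin workstation): let domain members register a dNSHostName under the LB suffix.
# The attribute lives on the domain's root object; without it the DC rejects the new name.
function Grant-AllowedDnsSuffix {
    param([string]$Suffix)
    $domainDn = (Get-ADDomain).DistinguishedName
    $current  = (Get-ADObject -Identity $domainDn -Properties 'msDS-AllowedDNSSuffixes').'msDS-AllowedDNSSuffixes'
    if ($current -notcontains $Suffix) {
        Set-ADObject -Identity $domainDn -Add @{ 'msDS-AllowedDNSSuffixes' = $Suffix }
    }
}

# Step 4 (on each web server, after the Management Agent is uninstalled): set the primary
# DNS suffix in the registry and decouple it from domain membership, then reboot. This is
# the registry form of System Properties > Computer Name > Change > More.
function Set-PrimaryDnsSuffix {
    param([string]$Suffix)
    $tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    Set-ItemProperty -Path $tcpip -Name 'SyncDomainWithMembership' -Value 0 -Type DWord
    Set-ItemProperty -Path $tcpip -Name 'NV Domain' -Value $Suffix
    Set-ItemProperty -Path $tcpip -Name 'Domain'    -Value $Suffix
    Restart-Computer -Force
}

# Step 6 (admin workstation, after the reboot and before reinstalling the agents): verify that
# each computer object now carries the new dNSHostName and that the new name resolves.
function Test-WebServerSuffix {
    param([hashtable]$Servers, [string]$Suffix)
    foreach ($name in $Servers.Keys) {
        $expected = "$name.$Suffix"
        $actual   = (Get-ADComputer -Identity $name -Properties dNSHostName).dNSHostName
        $resolves = [bool](Resolve-DnsName -Name $expected -Type A -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Server = $name; dNSHostName = $actual; Ok = ($actual -eq $expected -and $resolves) }
    }
}

Add-WebServerDnsRecord -Servers $webServers -Zone $lbSuffix -DnsServer $dnsServer
Grant-AllowedDnsSuffix -Suffix $lbSuffix
# Set-PrimaryDnsSuffix -Suffix $lbSuffix      # run this one locally on each web server, then reboot
Test-WebServerSuffix -Servers $webServers -Suffix $lbSuffix
```

Run the first two functions and the final check from the administrator's workstation, and Set-PrimaryDnsSuffix on each web server between them. Test-WebServerSuffix returns one object per server with Ok set to true only when the computer object's dNSHostName equals the expected name under the load balancer's domain and that name resolves in DNS; only then should the Management Agents be reinstalled and the VAMI > Cluster page checked.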