Remediate TLSProfiles Set API failures on VCHA Cluster
Article ID: 311874

Products

VMware vCenter Server 8.0

Issue/Introduction

The vCenter Server TLS Profiles update operation has special requirements on VCHA-enabled setups. This article describes the errors that can occur when applying TLS profiles through the API in a VCHA environment and how to remediate them. The errors fall into the following scenarios:

  • Scenario 1:

    TLSProfiles Set API returns the error - TLS refresh is not allowed on unhealthy cluster

  • Scenario 2:

    TLSProfiles Set API returns the error - Updating TLS profile is allowed only when the cluster is running in maintenance/disabled mode

  • Scenario 3:

    TLSProfiles Set API works fine and generates a vim task. However, the task fails with the following error:

    TLS Profile refresh failed for vcha; Reason: <Exception Error Message>.
    Please refer /var/log/vmware/vcha/updateTLSProfiles.log for further details.

Environment

vCenter Server 8.0 U3

Resolution

Follow the recommendations below, based on the error message:

  • Scenario 1:

    "TLS refresh is not allowed on unhealthy cluster"

    This error indicates that the VCHA cluster is in an unhealthy state. Debug the VCHA cluster to find the reason for that state.

    • If a node has been lost, connect to that node using SSH or the VM console and restore connectivity so that the 3-node cluster forms again.
    • If there is a problem with VCHA replication, first try to fix it to restore health; otherwise, change the cluster mode to 'disabled' to bring the cluster to a state where replication is stopped.

    Once the cluster is healthy, invoke the TLS Profile update again.

  • Scenario 2:

    "Updating TLS profile is allowed only when the cluster is running in maintenance/disabled mode"

    This indicates that you are invoking the API on a cluster that is currently healthy and in enabled mode, which means automatic failover is possible. Automatic failover is not desirable while performing appliance-wide changes such as TLS profile updates, so "Edit" the cluster mode to maintenance or disabled mode to stop automatic failover.

    Steps can be found in "Edit the vCenter HA Cluster Configuration".

  • Scenario 3:

    TLSProfiles Set API works fine and generates a vim task. However, the task fails with this error:

    "TLS Profile refresh failed for vcha; Reason: <Exception error message>.
    Please refer /var/log/vmware/vcha/updateTlsProfiles.log for further details"

    The "Reason" segment of this message should help you understand the error. Refer to /var/log/vmware/vcha/updateTlsProfiles.log for the full error details.

    This failure typically happens for one of these reasons:
    • The VCHA service restart on one or more nodes failed. Verify that the nodes are reachable and restart them manually if required.
    • The restart succeeded, but the VCHA cluster did not form again afterwards. It typically takes a while for the VCHA nodes to reconnect after a restart; wait for them to settle and watch the progress in the VCHA UI before taking further steps.
    • If necessary, retry the operation by invoking this command directly on the VCSA from an SSH session:

      /usr/lib/vmware-vcha/scripts/updateTLSProfiles.py vcha
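
The three scenarios above amount to a pre-flight gate (cluster must be healthy, and in maintenance or disabled mode) followed by a task whose failure message carries a "Reason" segment. The script below is an added example, not VMware's code, that automates that flow against the vSphere Automation REST API: it reads the VCHA cluster state, refuses to proceed on an unhealthy cluster (Scenario 1), switches a healthy enabled cluster to MAINTENANCE first (Scenario 2), then submits the TLS profile update and, if the task fails, pulls out the Reason segment (Scenario 3). The endpoint paths (`/api/session`, `/api/vcenter/vcha/cluster?action=get`, `/api/vcenter/vcha/cluster/mode`, `/api/appliance/tls/profiles/global`, `/api/cis/tasks/{id}`), the `health_state`/`mode` field names and the task error layout are assumptions taken from the Automation API reference as I understand it and should be checked against the reference for your vCenter build; `VcClient`, `classify_cluster`, `extract_reason` and `update_tls_profile` are names I chose.

```python
"""Gate and drive a vCenter TLS profile update on a VCHA cluster (added example)."""
import json
import re
import ssl
import time
import urllib.request
from base64 import b64encode

# Cluster modes in which the TLSProfiles Set API is accepted, per the article.
SAFE_MODES = {"MAINTENANCE", "DISABLED"}
# Captures the text between "Reason:" and the trailing "Please refer ..." sentence.
REASON_RE = re.compile(r"Reason:\s*(.*?)\.?\s*(?:Please refer|$)", re.S)


def classify_cluster(info):
    """Map a VCHA ClusterInfo dict (assumed keys health_state, mode) to the article's scenario.

    Returns (ok, scenario, advice); ok=True means the Set API may be invoked now.
    """
    health = info.get("health_state")
    mode = info.get("mode")
    if health != "HEALTHY":
        return (False, 1, "cluster unhealthy (%s): restore node connectivity or "
                          "replication, or set mode DISABLED, then retry" % health)
    if mode not in SAFE_MODES:
        return (False, 2, "cluster healthy but mode is %s: set mode to MAINTENANCE "
                          "or DISABLED to stop automatic failover first" % mode)
    return (True, None, "cluster healthy and in %s mode: proceed" % mode)


def extract_reason(message):
    """Return the 'Reason' segment of a Scenario 3 task error, or None if absent."""
    m = REASON_RE.search(message or "")
    return m.group(1).strip() if m else None


class VcClient:
    """Minimal stdlib client for the vSphere Automation REST API (assumed paths)."""

    def __init__(self, host, user, password, verify_tls=True):
        self.base = "https://%s" % host
        self.token = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # only for lab appliances still on self-signed certificates
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        cred = b64encode(("%s:%s" % (user, password)).encode()).decode()
        self.token = self.call("POST", "/api/session",
                               headers={"Authorization": "Basic " + cred})

    def call(self, method, path, body=None, headers=None):
        hdrs = {"Content-Type": "application/json"}
        hdrs.update(headers or {})
        if self.token:
            hdrs["vmware-api-session-id"] = self.token
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=hdrs)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else None

    def wait_task(self, task_id, timeout=900):
        """Poll the cis task until it is no longer pending/running, then return its info."""
        deadline = time.time() + timeout
        while time.time() < deadline:
            info = self.call("GET", "/api/cis/tasks/%s" % task_id)
            if info["status"] not in ("PENDING", "RUNNING", "BLOCKED"):
                return info
            time.sleep(10)
        raise TimeoutError("task %s still running after %ss" % (task_id, timeout))


def update_tls_profile(client, profile):
    """Scenario 1/2 gate, then the Set API call, then Scenario 3 error handling."""
    info = client.call("POST", "/api/vcenter/vcha/cluster?action=get")
    ok, scenario, advice = classify_cluster(info)
    if scenario == 1:
        raise RuntimeError("Scenario 1: " + advice)
    if scenario == 2:
        # Stop automatic failover before an appliance-wide change (MAINTENANCE or DISABLED both qualify).
        task = client.call("POST", "/api/vcenter/vcha/cluster/mode?vmw-task=true",
                           {"mode": "MAINTENANCE"})
        client.wait_task(task)
    task = client.call("PUT", "/api/appliance/tls/profiles/global?vmw-task=true",
                       {"profile": profile})
    result = client.wait_task(task)
    if result["status"] != "SUCCEEDED":
        # Assumed error layout: error.messages[].default_message; full details stay in the vcha log.
        msgs = [m.get("default_message", "")
                for m in (result.get("error") or {}).get("messages", [])]
        reasons = [r for r in map(extract_reason, msgs) if r]
        raise RuntimeError("Scenario 3: %s (see /var/log/vmware/vcha/updateTlsProfiles.log)"
                           % ("; ".join(reasons) or "; ".join(msgs) or "no message"))
    return result


if __name__ == "__main__":  # usage: edit host/credentials/profile for your appliance
    vc = VcClient("vcsa.example.invalid", "administrator@vsphere.local", "REPLACE_ME")
    print(update_tls_profile(vc, "COMPATIBLE")["status"])
```

`classify_cluster` is deliberately separated from the HTTP calls so the gating rules can be exercised against a captured ClusterInfo (for example from `vcha cluster get` output) before anything is changed on the appliance; the mode switch and the profile update both run as `vmw-task` operations and are polled through the same `wait_task` loop.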