The pre-step is a safety net so that the changes made on the vCenter Server during a certificate management operation are safely replicated to the Passive node of the VCHA cluster.
Certificate upgrade is a heavy operation that updates the VECS database, several services, and local files on the VCSA. All of these changes are replicated asynchronously to the Passive node. The risk is that one of the vCenter services goes down during this process and an automatic failover lands the user on a Passive node that holds only partially replicated (half-baked) state. The goal is therefore to keep replication running while disabling automatic failover.
To resolve the issue, please follow the steps below:
Ensure the VCHA cluster is healthy before performing the NDC operation. This ensures smooth replication to the Passive node during the certificate upgrade.
Use VCHA "Maintenance Mode" to avoid automatic failover while replication between the Active and Passive nodes continues.
In this mode, users can still choose to perform a manual failover at any time.
Please find below the list of steps that need to be executed after performing the "Machine SSL cert update and Trusted Roots Certificate updates":
On the Active node, back up server.crt and server.key in /storage/db/vpostgres_ssl
Execute this command: python /opt/vmware/vpostgres/current/share/python-modules/vpostgres/gencert.py --genAPIDbCert
Execute this command: psql -Upostgres -q -w -c "select pg_reload_conf();"
Copy /storage/db/vpostgres_ssl/server.crt and /storage/db/vpostgres_ssl/server.key to the same locations on the Passive node
On the Passive node, execute this command: psql -Upostgres -q -w -c "select pg_reload_conf();"
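The five steps above, wrapped into one script as an added example (this is not part of the KB article and not VMware's own tooling): it backs up the vPostgres SSL files into a timestamped directory before regenerating them, reloads the Active node's PostgreSQL configuration, copies the new files to the Passive node, and verifies with SHA-256 digests that the Passive node holds the same files before reloading it, so a failover cannot land on a node with a stale or mismatched database certificate. The Passive node name (PASSIVE_NODE), root SSH/SCP access to it, and the availability of sha256sum are assumptions not stated in the article; the paths and commands are the ones the article gives.

```shell
#!/bin/sh
# Added example, not from the KB. Assumptions (not in the article): the Passive
# node is reachable as root over SSH under the name in PASSIVE_NODE, and
# sha256sum, ssh and scp are available on both nodes.

PG_SSL_DIR="${PG_SSL_DIR:-/storage/db/vpostgres_ssl}"
PASSIVE_NODE="${PASSIVE_NODE:-passive-node.example.invalid}"   # placeholder, set before use
GENCERT="/opt/vmware/vpostgres/current/share/python-modules/vpostgres/gencert.py"

# Copy server.crt and server.key from $1 into a timestamped backup directory
# under $2 and print that directory's path. Fails if either file is missing,
# so the regeneration step is never reached without a backup.
backup_pg_ssl() {
    src="$1"; dest_root="$2"
    for f in server.crt server.key; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    dest="$dest_root/vpostgres_ssl.bak.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$dest" || return 1
    cp -p "$src/server.crt" "$src/server.key" "$dest/" || return 1
    chmod 600 "$dest/server.key"
    echo "$dest"
}

# Return 0 only if the two local files have the same SHA-256 digest.
same_digest() {
    a=$(sha256sum "$1" | cut -d' ' -f1)
    b=$(sha256sum "$2" | cut -d' ' -f1)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# SHA-256 digest of a file on the Passive node, fetched over SSH.
remote_digest() {
    ssh "root@$PASSIVE_NODE" "sha256sum '$1'" | cut -d' ' -f1
}

# The procedure from the article, with verification between the copy and the
# Passive-node reload. Only runs when VCHA_CERT_SYNC=1 is set in the environment.
run_procedure() {
    bak=$(backup_pg_ssl "$PG_SSL_DIR" /storage/db) || return 1
    echo "backup written to $bak"
    python "$GENCERT" --genAPIDbCert || return 1
    psql -U postgres -q -w -c "select pg_reload_conf();" || return 1
    for f in server.crt server.key; do
        scp -p "$PG_SSL_DIR/$f" "root@$PASSIVE_NODE:$PG_SSL_DIR/$f" || return 1
        local_d=$(sha256sum "$PG_SSL_DIR/$f" | cut -d' ' -f1)
        remote_d=$(remote_digest "$PG_SSL_DIR/$f")
        [ -n "$local_d" ] && [ "$local_d" = "$remote_d" ] || {
            echo "digest mismatch for $f on $PASSIVE_NODE; not reloading Passive node" >&2
            return 1
        }
    done
    ssh "root@$PASSIVE_NODE" 'psql -U postgres -q -w -c "select pg_reload_conf();"'
}

if [ "${VCHA_CERT_SYNC:-0}" = "1" ]; then
    run_procedure
fi
```

Run it on the Active node as `VCHA_CERT_SYNC=1 PASSIVE_NODE=<passive-node-name> sh vcha_pg_cert_sync.sh` once the VCHA cluster is in Maintenance Mode; the digest check is the part worth keeping even if the rest is done by hand, since a silently truncated copy of server.key would otherwise surface only after a failover.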