VMware Cloud Foundation certificate validation precheck fails with an error message "Certificate validation is NOT enabled".
Article ID: 313328
Updated On:
Products
VMware Cloud Foundation
Issue/Introduction
UI precheck failure in task VMware Cloud Foundation certificate validation after a complete upgrade to release 4.4 or above in a brownfield Environment. Precheck fails with the error message "Certificate validation is NOT enabled".
Environment
VMware Cloud Foundation 4.4
Cause
When out-of-band upgrade is performed, such as, OOB upgrade to a Non BOM compliant version and/or inventory hasn't been updated post successful upgrade. In this case the flag might not be set by the LCM workflow since the upgrade was done out of LCM.
Resolution
Please follow the below mentioned steps:
- Check the below for the components for which OOB upgrade was done and update the flag. (Please take backup of sddc manager before doing the update)
- Check Whether the keys are there in known_hosts file(
/etc/vmware/vcf/commonsvcs/known_hosts,/home/vcf/.ssh/known_hosts). If not, please refer to Broadcom article How to update the SSH host keys on the SDDC Manager to add the keys using the fixHostkeys.py script. - Check whether the root CA is present in the truststore. If not please refer to Broadcom article How to add/delete Custom CA Certificates to SDDC Manager and Common Services trust stores to add it.
- Check whether the certificate for the resource has hostname matching CN or SAN.
- After completing the above steps, update the flag to true using the API from SDDC Manager. SDDC Manager UI > Developer Center > API Explorer
- Check Whether the keys are there in known_hosts file(
curl -X POST -H "Content-Type: application/json" -d '{"fipsMode":false,"certificateValidationEnabled":true}' http://localhost/appliancemanager/securitySettings
Feedback
Yes
No
Powered by
