TCA – Regenerate the Self-Signed Certificates on ESXi Hosts as required by Cloudbuilder 4.2
Article ID: 314244
Products
VMware Telco Cloud Automation
Issue/Introduction
Provide a method to regenerate self-signed certificates on all ESXi hosts.
Symptoms: Domain deployment using TCA 1.9 will fail at the sub-task “Create New Local ESXi User”. As of TCA 1.9, all self-signed certificates need to be recreated before provisioning domains via Automated Infrastructure, due to a change in behavior of VMware Cloudbuilder 4.2, which is used by TCA 1.9.
Environment
VMware Telco Cloud Automation 1.9
Cause
A change in behavior in VMware Cloudbuilder 4.2, which is used by TCA 1.9: after the ESXi hosts' identity has been configured by providing a hostname, Cloudbuilder 4.2 requires the user to regenerate the self-signed certificate so that the certificate carries the correct common name.
Resolution
The following steps can be followed to regenerate the self-signed certificates on the ESXi hosts used to provision domains via TCA Automated Infrastructure.
The original procedure is documented in the VMware Cloud Foundation Deployment Guide. After installing ESXi and configuring the ESXi hosts' identity by providing a hostname, you must regenerate the self-signed certificate to ensure the correct common name is defined.
During the installation of ESXi, the installer generates a self-signed certificate for each ESXi host, but this happens before the ESXi identity is configured. As a result, every ESXi host has a self-signed certificate whose common name is localhost.localdomain. All communication between VMware Cloud Builder and the ESXi hosts is performed securely over HTTPS, so Cloud Builder validates the host's identity when making a connection by comparing the common name of the certificate against the FQDN provided in the VMware Cloud Builder configuration file.
To ensure that connection attempts and certificate validation do not fail, you must manually regenerate the self-signed certificate after the hostname has been configured.
Note: VMware Cloud Foundation supports the use of signed certificates. If your organization's security policy mandates that all ESXi hosts must be configured with a CA-signed certificate, see Configure ESXi Hosts with Signed Certificates.
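The check below is an added example, not part of this KB article or any VMware tool: it extracts the common name from an ESXi host certificate with openssl and compares it against the FQDN you intend to put in the Cloud Builder configuration file, so a host still presenting localhost.localdomain is caught before the domain deployment fails. To run offline it builds two constructed throw-away self-signed certificates; the host name esxi01.example.com, the fetch_host_cert helper and the demo directory are assumptions for the example only.

```shell
#!/bin/sh
# Added example (not from the VMware KB): verify that an ESXi host certificate's
# Common Name matches the FQDN that will be listed in the Cloud Builder config.

# Print the CN of a PEM certificate file. RFC2253 formatting gives
# "subject=CN=host" with no spaces, so a single sed pattern is enough.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Save the certificate a host presents on TCP/443 to a PEM file.
# Hypothetical helper for live use; it needs network access to the ESXi host.
fetch_host_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# Compare a certificate's CN with the expected FQDN. Returns 0 on a match,
# 1 on a mismatch, so the function can gate a Cloud Builder run.
check_cn() {
    cert="$1"; expected="$2"
    actual=$(cert_cn "$cert")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $expected: certificate CN matches"
        return 0
    fi
    echo "FAIL $expected: certificate CN is '$actual' (run /sbin/generate-certificates on the host)"
    return 1
}

# Constructed demo material: one cert with the post-install CN
# localhost.localdomain and one with the correct (assumed) hostname.
DEMO_DIR=$(mktemp -d)
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$DEMO_DIR/$1.key" -out "$DEMO_DIR/$1.pem" 2>/dev/null
}
make_demo_cert localhost.localdomain
make_demo_cert esxi01.example.com

# The first check is expected to FAIL, the second to pass; "|| :" keeps the
# demo going so both results are printed.
for cn in localhost.localdomain esxi01.example.com; do
    check_cn "$DEMO_DIR/$cn.pem" esxi01.example.com || :
done
```

In a real environment you would replace the demo certificates with `fetch_host_cert esxi01.example.com /tmp/esxi01.pem` for each host in the Cloud Builder configuration file and run `check_cn` on the result; any FAIL line identifies a host whose certificate must be regenerated before the TCA domain deployment is started.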
Procedure
Log in to the ESXi host using an SSH client such as PuTTY.
Regenerate the self-signed certificate by executing the following command:
/sbin/generate-certificates
Restart the hostd and vpxa services by executing the following command: