SDDC Manager precheck fails on vRLI Status or vRLI security check

Article ID: 314625

Updated On: 03-17-2025

Products

VMware Cloud Foundation VMware Aria Suite

Issue/Introduction

  • During upgrade of vRLI from SDDC Manager, the following error(s) may be seen:
    Description: Checks vRealize Log Insight health status
    Start Time: <DATE>
    End Time: <DATE>
    Health Status: Red
    Impact: High. An unexpected exception occurred during the precheck
    Remediation: Please review the vRealize Suite Lifecycle Manager logs for more details

     

  • During vRLI certificate replacement, the following error is seen:
    Description: Checks if the SDDC Manager has a secure connection to vRLI
    Start Time: <DATE>
    End Time: <DATE>
    Health Status: Red
    Error Description: The provided hostname <FQDN> is invalid or the SSL certificate for <FQDN> is not trusted. Pease ensure that resource has a valid certificate and the hostname matches the CN name or is specified in the SAN field.
    Impact: High. All managed resources must have valid certificates and be trusted by the SDDC Manager
    Remediation: Ensure that the resource has a valid certificate with either SAN or CN matching hostname and is issued by an entity trusted by the SDDC Manager

     

  • vRSLCM displays "Health check for product vRLI" in failed state with Error Code: UNKNOWN_LCM_ERROR 

Environment

VMware Cloud Foundation 4.x
vRealize Log Insight 8.x
vRealize Lifecycle Manager 8.x
Aria Operations for Logs 8.x
Aria Suite Lifecycle 8.x

Cause

  • The vRLI status error can be caused by an expired vRLI certificate. To check whether the certificate has expired, run the following command:
    /usr/lib/loginsight/application/lib/apache-cassandra-*/bin/cqlsh -u user -p password --cqlshrc=/storage/core/loginsight/cidata/cassandra/config/cqlshrc


    Error message if certificate is expired:

    Connection Error: ('Unable to connect to any servers', {'127.0.0.1': PermissionError(1, "Tried connecting to [(127.0.0.1', 9042)]. Last error: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1076)")})

 

  • If the expired certificate was replaced with a self-signed vRLI certificate, the precheck will show the vRLI security check error. Verify whether the vRSLCM Locker shows the same vRLI certificate fingerprint as the output of this command (stdin is redirected from /dev/null so that s_client exits after the handshake instead of waiting for input):
    openssl s_client -connect <vRLI_FQDN>:443 </dev/null | openssl x509 -fingerprint -sha256 -noout
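
The two checks above (expiry, and fingerprint agreement with the vRSLCM Locker) can be combined into one script. This is an added example, not part of the original article or of any VMware tooling; the function names, return codes and output strings are assumptions made for illustration, and the fingerprint is whatever you copy from the Locker.

```shell
#!/bin/sh
# Added example: check a vRLI certificate for expiry and compare its SHA-256
# fingerprint with the one shown in the vRSLCM Locker.
# All function names and return codes here are hypothetical, not VMware's.

# Normalise a fingerprint: drop any "...Fingerprint=" prefix, colons and
# whitespace, then upper-case, so "ab:cd" and "sha256 Fingerprint=AB:CD" compare equal.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n\r\t' | tr 'a-f' 'A-F'
}

# Print the normalised SHA-256 fingerprint of a PEM certificate file.
cert_fp() {
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Save the leaf certificate served on <host>:443 into a PEM file.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$2"
}

# check_vrli_cert PEM_FILE LOCKER_FINGERPRINT [WINDOW_SECONDS]
# WINDOW_SECONDS defaults to 0, i.e. "already expired".
# Returns: 0 OK, 1 expired or expiring within the window,
#          2 fingerprint differs from the Locker, 3 file is not a certificate.
check_vrli_cert() {
    pem=$1; locker_fp=$2; window=${3:-0}
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo "UNREADABLE"; return 3; }
    if ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        echo "EXPIRING $(openssl x509 -in "$pem" -noout -enddate)"
        return 1
    fi
    if [ "$(cert_fp "$pem")" != "$(norm_fp "$locker_fp")" ]; then
        echo "MISMATCH served=$(cert_fp "$pem")"
        return 2
    fi
    echo "OK"
}

# Usage from a host that can reach vRLI (placeholders, not real values):
#   fetch_cert <vRLI_FQDN> /tmp/vrli.pem &&
#       check_vrli_cert /tmp/vrli.pem '<SHA-256 fingerprint shown in the Locker>'
```

A result of 1 corresponds to the expired-certificate cause and 2 to the Locker holding a different certificate than the one vRLI is serving.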

Resolution

  1. Take a snapshot of vRSLCM and vRLI
  2. Replace the vRLI certificate through vRSLCM
  3. Complete an Inventory Sync for the vRLI environment by completing these steps:
    1. On the My services page, click Lifecycle operations.
    2. In the navigation pane, click Environments
    3. Click Trigger inventory sync
    4. In the navigation pane, click Requests and monitor for a successful completion
  4. Rerun the precheck from SDDC Manager