Error LCMVRAVACONFIG590003 During Aria Automation Certificate Renewal Or HA Configuration

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Symptom 1:

The following error is seen while renewing the Aria Automation certificates or while trying to perform Day 2 actions ( such as Snapshots )
- Error Code: LCMVRAVACONFIG590003

Cluster initialization failed on VMware Aria Automation.
com.vmware.vrealize.lcm.common.exception.EngineException: VMware Aria Automation Initialize cluster failed after certificate install.at com.vmware.vrealize.lcm.plugin.core.vra80.task.VraVaInstallCertificateTask.execute(VraVaInstallCertificateTask.java:175)at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:62)at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)at java.base/java.lang.Thread.run(Unknown Source)

The identity-service-app pod would not initialize as shown below.

Symptom 2:

HA environment contains 3 nodes.
HA deployment fails on initialization step (stage 9) with the following error:

Issue - Error Code: LCMVRAVACONFIG590003
Cluster initialization failed on vRA.
vRA va initialize failed on : xxxx-xxxx-xxxx,
Please login to the vRA and check /var/log/deploy.log file for more information on failure. If its a vRA HA and to reset the load balancer, set the 'isLBRetry' to 'true' and enter a valid load balancer hostname.

In the install-rpms.log, vco-controlcenter-app.previous.log or in vco-controlcenter-app.log, you see similar to:

2020-06-19 18:13:33,993 [ERROR] Failed to create the initial configuration data. Reason: query did not return a unique result: 2; nested exception is javax.persistence.NonUniqueResultException: query did not return a unique result: 2
Failed to update database configuration with local changes.
java.lang.RuntimeException: Failed to create the initial configuration data.
at com.vmware.o11n.settings.proxies.DbConfigurationInitializator.run(DbConfigurationInitializator.java:53) ~[o11n-configuration-services-8.1.0.jar:?]
at com.vmware.o11n.cli.configuration.commands.sync.SyncLocalCommand.updateDbConfiguration(SyncLocalCommand.java:28) ~[o11n-commandline-configuration-8.1.0.jar:?]
at com.vmware.o11n.cli.configuration.commands.ConfigurationCommand.updateDbConfiguration(ConfigurationCommand.java:133) [o11n-commandline-configuration-8.1.0.jar:?]
at com.vmware.o11n.cli.configuration.commands.ConfigurationCommand.executeCmd(ConfigurationCommand.java:122) [o11n-commandline-configuration-8.1.0.jar:?]
at com.vmware.o11n.cli.configuration.ConfigurationCli.executeCommand(ConfigurationCli.java:123) [o11n-commandline-configuration-8.1.0.jar:?]
at com.vmware.o11n.cli.configuration.ConfigurationCli.main(ConfigurationCli.java:99) [o11n-commandline-configuration-8.1.0.jar:?]

Environment

VMware Aria Automation 8.x

Cause

Cause 1

The Aria Automation certificate renewal fails with LCMVRAVACONFIG590003 error because the identity-service-app pod does not initialize due to expired vIDM certificates.
This can be confirmed in the deploy.log file with the event "[2025-04-16 03:59:13] ERROR Release 'identity-service' in namespace 'prelude' failed to come up".

Cause 2

This issue occurs due to the Aria Automation installation through Aria Suite Lifecycle failing due to Aria Orchestrator pods restarting, causing a race condition in the Aria Orchestrator configuration manager.

Resolution

Solution for Symptom 1:

To check the vIDM certificate's expiration date in Chrome, navigate to the vIDM ui using the LB FQDN, click on the padlock icon (Not Secure) in the address bar, then click on "Certificate is Not Valid" and verify that the "Validity Period" section displays the expiration date.

Renew the vIDM certificates using the steps in the following KB Certificate Replacement for VMware Identity Manager deployed from Aria Suite Lifecycle.
Then resubmit the failed Aria Automation certificate failure request to continue with the certificate renewal, and this time the Aria Automation certificate should be renewed successfully.

Solution for Symptom 2:

SSH to the primary node.
Scale down vco-app deployment to zero pods:

kubectl -n prelude scale deployment vco-app --replicas=0

Connect to the database with:

vracli dev psql

Once logged into the database, switch the connection to the Aria Orchestrator database with:

\c vco-db

Execute this SQL command:

DELETE FROM vmo_vroconfiguration config1 USING vmo_vroconfiguration config2 WHERE config1.id < config2.id AND config1.actionid IS NOT NULL AND config1.actionid = config2.actionid;

Log out of psql

\q

Scale vco-app deployment to one replica and wait until the pod is in the running state and all its containers are ready before proceeding with the next step.

kubectl -n prelude scale deployment vco-app --replicas=1

Run /opt/scripts/deploy.sh