Unable to re-pair On-Premise site after updating certificates in VMware Cloud Director Availability 4.x

Article ID: 314974

Products

VMware Cloud Director

Issue/Introduction

  • When re-pairing a Cloud Director Availability On-Premise appliance to a Cloud site, the task fails due to an SSL issue.
  • This issue can occur after the certificates for the On-Premise or Cloud sites were updated.
  • In the Cloud Director Availability On-Premises appliance, the /var/vmware/appliance_role file is blank.
  • In the /opt/vmware/h4/replicator/log/replicator.log file on the On-Premises appliance, you see entries similar to:
2020-08-04 15:01:20.887 WARN - [59b53f21-####-####-####-########5eb] [health-check-5] c.v.h.r.services.ManagerConnector : Unable to reconnect to manager: 036b14ba-####-####-####-########bb1
2020-08-04 15:01:24.205 INFO - [ui-proxy_0e83c905-####-####-####-########472_Ba] [job-2] c.v.h4.replicator.job.onprem.PairJob : Re-pairing with cloud PairWithCloudRequest{apiUrl='https://###.200.200.200:443', thumbprint='SHA-256:93:4E:3F:76:##:EE:7D:55:78:D8:##:FA:57:B9:3E:1D:C9:A6:##:13:4B:34:2A:01:4B:3D:##:DA:B6:##:A4:45', requireOnpremAuth=false, orgUser='admin@myorg', orgPassword=(cencoserd), site='null', description='MySite', localUser='[email protected]', localPassword=(censored)} ..
2020-08-04 15:01:24.875 DEBUG - [ui-proxy_0e83c905-####-####-####-########472_Ba] [job-2] c.v.h4.replicator.job.onprem.PairJob : PairResponse from c4: VcenterPairResponse{pairingCookie='(censored)', apiUrl='https://tn-630b14ba-####-####-####-########cbb1.tnexus.io:8048/', certificate='<censored>', site='Cloud-Site', description='Cloud-Site', org='myorg', cloudId=d3833bfd-####-####-####-########b21, managerId=036b14ba-####-####-####-########bb1, tunnelAddress='##0.100.100.100', tunnelPort=443, tunnelCertificate='<censored>', replicatorIds=[c132f8ec-####-####-####-########5ab]}
2020-08-04 15:01:24.920 DEBUG - [ui-proxy_0e83c905-####-####-####-########472_Ba] [job-2] c.v.h4.common.tunnel.BasicTunnelMonitor : Connected to tunnel https://127.0.0.1:8047
2020-08-04 15:01:24.929 WARN - [ui-proxy_0e83c905-####-####-####-########472_Ba] [job-2] c.v.r.health.HealthCheckingFactory : Closing resource due to an onCreated handler failure

com.vmware.exception.GenericSSLException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...


Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware Cloud Director Availability 4.x

Cause

This issue occurs when the role of the Cloud Director Availability On-Premise appliance is not configured correctly. As a result, additional services are running on the appliance and it is unable to re-establish the trust between the two sites.

Resolution

To resolve this issue, correctly set the role of the Cloud Director Availability On-Premise appliance.

  1. SSH to the On-Premises appliance and log in as root.
  2. Open the appliance_role file with a text editor:
     /var/vmware/appliance_role
  3. Enter the following text with no whitespace (tab stops, spaces, new lines, and so on) and save the file:
     on_prem
  4. Reboot the appliance.
  5. Repair the site as per the instructions mentioned in Cloud Director Availability Documentation: Repair with the Remote Site.
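
Text editors commonly append a trailing newline on save, which conflicts with the "no whitespace" requirement in the steps above. The following shell script is an added example, not VMware code: it checks the role file byte for byte, can write the value without a newline, and counts the PKIX error from the log excerpt. The file paths come from this article; the function names and the ROLE_FILE/LOG_FILE override variables are hypothetical.

```shell
#!/bin/sh
# Added example (not VMware code). Paths are from this article; the function
# names and the ROLE_FILE/LOG_FILE override variables are hypothetical.
ROLE_FILE="${ROLE_FILE:-/var/vmware/appliance_role}"
LOG_FILE="${LOG_FILE:-/opt/vmware/h4/replicator/log/replicator.log}"
EXPECTED_ROLE="on_prem"

# Classify the role file as: ok | missing | blank | whitespace | unexpected
role_state() {
    f="$1"
    [ -f "$f" ] || { echo missing; return 0; }
    [ -s "$f" ] || { echo blank; return 0; }
    # Exact match means same byte count and same text, so a trailing
    # newline (8 bytes instead of 7) is reported as a mismatch.
    size=$(wc -c < "$f" | tr -d '[:space:]')
    if [ "$size" = "${#EXPECTED_ROLE}" ] && [ "$(cat "$f")" = "$EXPECTED_ROLE" ]; then
        echo ok; return 0
    fi
    stripped=$(tr -d '[:space:]' < "$f")
    if [ -z "$stripped" ]; then
        echo blank            # only spaces, tabs or newlines
    elif [ "$stripped" = "$EXPECTED_ROLE" ]; then
        echo whitespace       # right value, but padded or newline-terminated
    else
        echo unexpected
    fi
}

# Write the role without a trailing newline (run as root), then re-check it.
set_role() {
    printf '%s' "$EXPECTED_ROLE" > "$1"
    role_state "$1"
}

# Count log lines carrying the certificate-path error quoted in this article.
pkix_failures() {
    grep -c 'PKIX path building failed' "$1" 2>/dev/null || true
}

# Read-only report; call set_role "$ROLE_FILE" explicitly to apply the fix.
echo "appliance_role: $(role_state "$ROLE_FILE")"
echo "PKIX failures in replicator.log: $(pkix_failures "$LOG_FILE")"
```

A result of `whitespace` means the value is correct but the file still contains padding or a newline; `set_role` rewrites it to exactly seven bytes, after which the reboot and re-pair steps continue as described.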



Additional Information

For more information regarding certificate replacement in Cloud Director Availability 4.x, see Replace the SSL certificate of the appliance.