vRLI 8.x triggers certificate expiry email after replacing certificates from vRSLCM
search cancel

vRLI 8.x triggers certificate expiry email after replacing certificates from vRSLCM

book

Article ID: 315956

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • After replacing the Log Insight certificate from vRSLCM, Log Insight still triggers a warning for certificate expiry: Log Insight SSL Certificate will expire in -x days
  • In the vRSLCM logs /var/log/vmware/vmware_vrlcm.log, you see messages similar to:
2022-10-17 07:11:17.989 INFO [http-nio-8080-exec-7] c.v.v.l.l.c.CertificateStoreController - - - Starting certificate generation
2022-10-17 07:11:17.990 INFO [http-nio-8080-exec-7] c.v.v.l.l.s.p.CertificateStoreService - --   
Inside certificate store service
2022-10-17 07:11:18.422 ERROR [http-nio-8080-exec-7] c.v.v.l.l.c.CertificateStoreController - -- Failed to generate certificate.
com.vmware.vrealize.lcm.common.exceptions.InvalidCertificateException: Validations failed for certificate.

Environment

VMware vRealize Log Insight 8.x

Cause

This occurs if a certificate is issued from vRSLCM within 30 days of vRSLCM's root CA's expiry.

Resolution

To resolve this issue, please follow the below steps:
  1. Open an SSH session to the vRSLCM appliance as root and check the certificate by running the below commands

    /opt/vmware/vpostgres/11/bin/psql -U postgres -d vrlcm
    \x
    select * from vm_locker_certificate where alias = 'DEFAULT_LOCKER_CA';

  2. Using a utility such as WinSCP or FileZilla, copy the certificate you get from step1 and save it to your local desktop as .crt file.

  3. Check the certificate's expiration

  4. If the certificate is expired or about to expire within 30 days, replace the root certificate of vRSLCM before issuing a certificate to vRLI.

  5. To reload/replace the root CA certificate of vRSLCM, follow Rotate expired Locker certificate authority in vRealize Suite Lifecycle Manager

Additional Information