vRLI 8.x triggers certificate expiry email after replacing certificates from vRSLCM

Article ID: 315956

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • After replacing the Log Insight certificate from vRSLCM, Log Insight still triggers a warning for certificate expiry: Log Insight SSL Certificate will expire in -x days

  • In the vRSLCM logs /var/log/vmware/vmware_vrlcm.log, you see messages similar to:

    2022-10-17 07:11:17.989 INFO [http-nio-8080-exec-7] c.v.v.l.l.c.CertificateStoreController - - - Starting certificate generation
    2022-10-17 07:11:17.990 INFO [http-nio-8080-exec-7] c.v.v.l.l.s.p.CertificateStoreService - -- Inside certificate store service
    2022-10-17 07:11:18.422 ERROR [http-nio-8080-exec-7] c.v.v.l.l.c.CertificateStoreController - -- Failed to generate certificate.
    com.vmware.vrealize.lcm.common.exceptions.InvalidCertificateException: Validations failed for certificate.



Environment

VMware vRealize Log Insight 8.x

Cause

This occurs if a certificate is issued from vRSLCM within 30 days of vRSLCM's root CA's expiry.

 

Resolution

To resolve this issue, follow these steps:

  1. Open an SSH session to the vRSLCM appliance as root and check the certificate by running the following commands:

    /opt/vmware/vpostgres/11/bin/psql -U postgres -d vrlcm
    \x
    select * from vm_locker_certificate where alias = 'DEFAULT_LOCKER_CA';

  2. Using a utility such as WinSCP or FileZilla, copy the certificate you get from step 1 and save it to your local desktop as a .crt file.
  3. Check the certificate's expiration.
  4. If the certificate is expired or about to expire within 30 days, replace the root certificate of vRSLCM before issuing a certificate to vRLI.
  5. To reload/replace the root CA certificate of vRSLCM, follow Rotate expired Locker certificate authority in vRealize Suite Lifecycle Manager
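
One way to carry out steps 3 and 4 from a shell, as an added example that is not part of the original article or VMware tooling. It assumes the certificate from step 1 was saved in PEM form (for instance as locker_ca.crt, a hypothetical file name) and that the openssl command-line tool is installed; make_sample_ca only builds a constructed throwaway certificate for trying the check.

```shell
#!/bin/sh
# Added example (not VMware tooling): classify a saved CA certificate against
# the 30-day window named in the Cause section of this article.

WINDOW_DAYS=30

# check_ca_expiry FILE
# Returns 0 = valid beyond the window, 1 = expires within the window,
#         2 = already expired, 3 = missing file or not a PEM certificate.
check_ca_expiry() {
    crt=$1
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        echo "$crt: not a readable PEM certificate" >&2
        return 3
    fi
    # Show subject and notAfter so the verdict can be cross-checked by eye.
    openssl x509 -in "$crt" -noout -subject -enddate
    # -checkend N exits 0 only if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "RESULT: expired - rotate the vRSLCM root CA before issuing certificates"
        return 2
    fi
    if ! openssl x509 -in "$crt" -noout \
            -checkend $((WINDOW_DAYS * 86400)) >/dev/null; then
        echo "RESULT: expires within $WINDOW_DAYS days - rotate the vRSLCM root CA first"
        return 1
    fi
    echo "RESULT: valid for more than $WINDOW_DAYS days"
    return 0
}

# make_sample_ca FILE DAYS
# Constructed test input: a throwaway self-signed certificate valid for DAYS days.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -subj "/CN=constructed-sample-ca" -days "$2" -out "$1" 2>/dev/null
}

# Check the file named on the command line, e.g.: sh check_ca.sh locker_ca.crt
if [ "$#" -ge 1 ]; then
    check_ca_expiry "$1"
fi
```

A return code of 1 or 2 corresponds to the condition in step 4; in either case complete step 5 before issuing a new certificate to vRLI.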

