Remove Old or Unused Certificates from SDDC Manager

Article ID: 316029

Products

VMware Cloud Foundation, VMware SDDC Manager

Issue/Introduction

  • An SDDC Manager upgrade may fail and report the error below in /var/log/vmware/vcf/lcm/thirdparty/upgrades/########-####-####-####-########f2c8/sddcmanager-migration-app/logs/sddcmanager_migration_app_upgrade.log:
    ERROR [vcf_migration,0000000000000000,0000] [c.v.e.s.o.model.error.ErrorFactory,pool-5-thread-9]  [49931G] FAILED_TO_GET_SDDC_MANAGER_ACCESS_TOKEN Failed to get SDDC Manager public api access token
    com.vmware.evo.sddc.orchestrator.exceptions.OrchTaskException: Failed to get SDDC Manager public api access token
    Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://sddc01.example.com/v1/tokens": PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    Caused by: javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
    Caused by: java.security.cert.CertificateExpiredException: NotAfter: Thu Mar 14 19:12:37 UTC 2024


Environment

VMware Cloud Foundation 4.5.1

Cause

Old or unused certificates (including an expired one, as the CertificateExpiredException in the log shows) are still stored in the SDDC Manager trust store, so the certificate path validation during the token request fails its validity check.


Resolution

For VCF 4.x, follow the steps below:

  1. Take a snapshot of SDDC Manager.
  2. SSH to SDDC Manager as the vcf user and su to root.
  3. Using the sddcmanager-ssl-util.sh script, retrieve the list of certificate aliases in the trust store:
    /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager-ssl-util.sh -list | grep 'Alias name'
  4. Using the alias from that list, delete the old or unused certificate:
    /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager-ssl-util.sh -delete <certificate alias name from list>
  5. Restart all the SDDC Manager services with the command below:
    /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh


    Reference document - Remove Old or Unused Certificates from SDDC Manager 
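The following script is an added example, not part of this KB article or of VMware's tooling. It wraps the VCF 4.x steps above so that the trust-store aliases are listed first, only aliases named explicitly are deleted, and nothing is deleted unless DRY_RUN=0 is set. It assumes that `sddcmanager-ssl-util.sh -list` prints keytool-style `Alias name: <alias>` lines (the KB only shows that the string `Alias name` appears in the output); the environment variable names SSL_UTIL, RESTART_SCRIPT, DRY_RUN and ALIASES_TO_DELETE are this example's own. Run it as root on SDDC Manager after taking the snapshot.

```shell
#!/bin/sh
# Added example (not from the KB): list trust-store aliases, delete only the
# aliases explicitly requested, then restart the SDDC Manager services.
# DRY_RUN=1 (the default) only prints what would be deleted.
# Assumption: `-list` prints keytool-style "Alias name: <alias>" lines.

SSL_UTIL=${SSL_UTIL:-/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager-ssl-util.sh}
RESTART_SCRIPT=${RESTART_SCRIPT:-/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh}
DRY_RUN=${DRY_RUN:-1}

# extract_aliases: read `-list` output on stdin, print one alias per line.
extract_aliases() {
    grep 'Alias name' | sed 's/^[[:space:]]*Alias name:[[:space:]]*//'
}

# list_aliases: run the util and print the aliases currently in the trust store.
list_aliases() {
    "$SSL_UTIL" -list | extract_aliases
}

# delete_aliases: delete each alias given as an argument, but only if it is
# present in the listing passed on stdin (guards against typos). Returns 1 if
# any requested alias was not found, so a mistyped alias is never silently skipped.
delete_aliases() {
    listing=$(cat)
    status=0
    for alias in "$@"; do
        if ! printf '%s\n' "$listing" | grep -qxF "$alias"; then
            echo "skip: alias '$alias' not in trust store" >&2
            status=1
            continue
        fi
        if [ "$DRY_RUN" = "1" ]; then
            echo "would delete: $alias"
        else
            echo "deleting: $alias"
            "$SSL_UTIL" -delete "$alias"
        fi
    done
    return "$status"
}

# Only touch the real trust store when ALIASES_TO_DELETE is set, e.g.
#   DRY_RUN=0 ALIASES_TO_DELETE="vcenter-old nsx-old" sh cleanup.sh
if [ -n "${ALIASES_TO_DELETE:-}" ]; then
    # word splitting of ALIASES_TO_DELETE is intentional (space-separated list)
    if list_aliases | delete_aliases $ALIASES_TO_DELETE && [ "$DRY_RUN" != "1" ]; then
        "$RESTART_SCRIPT"
    fi
fi
```

Running it once without DRY_RUN=0 gives a preview of exactly which aliases would be removed; the services restart only after a real deletion in which every requested alias was found.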

For VCF 5.x, follow the steps below:

  1. Log in to the SDDC Manager UI with the ADMIN role.
  2. In the navigation pane, click Developer Center > API Explorer.
  3. Browse to and expand API Categories > Trusted Certificates.
  4. Expand GET /v1/sddc-manager/trusted-certificates and click EXECUTE.
  5. In the Response, click TrustedCertificate and copy the alias of the certificate you want to remove.
  6. Expand DELETE /v1/sddc-manager/trusted-certificates/{alias}, enter the alias, and click EXECUTE.


    Reference document - Remove Old or Unused Certificates from SDDC Manager
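The following script is an added example, not part of this KB article or of VMware's tooling. It performs the VCF 5.x steps above with curl against the public API instead of the API Explorer UI. The hostname sddc01.example.com and the /v1/tokens endpoint come from the log in this article; the request body for /v1/tokens (`username`/`password`), the `accessToken` field in its reply, the `elements` wrapper and the `alias` field of the trusted-certificates response are assumptions, and the environment variable names SDDC_HOST, SDDC_USER, SDDC_PASS, CURL_OPTS, DRY_RUN and ALIASES_TO_DELETE are this example's own.

```shell
#!/bin/sh
# Added example (not from the KB): list and delete SDDC Manager trusted
# certificates through the public API. Nothing is deleted unless DRY_RUN=0.
# Assumptions: POST /v1/tokens accepts {"username","password"} and returns
# "accessToken"; GET /v1/sddc-manager/trusted-certificates returns items with
# an "alias" field. Set CURL_OPTS to e.g. "--cacert /path/ca.pem" if the
# SDDC Manager CA is not in the local trust store (TLS verification stays on).

SDDC_HOST=${SDDC_HOST:-sddc01.example.com}   # hostname from the KB's log line
DRY_RUN=${DRY_RUN:-1}
CURL_OPTS=${CURL_OPTS:-}

# json_field: print every string value of "<field>" from JSON on stdin, one per
# line. A grep-based extractor is enough for these flat responses.
json_field() {
    field=$1
    grep -o "\"$field\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
        | sed 's/^[^:]*:[[:space:]]*"//; s/"$//'
}

# trusted_certs_url: URL of the collection, or of one alias when given.
trusted_certs_url() {
    if [ -n "${1:-}" ]; then
        printf 'https://%s/v1/sddc-manager/trusted-certificates/%s\n' "$SDDC_HOST" "$1"
    else
        printf 'https://%s/v1/sddc-manager/trusted-certificates\n' "$SDDC_HOST"
    fi
}

# get_token: obtain a bearer token for the public API (the same endpoint the
# failing upgrade in the KB was calling).
get_token() {
    curl -sSf $CURL_OPTS -X POST "https://$SDDC_HOST/v1/tokens" \
        -H 'Content-Type: application/json' \
        -d "{\"username\":\"$SDDC_USER\",\"password\":\"$SDDC_PASS\"}" \
        | json_field accessToken
}

# list_trusted_aliases <token>: equivalent of step 4/5 in the UI.
list_trusted_aliases() {
    curl -sSf $CURL_OPTS -H "Authorization: Bearer $1" "$(trusted_certs_url)" | json_field alias
}

# delete_trusted_alias <token> <alias>: equivalent of step 6 in the UI.
delete_trusted_alias() {
    token=$1; alias=$2
    if [ "$DRY_RUN" = "1" ]; then
        echo "would DELETE $(trusted_certs_url "$alias")"
    else
        curl -sSf $CURL_OPTS -X DELETE -H "Authorization: Bearer $token" "$(trusted_certs_url "$alias")"
    fi
}

# Only contact SDDC Manager when credentials are supplied, e.g.
#   SDDC_USER=administrator@vsphere.local SDDC_PASS=... ALIASES_TO_DELETE="vcenter-old" sh cleanup-api.sh
if [ -n "${SDDC_USER:-}" ] && [ -n "${SDDC_PASS:-}" ]; then
    token=$(get_token)
    echo "Trusted certificate aliases on $SDDC_HOST:"
    list_trusted_aliases "$token"
    for alias in ${ALIASES_TO_DELETE:-}; do
        delete_trusted_alias "$token" "$alias"
    done
fi
```

Passing the password through an environment variable keeps it out of the shell history and the process command line of curl is still visible to other local users while the request runs, so run it from the admin workstation rather than a shared host.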