SDDC Manager UI shows red banner for certificate expiration: "Certificates have expired. Visit Domain Management page to take action"

Article ID: 316055

Products

VMware Cloud Foundation, VMware Cloud Foundation 4.x, VMware Cloud Foundation 5.x

Issue/Introduction

  • The SDDC Manager UI shows the expired-certificates red banner even though none of the certificates are expired.
  • This issue is observed after renewing vCenter Server certificates directly from the vCenter Server.
  • SDDC Workload Domains show the error message "<Workload Domain Name> has <Number of certs> expired certificate"
  • SDDC Manager logs contain errors similar to the excerpt below in /var/log/vmware/vcf/operationsmanager/operationsmanager.log:
    • WARN  [vcf_om,########,####] [o.h.e.jdbc.spi.SqlExceptionHelper,om-exec-11] SQL Error: 0, SQLState: 42P01
      ERROR [vcf_om,########,####] [o.h.e.jdbc.spi.SqlExceptionHelper,om-exec-11] ERROR: relation "certificate_chain_expiry_seq" does not exist
        Position: 16
      YYYY-MM-DD ERROR [vcf_om,6809b360b1a4e#####3d567a1f4640,1b36] [c.v.v.c.s.e.UpdateCertificateExpiryService,om-exec-18] Failed to update the certificate expiry cache could not extract ResultSet [ERROR: relation "certificate_chain_expiry_seq" does not exist
        Position: 16] [select nextval('certificate_chain_expiry_seq')]; SQL [select nextval('certificate_chain_expiry_seq')]
      org.springframework.dao.InvalidDataAccessResourceUsageException: could not extract ResultSet [ERROR: relation "certificate_chain_expiry_seq" does not exist
        Position: 16] [select nextval('certificate_chain_expiry_seq')]; SQL [select nextval('certificate_chain_expiry_seq')]
              at org.springframework.orm.jpa.vendor.HibernateJpaDialect.convertHibernateAccessException(HibernateJpaDialect.java:256)
              at org.springframework.orm.jpa.vendor.HibernateJpaDialect.translateExceptionIfPossible(HibernateJpaDialect.java:229)
              at org.springframework.orm.jpa.AbstractEntityManagerFactoryBean.translateExceptionIfPossible(AbstractEntityManagerFactoryBean.java:550)
              at org.springframework.dao.support.ChainedPersistenceExceptionTranslator.translateExceptionIfPossible(ChainedPersistenceExceptionTranslator.java:61)
              at org.springframework.dao.support.DataAccessUtils.translateIfNecessary(DataAccessUtils.java:243)
              at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:152)
              at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
              at org.springframework.data.jpa.repository.support.CrudMethodMetadataPostProcessor$CrudMethodMetadataPopulatingMethodInterceptor.invoke(CrudMethodMetadataPostProcessor.java:164)
              at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
              at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
              at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:184)
              at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:244)
              at jdk.proxy2/jdk.proxy2.$Proxy208.save(Unknown Source)
      [...]
      Caused by: org.hibernate.exception.SQLGrammarException: could not extract ResultSet [ERROR: relation "certificate_chain_expiry_seq" does not exist
        Position: 16] [select nextval('certificate_chain_expiry_seq')]
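
To check whether a log carries the signature quoted above before opening a Support Request, the following added example (not Broadcom tooling and not part of the original article) counts the three markers from the excerpt and reports a match only when the missing-sequence error and the expiry-cache update failure both appear. The function names and the sample log lines are assumptions constructed from the excerpt; a match points to this article's condition and does not replace checking the actual certificate validity dates.

```shell
#!/bin/sh
# Added example: triage operationsmanager.log for the KB 316055 signature.
# Function names and the sample log are hypothetical, built from the excerpt.
OM_LOG_DEFAULT=/var/log/vmware/vcf/operationsmanager/operationsmanager.log

# count_lines <fixed-string> <file>: number of lines containing the string.
count_lines() {
    grep -cF -- "$1" "$2" || true   # grep -c prints 0 but exits 1 on no match
}

# kb316055_triage [logfile]
# Returns 0 (MATCH) when both the missing sequence and the failed expiry-cache
# update are logged, 1 (NO_MATCH) otherwise, 2 if the log cannot be read.
kb316055_triage() {
    log=${1:-$OM_LOG_DEFAULT}
    [ -r "$log" ] || { echo "UNREADABLE"; return 2; }
    seq_missing=$(count_lines 'relation "certificate_chain_expiry_seq" does not exist' "$log")
    sqlstate=$(count_lines 'SQLState: 42P01' "$log")
    cache_fail=$(count_lines 'Failed to update the certificate expiry cache' "$log")
    echo "seq_missing=$seq_missing sqlstate_42P01=$sqlstate cache_update_failed=$cache_fail"
    if [ "$seq_missing" -gt 0 ] && [ "$cache_fail" -gt 0 ]; then
        echo "MATCH"
        return 0
    fi
    echo "NO_MATCH"
    return 1
}

# Constructed sample lines modelled on the excerpt (IDs and timestamps are fake).
sample_log() {
cat <<'EOF'
2024-01-01T00:00:00.000+0000 WARN  [vcf_om,0000,0000] [o.h.e.jdbc.spi.SqlExceptionHelper,om-exec-11] SQL Error: 0, SQLState: 42P01
2024-01-01T00:00:00.000+0000 ERROR [vcf_om,0000,0000] [o.h.e.jdbc.spi.SqlExceptionHelper,om-exec-11] ERROR: relation "certificate_chain_expiry_seq" does not exist
2024-01-01T00:00:00.000+0000 ERROR [vcf_om,0000,0000] [c.v.v.c.s.e.UpdateCertificateExpiryService,om-exec-18] Failed to update the certificate expiry cache could not extract ResultSet [ERROR: relation "certificate_chain_expiry_seq" does not exist
EOF
}

# Demo on the constructed sample; on an appliance, call kb316055_triage with
# no argument to read the default log path from the article.
tmp=$(mktemp) && sample_log > "$tmp" && kb316055_triage "$tmp"; rm -f "$tmp"
```
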

Cause

After the vCenter certificates are renewed outside SDDC Manager, the certificate chain and its new expiration date are not updated in SDDC Manager.

Resolution

A fix has been applied to SDDC Manager version 5.2 and later.

As this issue requires database-level modifications, we recommend you submit a Support Request with Broadcom Support mentioning this KB 316055 for guided assistance in implementing the workaround safely.