Adding vRealize Operations Manager to the Skyline Collector fails with an error: "Certificate has expired. Please try a different configuration"

Article ID: 318540


Updated On:

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
Configuring vRealize Operations Manager on Skyline Collector fails with error: “Certificate has expired. Please try a different configuration”.

Environment

VMware Skyline Collector Appliance 2.x

Cause

This issue occurs after the Skyline Collector has been auto-updated. Previous versions of the Skyline Collector enforced a valid certificate chain. If the PEM file for vROps contains multiple certificates and any old certificates are present, the Skyline Collector will reject adding vRealize Operations Manager.

Validate vROps Certificates by executing the following command:
/bin/grep -E --color=always -B1 'java.security.cert.CertPathValidatorException: validity check failed|java.security.cert.CertificateExpiredException' $ALIVE_BASE/user/log/*.log | /usr/bin/tail -20
Output containing a valid certificate

When connecting to vROps using openssl, we see an expired certificate.

Connect to the Skyline virtual machine collector console and execute the command below:
openssl s_client -connect {VROPS_HOST_ADDRESS}:443 -showcerts
Where VROPS_HOST_ADDRESS is the same address you've used to configure vROPS.

An expired certificate was found in the vROps default certificate chain:
 
Thumbprint: F4:D8:0D:24:31:8B:DA:0E:B9:B9:BF:D2:8B:31:41:75:51:34:7F:CA
Subject Alternate Name: localhost,127.0.0.1
PublicKey Algorithm: RSA
Valid From: 2015-04-14T15:20:02.000Z
Valid To: 2020-04-13T15:20:02.000Z

Resolution

This issue is resolved in VMware Skyline Collector 2.6.0.0.

Workaround:
Remove the old certificates from vRealize Operations.
  1. Log into the Primary Node as root via SSH or Console by pressing ALT+F1 within the Console to log in.
  2. Run this command to back up the cacert.pem file:
cp /data/vcops/user/conf/ssl/cacert.pem /data/vcops/user/conf/ssl/cacert.pem.bak
  3. Open /data/vcops/user/conf/ssl/cacert.pem in a text editor.
Example: vi /data/vcops/user/conf/ssl/cacert.pem
  4. The certificates are listed with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- at the beginning and end of the certificate, respectively. Please remove all expired certificates (which is mostly the last two in the list).
Note: This may only leave one cert in the chain; this is to be expected.
  5. Restart the web services by running the following command:
For vRealize Operations 7.x: service apache2 restart
For vRealize Operations 8.x: service httpd restart
  6. Repeat steps 1-5 on all nodes in the vRealize Operations cluster.
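
To identify which entries in cacert.pem are expired before removing them by hand, the bundle can be split and each certificate checked with openssl. This is an added example, not part of the original article or any VMware tooling; the function name list_pem_certs and its tab-separated output format are assumptions.

```shell
#!/bin/sh
# Added example: report the validity of every certificate in a PEM bundle.
# Usage: list_pem_certs BUNDLE [SECONDS]
#   SECONDS = 0 (default) flags certificates that have already expired;
#   a larger value flags those expiring within that many seconds.
# Output, one line per certificate in file order (tab-separated):
#   position  status  notAfter  subject
list_pem_certs() {
    bundle=$1
    window=${2:-0}
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle: each BEGIN line starts a new numbered file.
    # Text outside BEGIN/END markers (comments, blank lines) is ignored.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%03d.pem", dir, n) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    i=0
    for f in "$tmpdir"/cert*.pem; do
        [ -e "$f" ] || break          # bundle held no certificates
        i=$((i + 1))
        # -checkend N exits non-zero if the certificate expires within N seconds.
        if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            status=OK
        elif [ "$window" -eq 0 ]; then
            status=EXPIRED
        else
            status=EXPIRING
        fi
        end=$(openssl x509 -in "$f" -noout -enddate | cut -d= -f2)
        subj=$(openssl x509 -in "$f" -noout -subject)
        printf '%d\t%s\t%s\t%s\n' "$i" "$status" "$end" "$subj"
    done
    rm -rf "$tmpdir"
}

# On a vROps node, check the file named in the workaround (skipped elsewhere).
if [ -r /data/vcops/user/conf/ssl/cacert.pem ]; then
    list_pem_certs /data/vcops/user/conf/ssl/cacert.pem
fi
```

The position column matches the order of the BEGIN CERTIFICATE blocks in the file, so lines marked EXPIRED identify the blocks to delete in the editor.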