Symptoms:
The Cloud Account shows "Unavailable for Deployment" or "Failed to validate" when attempting to update the Cloud Account.
Provisioning fails with "Cannot find available cloud zones in the current project. Maybe there is no connectivity to the endpoint(s)".
The provisioning-service log contains:
ERROR provisioning [host='provisioning-service-xxx' thread='xxx' user='xxx' org='xxx' trace='xxx' parent='xxx' span=xxx'] c.v.p.c.m.a.v.VSphereEndpointAdapterService.lambda$validate$8:280 - handleCertificate serviceErrorResponse: {"message":"Error storing certificate. Retry validation","statusCode":400,"errorCode":0,"serverErrorId":"xxx","documentKind":"com:vmware:xenon:common:ServiceErrorResponse"} for host: xxx
Cause:
When a vSphere certificate is changed, the Aria Automation user revalidates the Cloud account and accepts the new certificate but closes the Cloud account without saving. The certificate is then accepted in the trust store but not saved to the endpoint.
Resolution:
This issue is resolved in the future release of VMware Cloud Foundation 9.0.
net.broadcom.vra.update.ca.certificate
openssl s_client -connect ID1:443 2> /dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}'
Note: Replace ID1 with the vCenter FQDN.
Note: The exact output of this command (the certificate on one line with literal \n separators) is used later as ID6.
PATCH ID3/iaas/api/cloud-accounts/ID2?apiVersion=2021-07-15
{
"privateKeyId": "ID4",
"privateKey": "ID5",
"certificateInfo": {
"certificate": "ID6"
}
}
Note: Replace the IDx placeholders as follows:
Replace ID2 with the cloud account id obtained in step 1 of the prerequisites.
Replace ID3 with the Aria Automation FQDN.
Replace ID4 with the username obtained in step 1 of the prerequisites.
Replace ID5 with the password of the vCenter service account (ID4).
Replace ID6 with the output of the command run in step 3 of the prerequisites.
Replace ID7 with the bearer token obtained in step 4 of the prerequisites (entered under the Authorization tab).
Body when the vCenter is connected through a cloud proxy (dcid holds the cloud proxy id):
{
"privateKeyId": "ID4",
"dcid": "CloudProxyID",
"privateKey": "ID5",
"certificateInfo": {
"certificate": "ID6"
}
}
curl -k --location --request PATCH 'https://ID3/iaas/api/cloud-accounts/ID2?apiVersion=2021-07-15' \
--header 'Authorization: Bearer ID7' \
--header 'Content-Type: application/json' \
--data-raw '{
"privateKeyId": "ID4",
"privateKey": "ID5",
"certificateInfo": {
"certificate": "ID6"
}
}'
Note: Replace the IDx placeholders as follows:
Replace ID2 with the cloud account id obtained in step 1 of the prerequisites.
Replace ID3 with the Aria Automation FQDN.
Replace ID4 with the username obtained in step 1 of the prerequisites.
Replace ID5 with the password of the vCenter service account (ID4). (Note: If the password contains characters such as quotes, escape them in the curl command.)
Replace ID6 with the output of the command run in step 3 of the prerequisites.
Replace ID7 with the bearer token obtained in step 4 of the prerequisites.
Note: The -k option skips verification of the Aria Automation TLS certificate; omit it if the client already trusts that certificate.
GET root-url/provisioning/uerp/provisioning/mgmt/endpoints?expand
Note: Use a valid bearer token for authorization.
In the response, find the relevant VCF endpoint and inspect its customProperties. Copy the nsx and vsphere property values, which start with "resources/endpoints/...", and use them in the following GET calls to check those cloud accounts (Step 2).
GET root-url/provisioning/uerp/resources/endpoints/xxx
If the certificate in the response does not match the valid certificate for that endpoint (the output of the earlier command openssl s_client -connect ID1:443 2> /dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}'), patch this cloud account:
PATCH root-url/provisioning/uerp/resources/endpoints/xxx
{
"endpointProperties": {
"certificate": "updated-endpoint-certpem"
},
"customProperties": {
"certificate": "updated-endpoint-certpem"
}
}
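The following Python script is an added example; it is not code from this KB article or from VMware/Broadcom. It covers the two manual steps described above: building the PATCH bodies (the cloud-account body from the earlier section and the uerp endpoint body just shown) with the certificate escaped the way the notes require, and checking whether the certificate stored on an endpoint document matches the one the vCenter presents. It compares SHA-256 fingerprints of the DER bytes rather than raw strings, so line-break and escaping differences cannot mask a mismatch. The sample certificates and the endpoint document are constructed placeholders, and fetch_vcenter_pem, the other function names and the dcid keyword are this example's own.

```python
import base64
import hashlib
import json
import re
import ssl


def _fake_pem(seed: bytes) -> str:
    """Constructed PEM-shaped text (not a real certificate) for offline use."""
    b64 = base64.b64encode(seed * 4).decode()
    wrapped = "\r\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\r\n{wrapped}\r\n-----END CERTIFICATE-----\r\n"


NEW_PEM = _fake_pem(b"constructed-new-vcenter-cert")  # constructed sample
OLD_PEM = _fake_pem(b"constructed-old-vcenter-cert")  # constructed sample


def fetch_vcenter_pem(fqdn: str, port: int = 443) -> str:
    """Same data as `openssl s_client ... | openssl x509`: the leaf certificate
    the vCenter presents, as PEM. Network call, so it is not used offline."""
    return ssl.get_server_certificate((fqdn, port))


def normalize_pem(pem: str) -> str:
    """Strip CRs, surrounding spaces and blank lines, and turn literal
    backslash-n sequences (the form the awk pipeline emits) back into newlines."""
    text = pem.replace("\\n", "\n").replace("\r", "")
    lines = [ln.strip() for ln in text.split("\n") if ln.strip()]
    return "\n".join(lines) + "\n"


def pem_to_single_line(pem: str) -> str:
    """Reproduce the awk output: one line, newlines spelled as backslash-n."""
    return normalize_pem(pem).replace("\n", "\\n")


def pem_fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes: formatting differences never hide a match,
    and a different certificate never compares equal."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", normalize_pem(pem))
    der = base64.b64decode("".join(body.split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def build_cloud_account_patch(username: str, password: str, pem: str, dcid: str = "") -> dict:
    """Body for PATCH /iaas/api/cloud-accounts/{id}; dcid only for cloud-proxy setups."""
    body = {
        "privateKeyId": username,
        "privateKey": password,
        "certificateInfo": {"certificate": normalize_pem(pem)},
    }
    if dcid:
        body["dcid"] = dcid
    return body


def build_endpoint_patch(pem: str) -> dict:
    """Body for PATCH /provisioning/uerp/resources/endpoints/<self link>."""
    cert = normalize_pem(pem)
    return {"endpointProperties": {"certificate": cert},
            "customProperties": {"certificate": cert}}


def serialize(body: dict) -> str:
    """json.dumps does the newline and quote escaping the KB notes warn about."""
    return json.dumps(body)


def stale_certificate_fields(endpoint_doc: dict, expected_pem: str) -> list:
    """Name the certificate fields on a uerp endpoint document that are
    missing or do not match the certificate the vCenter presents."""
    expected = pem_fingerprint(expected_pem)
    stale = []
    for field in ("endpointProperties", "customProperties"):
        stored = (endpoint_doc.get(field) or {}).get("certificate")
        if not stored or pem_fingerprint(stored) != expected:
            stale.append(field)
    return stale


# Constructed endpoint document in the shape the GET call returns: old
# certificate in endpointProperties, none at all in customProperties.
SAMPLE_ENDPOINT_DOC = {
    "documentSelfLink": "/resources/endpoints/constructed-id",
    "endpointProperties": {"certificate": normalize_pem(OLD_PEM)},
    "customProperties": {"type": "vsphere"},
}

if __name__ == "__main__":
    print(stale_certificate_fields(SAMPLE_ENDPOINT_DOC, NEW_PEM))
    print(serialize(build_cloud_account_patch("user@domain", 'p"ss', NEW_PEM)))
```

In a live run, replace NEW_PEM with fetch_vcenter_pem("<vcenter fqdn>") and the sample document with the JSON returned by the GET call; the stale list tells you which endpoints still need the PATCH, and serialize() gives the exact --data-raw payload for curl or Postman.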
Note: Postman is recommended for ease of use; the equivalent cURL commands are:
curl --location -g --request GET 'https://ID3/provisioning/uerp/provisioning/mgmt/endpoints?expand' \
--header 'Authorization: Bearer ID7'
curl --location -g --request PATCH 'https://ID3/provisioning/uerp/document-self-link' \
--header 'Authorization: Bearer ID7' \
--header 'Content-Type: application/json' \
--data-raw '{ "endpointProperties": { "certificate": "updated-endpoint-certpem" }, "customProperties": { "certificate": "updated-endpoint-certpem" }}'
Note: Replace document-self-link with the endpoint's self link (resources/endpoints/...) obtained from the GET call.
Note: Replace the newline characters in the certpem with \n so that the certpem is entirely on one line; this is the form the openssl/awk command in step 3 of the prerequisites produces.
Note: On a VCF-enabled Aria Automation instance, the NSX, vSphere and VCF endpoints all need to be patched.
Note: See the Additional Information section.
Important note 1:
If the following error is returned after running the above steps:
"message": "Failed to execute handlePatchAsync", "statusCode": 400,
check the format of ID4 (the username obtained in step 1 of the prerequisites): it must be in UPN format (username@domain).
Important note 2:
Situation: the Cloud account still does not get updated with the latest certificate although the API call succeeds with a 202 status code and "INPROGRESS".
In that case, use the cloud-accounts-vsphere API with the body below:
/iaas/api/cloud-accounts-vsphere/
{
"hostName": "vCenterFQDN",
"certificateInfo": {
"certificate": "-----BEGIN CERTIFICATE-----\nMIIEeDCCxxxxxxxxxxxxxxxxxxxxxxxxxxAMIGkMRYwFAYD\nVQQDDA1xNHVzc3RzeXUwNTIwMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMG\nCgmSJomT8WjQhsY\n0IvKGAGvZANwwMpVYyfEP/r5ugHE5XGzqnHtshP6cGO7Td9SHJpwzMezj8M=\n-----END CERTIFICATE-----\n"
},
"password": "password",
"username": "username@domain"
}