Error: Failed/Unable to trust load balancer's certificate for VIDM
Article ID: 322710
Products
VMware Aria Suite
Issue/Introduction
The vIDM certificate shows as up to date; however, re-trusting vIDM with the load balancer fails with the error below:
Error Code: LCMVIDM71092
Failed to trust load balancer's certificate. Ensure load balancer has proper root certificate or provide the root certificate chain as retry param 'vidmLBRootCertificateChain' and try again.
Unable to fetch root/intermediate CA certificates from the certificate chain provided. Failed to trust vIDM load balancer certificate. Retry by providing the root or intermediate CA certificate chain
Inventory sync from vRLCM to vIDM fails with error LCMVIDM71077 after replacing certificates on vIDM node(s)
Error Code LCMVIDM71077
Unable to trust load balancer's certificate. Refer to the log for additional details and retry.
Error while getting login token from vIDM
The VMware Aria Suite Lifecycle engine log /var/log/vrlcm/vmware_vrlcm.log contains the following error:
####-##-## 19:03:08.778 ERROR [####-#-######-##] c.v.v.l.v.d.h.VidmInstallHelper - -- Exception occured while trusting certificate
com.vmware.vrealize.lcm.common.exception.LcmException: Error while trusting LB's certificate on the host <VIDMNODEFQDN>, failed with message : {"message":"Error installing custom certificate, refer logs for more details.","code":2,"success":false,"results":null,"resultObj":null,"fieldMessages":null,"redirectUrl":null}
at com.vmware.vrealize.lcm.vidm.driver.helpers.VidmInstallHelper.trustCertificate(VidmInstallHelper.java:867) [#####-##########-######-#.12.#-########.jar!/:?]
at com.vmware.vrealize.lcm.vidm.driver.helpers.VidmInstallHelper.trustCertificate(VidmInstallHelper.java:824) [#####-##########-######-#.12.#-########.jar!/:?]
at com.vmware.vrealize.lcm.vidm.core.task.VidmTrustLBCertificateTask.execute(VidmTrustLBCertificateTask.java:139) [#####-##########-####-#.12.#-########.jar!/:?]
at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:63) [#####-#############-####-#.12.#-########.jar!/:?]
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
at java.lang.Thread.run(Unknown Source) [?:?]
Environment
VMware Identity Manager 3.3.x
Cause
This issue is likely caused by one of the following scenarios:
Network connectivity problems between the load balancer
The certificate's signature algorithm is not SHA-256; using RSASSA-PSS as the signature algorithm can lead to this issue.
The CA certificate or vIDM server certificate is not properly configured on the load balancer
A known issue in version 3.3.7
Resolution
There are multiple plausible causes; see the possible resolutions below.
Connectivity issue:
SSH to the VMware Aria Suite Lifecycle appliance (formerly vRealize Suite Lifecycle Manager).
Validate that you can ping the hostnames of the load balancers and the vIDM nodes.
If there is no connectivity, work with your networking team to resolve it.
Certificate Signature Algorithm
Create new certificates using SHA-256 as the signature algorithm instead of RSASSA-PSS (rsassaPss).
Certificate missing in the load balancer.
The vIDM cluster is SSL-terminated at the load balancer, so the CA and vIDM server certificates must be imported into the load balancer.
For NSX-T Manager, follow the steps below:
Add server and CA certificates to NSX-T
1. Log in to the NSX-T Manager.
2. Go to 'System > Certificates > Import' and import the vIDM server certificate.
3. Repeat step 2 for the root CA certificate.
Apply the certificate(s) to the Virtual Server
1. Go to 'Networking > Load Balancing > Virtual Servers'.
2. Select the vertical ellipsis (⋮) for the virtual server used for vIDM, and select 'Edit'.
3. Click 'Configure' in the 'SSL Configuration' field.
4. Select the 'Client SSL' tab and update the certificate in the 'Default Certificate' field.
5. Expand 'Advanced Properties' and add the CA (root) certificate in the 'Trusted CA Certificates' field.
6. Select the 'Server SSL' tab and replace the certificate in the 'Default Certificate' field.
7. Expand 'Advanced Properties' and add the CA (root) certificate in the 'Trusted CA Certificates' field.
8. 'Save' the SSL configuration.
Apply the certificate to the active monitor for the server pool
1. Go to 'Networking > Load Balancing > Server Pools'.
2. Select the desired server pool, then click the hyperlink after 'Active Monitor'.
3. Select the vertical ellipsis (⋮), select 'Edit', then go to 'SSL Configuration' and click 'Configure'.
4. Update the certificate in the 'Client Certificate' field with the new certificate.
5. Expand 'Advanced Properties' and add the CA (root) certificate in the 'Trusted CA Certificates' field.
6. 'Save' the SSL configuration.
Note: If you are not replacing the CA certificate, you can leave the Trusted Root CA Certificate configuration at the default setting.
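Before reissuing certificates or editing the load balancer, it helps to confirm which of the two certificate causes above (RSASSA-PSS signature, or a chain with no root/intermediate CA) applies to the chain the load balancer actually serves. The following Python checker is an added example, not part of this article or of Aria Suite Lifecycle: it walks the outer DER structure of each certificate in a PEM bundle (for instance one saved from openssl s_client -showcerts) and reports both conditions; sample_pem builds constructed stand-ins, not real certificates, for offline testing.

```python
import base64, re
# Standard PKCS#1 OIDs for the two signature algorithms the article contrasts.
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption: accepted by the trust step
RSASSA_PSS = "1.2.840.113549.1.1.10"        # id-RSASSA-PSS: named in the Cause section

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                    # long-form length, as in real certificates
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _oid(content):  # OID content octets -> dotted notation
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der):
    """Dotted OID of the outer signatureAlgorithm of a DER-encoded Certificate."""
    _, cert, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE { tbs, algId, signature }
    _, _, after_tbs = _tlv(cert, 0)          # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, after_tbs)     # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid, _ = _tlv(alg_id, 0)
    return _oid(oid)

def pem_to_ders(pem):
    """Split a PEM bundle (e.g. the chain served by the load balancer) into DER blobs."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_problems(pem):
    """Findings that would make the LB trust step fail: no CA certificate, RSASSA-PSS signature."""
    ders, findings = pem_to_ders(pem), []
    if len(ders) < 2:
        findings.append("no root/intermediate CA certificate in chain (%d cert found)" % len(ders))
    for i, der in enumerate(ders):
        if signature_algorithm(der) == RSASSA_PSS:
            findings.append("cert %d is signed with RSASSA-PSS; reissue with SHA-256/RSA" % i)
    return findings

def sample_pem(sig_oid):
    """CONSTRUCTED stand-in: empty tbsCertificate + chosen AlgorithmIdentifier + empty signature."""
    der = lambda tag, body: bytes([tag, len(body)]) + body        # short-form lengths suffice here
    oid = {SHA256_WITH_RSA: b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b",
           RSASSA_PSS: b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0a"}[sig_oid]
    cert = der(0x30, der(0x30, b"") + der(0x30, der(0x06, oid) + b"\x05\x00") + der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Run chain_problems on the saved PEM chain; an empty list means neither certificate cause applies and the connectivity or 3.3.7 causes should be checked next.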
vIDM 3.3.7 known issue.
VMware is aware of a known issue in version 3.3.7. See the Workaround section for additional information.
Workaround for version 3.3.7
Prerequisites
You have snapshots of all the nodes in the cluster.