Attempting to rotate vRA certificates through SDDC Manager fails on Certificate Generation.

Article ID: 324059

Updated On:

Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:
  • In /var/log/vmware/vcf/operationsmanager/operationsmanager.log, entries similar to the following are seen:
2019-10-05T02:43:38.724+0000 ERROR [19bb6115af364ce9,9b71] [c.v.v.c.ca.plugin.OpenSslCaService,om-exec-17] Generate signed certificate command execution failed
2019-10-05T02:43:38.724+0000 ERROR [19bb6115af364ce9,9b71] [c.v.v.c.s.o.i.CertificateOperationOrchestratorImpl,om-exec-17] Generate certificate failed for: vracafe1.rainpole.local
com.vmware.vcf.certmgmt.common.exception.CertificateManagementException: Generate signed certificate command execution failed
        at com.vmware.vcf.certmgmt.ca.plugin.OpenSslCaService.generateSignedCertificate(OpenSslCaService.java:209)
        at com.vmware.vcf.certmgmt.ca.plugin.OpenSslCaService.getCaChain(OpenSslCaService.java:152)
        at com.vmware.vcf.certmgmt.ca.plugin.OpenSslCaPlugin.getCertificateChain(OpenSslCaPlugin.java:40)
 
Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.
 
 


Environment

VMware Cloud Foundation 3.8.x

Cause

When the CSR is converted to PEM encoding, if the generated CSR's character length is a multiple of 64, an extra newline is appended before the footer tag, resulting in malformed PEM encoding.
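
A diagnostic sketch for the condition described above, added here as an example and not VMware's code. The function names are hypothetical, and `make_sample_pem` is an assumed reconstruction of the described behaviour that writes a constructed body of "A" characters rather than a real CSR.

```shell
#!/bin/sh
# Added example: checks a PEM file for the blank line before the footer.

# Return 0 if an empty line sits directly before an "-----END" footer line.
pem_has_blank_before_footer() {
    awk '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        /^-----END / && prev_blank { found = 1 }
        { prev_blank = ($0 ~ /^[ \t]*$/) }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Print the number of Base64 characters between the header and footer lines.
pem_body_length() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN / { inside = 1; next }
        /^-----END /   { inside = 0 }
        inside { gsub(/[ \t]/, ""); n += length($0) }
        END { print n + 0 }
    ' "$1"
}

# Write a copy of the file to stdout with all empty lines dropped.
pem_strip_blank_lines() {
    awk '{ sub(/\r$/, "") } !/^[ \t]*$/' "$1"
}

# Constructed sample, NOT a real CSR: N characters wrapped at 64 columns by a
# writer that ends every full line with a newline and then always adds one
# more newline before the footer (assumed form of the bug).
make_sample_pem() {
    awk -v n="$1" 'BEGIN {
        print "-----BEGIN CERTIFICATE REQUEST-----"
        for (i = 1; i <= n; i++) { printf "A"; if (i % 64 == 0) printf "\n" }
        printf "\n"
        print "-----END CERTIFICATE REQUEST-----"
    }'
}

# Example use on a CSR file (path is a placeholder):
#   pem_has_blank_before_footer <FQDN>.csr && echo "blank line before footer"
#   pem_body_length <FQDN>.csr      # affected files report a multiple of 64
```

A body length that is a multiple of 64 together with a positive result from `pem_has_blank_before_footer` matches the cause described here; any other length should not show the blank line.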

Resolution

This is a known issue and will be fixed in a future release.

Workaround:
To work around this issue, use the steps below:
  1. Open an SSH session to the SDDC Manager VM and change to the root user:
su -
  2. Copy the CSR file to /opt/vmware/vcf/operationsmanager/certificates/openssl-ca:
cp /opt/vmware/vcf/operationsmanager/certificates/<DomainName>/<FQDN>/<FQDN>.csr /opt/vmware/vcf/operationsmanager/certificates/openssl-ca
  3. Change to that directory:
cd /opt/vmware/vcf/operationsmanager/certificates/openssl-ca
  4. Execute the command below:
openssl ca -batch -config openssl.conf -out <FQDN>.crt -extensions v3_ext -infiles <FQDN>.csr
  5. Navigate back to the SDDC Manager UI and upload the newly generated CSR from the above command.