This issue is resolved in vRealize Automation 8.0.1.
Workaround:
To work around this issue, you can force installation of the certificate with the following steps:
1. Verify that your certificate meets the following criteria:
   - Includes all of the appliances' hostnames as subject alternative names (SANs)
   - Includes the load-balancer fully qualified domain name (FQDN) as a subject alternative name (SAN)
   - Doesn't include any wildcard (*) addresses
2. Compose a PEM file (private key and entire trust chain) that includes the following, in this order:
   - The RSA encrypted private key
   - The primary certificate in Base 64 format
   - All of the intermediate certificates in Base 64 format
   - The root CA certificate in Base 64 format

   Example:

       -----BEGIN RSA PRIVATE KEY-----
       (Private Key)
       -----END RSA PRIVATE KEY-----
       -----BEGIN CERTIFICATE-----
       (Primary SSL certificate)
       -----END CERTIFICATE-----
       -----BEGIN CERTIFICATE-----
       (Intermediate certificate)
       -----END CERTIFICATE-----
       -----BEGIN CERTIFICATE-----
       (Root CA certificate)
       -----END CERTIFICATE-----

3. SSH to one of the appliances and run the following command:

       # vracli certificate ingress --validate stdin --parse

   - Paste the entire PEM composed in step 2 and press CTRL+D.
   - This should result in the error below:

         Certificate with sha256 sum: SHA256_THUMBPRINT have errors in section 'v3_extensions'["Unable to parse certificate's ['v3_extensions']['critical'] section. ", "Unable to parse certificate's ['v3_extensions']['critical'] section. "]

   - You can ignore errors related to the v3_extensions critical section. If you receive any other verification errors, do not proceed; go back to steps 1 and 2 and verify your PEM.
4. Run the following command to force the certificate installation:

       # vracli certificate ingress --set stdin --force

   - Paste the PEM, same as step 2, and press CTRL+D.
5. Apply the PEM on all appliances by running the following command:
6. Wait until re-deployment is completed. Once ready, you should see a message similar to the one below:

       Prelude has been deployed successfully

7. Verify that the certificate has been changed successfully by navigating to the vRealize Automation portal.
You can proceed with replacing the VMware Identity Manager certificate from vRealize Suite Lifecycle Manager.
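A pre-flight check for the bundle criteria in steps 1 and 2, run before pasting the PEM into `vracli`. This is an added example, not part of the original article or VMware tooling. It assumes `openssl`, `awk` and `grep` are available where the PEM is prepared; the function name `check_bundle` and the script name are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not VMware code: pre-flight check of the PEM from steps 1 and 2.
# Usage: check_bundle BUNDLE.pem HOSTNAME...   (returns 0 when every check passes)
check_bundle() {
  local pem="$1" tmp rc=0 n i next sans h
  shift
  tmp=$(mktemp -d) || return 2
  # Step 2: the RSA private key must be the first PEM block in the file.
  [ "$(grep -m1 -e '-----BEGIN' "$pem")" = "-----BEGIN RSA PRIVATE KEY-----" ] ||
    { echo "FAIL: first PEM block is not the RSA private key"; rc=1; }
  # Split the certificates into cert1.pem (primary), cert2.pem, ... in file order.
  n=$(awk -v d="$tmp" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem"; w = 1 }
    w { print > f }
    /-----END CERTIFICATE-----/ { w = 0; close(f) }
    END { print n + 0 }' "$pem")
  if [ "$n" -lt 1 ]; then
    echo "FAIL: no certificate in bundle"; rm -rf "$tmp"; return 1
  fi
  # Step 1: every required hostname is a DNS SAN of the primary certificate.
  sans=$(openssl x509 -in "$tmp/cert1.pem" -noout -text |
    grep -o 'DNS:[^, ]*' | cut -d: -f2)
  for h in "$@"; do
    printf '%s\n' "$sans" | grep -qixF -e "$h" ||
      { echo "FAIL: SAN missing for $h"; rc=1; }
  done
  # Step 1: no wildcard entries.
  case "$sans" in *'*'*) echo "FAIL: wildcard SAN present"; rc=1 ;; esac
  # Step 2: each certificate's issuer name must equal the subject name of the
  # next certificate; the last one (root CA) must be self-issued. This compares
  # names only and does not verify signatures.
  i=1
  while [ "$i" -le "$n" ]; do
    if [ "$i" -lt "$n" ]; then next=$((i + 1)); else next=$i; fi
    [ "$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$tmp/cert$next.pem" -noout -subject_hash)" ] ||
      { echo "FAIL: certificate $i is not issued by certificate $next"; rc=1; }
    i=$((i + 1))
  done
  rm -rf "$tmp"
  [ "$rc" -eq 0 ] && echo "OK: bundle meets the criteria in steps 1 and 2"
  return "$rc"
}
# Run as a script: ./check_bundle.sh BUNDLE.pem HOSTNAME...
if [ "$#" -gt 0 ]; then check_bundle "$@"; fi
```

Pass every appliance hostname and the load-balancer FQDN as arguments. A passing result does not replace the `--validate` run in step 3.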