Renew Controller Certificate

Article ID: 334986

Updated On:

Products

VMware vSphere Kubernetes Service
VMware Avi Load Balancer

Issue/Introduction

This knowledge base article outlines the process for rotating the NSX Advanced Load Balancer (AVI) certificate and updating it on the VMware supervisor. Restarting the AKO pod ensures it picks up the new certificate to communicate with AVI. Expired certificates can lead to critical issues, including:

  • Renew NSX Advanced Load Balancer (AVI) Certificate for vSphere Supervisor
  • "could not find Tanzu Kubernetes cluster apiserver" and "Login failed: bad request" errors were seen when attempting to log in to new Tanzu Kubernetes clusters.
  • "tls: failed to verify certificate: x509: certificate has expired or is not yet valid" errors were observed in the AKO pod logs on the supervisor.

Environment

22.1.7

Cause

Certificates expired

Resolution

Create a new controller certificate

  1. Log in to the AVI UI.
  2. Go to Templates > Security > TLS certificate.
  3. Create a new certificate (controller certificate).
  4. Copy the certificate.
  5. Log in to the vSphere UI.
  6. Go to Cluster > Configure > Supervisor Cluster > Load Balancer > Edit certificate.

Assign this new controller certificate to the AVI controller itself

  1. Log in to the AVI UI.
  2. Go to Administration > Settings > Access Settings.
  3. Click the pencil icon to edit, and change the SSL/TLS certificate.

Validate

  1. SSH to the supervisor cluster and check the AKO pod:
    kubectl get pods -A | grep -i ako
  2. Restart the AKO pod, then confirm it is running:
    kubectl delete pod vmware-system-ako-ako-controller-manager-#### -n vmware-system-ako
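
The validation step above can be scripted so that "running" also means "no longer logging the certificate error". This is an added example, not VMware tooling or part of the original article; the function names and the `SINCE` variable are hypothetical, and it assumes the AKO pod name contains `ako-controller-manager` as in the delete command above.

```shell
#!/bin/sh
# Added example, not VMware tooling. Run on the supervisor after the restart.
NS="vmware-system-ako"   # namespace from the article's delete command

# stdin: `kubectl get pods -A --no-headers`; prints "name ready status"
# for each AKO controller-manager pod in $NS.
ako_pods() {
  awk -v ns="$NS" '$1 == ns && $2 ~ /ako-controller-manager/ { print $2, $3, $4 }'
}

# stdin: ako_pods output; succeeds only if at least one pod is listed and
# every pod is Running with all containers ready (for example 1/1).
all_ready() {
  awk 'NF >= 3 { n++; split($2, r, "/"); if ($3 != "Running" || r[1] != r[2]) bad++ }
       END { exit !(n > 0 && bad == 0) }'
}

# stdin: pod log text; prints how many lines carry the error quoted above.
count_cert_errors() {
  grep -c 'x509: certificate has expired or is not yet valid' || true
}

# Live check. SINCE is a hypothetical variable for the log window.
check_ako() {
  pods=$(kubectl get pods -A --no-headers | ako_pods)
  printf '%s\n' "$pods"
  printf '%s\n' "$pods" | all_ready || { echo "AKO pod is not ready"; return 1; }
  name=${pods%% *}
  logs=$(kubectl logs -n "$NS" "$name" --all-containers --since="${SINCE:-5m}") || return 1
  errs=$(printf '%s\n' "$logs" | count_cert_errors)
  echo "certificate validity errors in the last ${SINCE:-5m}: $errs"
  [ "$errs" -eq 0 ]
}

# Only touch the cluster when asked, so the functions can be sourced or tested.
case "${1:-}" in
  --check) check_ako ;;
  --demo)  # constructed line, not real cluster output
    echo "$NS vmware-system-ako-ako-controller-manager-#### 1/1 Running 0 2m" \
      | ako_pods | all_ready && echo "demo: ready" ;;
esac
```

Run it with `--check` a few minutes after deleting the pod; a non-zero exit means the pod is not ready or is still rejecting the controller certificate.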
