Manual method to replace the self-signed vip.crt certificate in vSphere with Tanzu
search cancel

Manual method to replace the self-signed vip.crt certificate in vSphere with Tanzu

book

Article ID: 370691

calendar_today

Updated On:

Products

VMware vSphere with Tanzu vSphere with Tanzu

Issue/Introduction

The /etc/vmware/wcp/tls/vip.crt certificate marked as expired and not able to connect securely to the Supervisor Cluster API Endpoint. 

In the vSphere Client, under Workload Management > Supervisor > "Supervisor Name" > Configure > Certificates you see that the Workload Platform Management certificate has expired:

Cause

The self-signed certificate located at /etc/vmware/wcp/tls/vip.crt has expired and the auto-rotation process has not been initiated.

This TLS certificate is served by the nginx proxy and runs in front of each CP VM on the workload network. It has a 1-year lifetime. Ideally, the vip.crt self-signed certificate will automatically rotate when wcpsvc detects it to be more than 50% of its lifetime (i.e., 6 months).

Resolution

1.  Validate vip.crt from the Supervisor node Control plane VM 

    • Check if the TLS endpoint certificate validity

# find / -type f \( -name "*.cert" -o -name "*.crt" \) -print 2>/dev/null | egrep -v 'ca.crt$|ca-bundle.crt$|kubelet\/pods|var\/lib\/containerd|run\/containerd' | xargs -L 1 -t -i bash -c 'openssl x509 -noout -text -in {}|grep After'

bash -c openssl x509 -noout -text -in /etc/vmware/wcp/tls/vip.crt|grep After
Not After : Dec 13 03:59:22 2xxx GMT

    • Check if certificates are self-signed or custom certificates. Below is an example of a self-signed certificate

# openssl x509 -in /etc/vmware/wcp/tls/vip.crt -text | grep CN

Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=vcxxxx.corp.example.org, OU=VMware Engineering
Subject: OU=vcxxxx.corp.example.org, CN=kube-apiserver-domain-c7

2. Generate a new vip.crt from vCenter Server

    • In the vSphere Client, navigate to the Supervisor Cluster, and In the Workload platform MTG pane, select Actions > Generate CSR.
    • Once the CSR is generated, click Copy.
    • SSH to the vCenter server and create a new file 'cert.csr' and copy the CSR content from GUI

# vi cert.csr

    • Generate a new cert using the below command.

# /usr/lib/vmware-vmca/bin/certool --gencertfromcsr --csrfile cert.csr --cert vip-renew.crt

3. Replace VIP certificate from vCenter Server GUI

    • copy the generated VIP certifciate

# cat vip-renew.crt

    • Go back to vCenter ServerGUI, Navigate to the the Workload platform MTG pane, select Actions > Replace Certificate.
    • Upload the newly generated certificate file and click Replace Certificate to replace the certificate.

Additional Information

If vip.crt using the custom signed certificate, The Certificate needs to be signed by CA to renew following below document

Replace the VIP Certificate to Securely Connect to the Supervisor API Endpoint

Powered by Wolken Software