Aria Automation Cloud Account tried to revalidate and shows error message "Unable to find valid certification path to requested target"


Article ID: 374798


Updated On:

Products

VMware vRealize Automation 8.x

Issue/Introduction

Symptoms:

  • Existing vSphere cloud accounts using self-signed certificates that have been deleted and later recreated.
  • Cloud accounts that use self-signed certificates in a multi-tenant environment will experience the same errors and require re-validation of the cloud account.
  • An error is displayed in the UI when it tries to load the configuration for the account while looking for available data centers, and the error is also displayed in the cloud account UI when the cloud account status is updated.
  • The data collection button for Image enumeration is disabled.
  • vSphere deployments and vSphere day-2 operations may be impacted until the user accepts/validates the certificate. Deployments may fail because no computes are found to provision to.
  • The IaaS API for vSphere cloud accounts using a self-signed certificate may show an error during cloud account creation. The following APIs may be impacted:
      • iaas/api/cloud-accounts
      • iaas/api/cloud-accounts-vsphere

 

The error displayed in the UI for the vSphere cloud account will look like this:

Endpoint validation failed during health check: FAILED with Revalidate the certificate associated with the endpoint: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

 

 

Impact:

  • Provisioning and day-2 operations on the cloud account will not work.
  • Remote Console (VMRC), which is one of the day-2 operations, will also display a missing certificate.
  • One or more of the errors described in the issue/symptoms will be seen for the cloud account. Enumeration, Image Enumeration, Provisioning and Day-2 operations will be impacted.

Environment

VMware Aria Automation 8.17

VMware Aria Automation 8.18

Cause

If the vSphere cloud account uses a self-signed certificate, the certificate must be accepted. Cloud accounts showing the symptoms above require an extra acceptance of the certificate.

Resolution

Re-enter the credentials for the vCenter cloud account. If a popup appears asking to accept the self-signed certificate, accept it and save the cloud account.

For IaaS API calls that use vSphere accounts with a self-signed certificate, the certificate thumbprint must be provided as part of the IaaS API call.

 

 

Workaround:

If re-validating the cloud account does not fix the issue, a system property CERTIFICATE_EXTRA_VALIDATION_FOR_VSPHERE_CLOUD_ACCOUNT can be set to disable the extra validation of the cloud account using a self-signed certificate.

This is done by modifying the deployment of provisioning-service with the command:

kubectl edit deployment provisioning-service-app -n prelude

When editing the deployment file, BE VERY CAREFUL WITH SPACES. DO NOT USE TABS. The new line MUST be aligned with the other options.
After that, add -DCERTIFICATE_EXTRA_VALIDATION_FOR_VSPHERE_CLOUD_ACCOUNT=false as shown below:

  - name: JAVA_OPTS
    value: |-
      -Dphoton-model.image.enumeration.azure.filter=CoreOS:CoreOS:Stable:;Canonical:UbuntuServer:16.04-LTS:;Canonical:0001-com-ubuntu-server-jammy:22_04-lts:
      -Dhttps.proxyHost=$(JAVA_PROXY_HOST)
      -Dhttp.proxyHost=$(JAVA_PROXY_HOST)
      -Dhttps.proxyPort=$(JAVA_PROXY_PORT)
      -Dhttp.proxyPort=$(JAVA_PROXY_PORT)
      -Dhttp.nonProxyHosts=$(JAVA_PROXY_NON_PROXY)
      -DCERTIFICATE_EXTRA_VALIDATION_FOR_VSPHERE_CLOUD_ACCOUNT=false

After modifying the config file, save the change by typing ":wq". To exit without saving, use ":q!". K8s will redeploy the pod with the new settings enabled.
The following command can be used to monitor the provisioning-service-app pods while they are restarted:

kubectl -n prelude get pods
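
To confirm afterwards which state the extra validation is in (useful when auditing where certificate validation has been relaxed), the JAVA_OPTS value can be classified as below. This is an added example, not part of the original article or of the product: the function names, the state labels and the sample value are constructed here, and the jsonpath assumes JAVA_OPTS is a container environment variable of the deployment, as the snippet above suggests.

```shell
#!/bin/sh
# Added example: classify the extra-validation flag inside a JAVA_OPTS string.
FLAG='CERTIFICATE_EXTRA_VALIDATION_FOR_VSPHERE_CLOUD_ACCOUNT'

# validation_state "<JAVA_OPTS text>"
# Prints one of: disabled | enabled | not-set | unrecognized | conflicting
# (state names are labels chosen for this example).
validation_state() (
    set -f                      # no globbing while word-splitting the options
    state="not-set"
    for tok in $1; do           # JVM options are separated by spaces/newlines
        case "$tok" in
            "-D${FLAG}=false") new="disabled" ;;
            "-D${FLAG}=true")  new="enabled" ;;
            "-D${FLAG}"|"-D${FLAG}="*) new="unrecognized" ;;  # typo or empty value
            *) continue ;;      # some other option, ignore it
        esac
        case "$state" in
            not-set|"$new") state="$new" ;;
            *) state="conflicting" ;;   # flag given twice with different values
        esac
    done
    printf '%s\n' "$state"
)

# Reads JAVA_OPTS from the live deployment (requires kubectl on the appliance).
# Assumption: JAVA_OPTS is set under spec.template.spec.containers[].env.
live_java_opts() {
    kubectl -n prelude get deployment provisioning-service-app \
        -o jsonpath='{.spec.template.spec.containers[*].env[?(@.name=="JAVA_OPTS")].value}'
}

# Constructed sample value, shortened from the snippet in the article.
SAMPLE_OPTS='-Dhttps.proxyHost=$(JAVA_PROXY_HOST)
-Dhttp.nonProxyHosts=$(JAVA_PROXY_NON_PROXY)
-DCERTIFICATE_EXTRA_VALIDATION_FOR_VSPHERE_CLOUD_ACCOUNT=false'

validation_state "$SAMPLE_OPTS"
# On the appliance: validation_state "$(live_java_opts)"
```

A result of "unrecognized" or "conflicting" points to an editing mistake in the deployment, and "disabled" marks an environment where the workaround is still in place.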

Additional Information

The Day-2 operation for "Virtual Machine Remote Console" may not work properly and errors may be seen.

Apply the above resolution steps and verify the symptoms for re-validation of the cloud account with the self-signed certificate.

The additional certificate validation would be disabled for multiple tenants using the same vCenter.