Expired SAML Certificate Email Alerts are received
Article ID: 376068


Products

VMware Cloud Director

Issue/Introduction

  • Expired certificate email alerts are received by Cloud Director tenant users.
  • When removing an unassigned SAML certificate, you receive the error:

    The VMware Cloud Director entity com.vmware.vcloud.entity.org:<ORG_ID> does not exist.

  • You observe a message similar to the following:

    "Your certificate library item SAML Encryption-2023-06-27-14-54-24 (id: xxxx.xxxx.xxxxx.xxx, description: SAML encryption certificate and key) expired X day(s) ago".

Environment

VMware Cloud Director 10.6.x

Cause

In Cloud Director 10.6, users will receive an email if there is an expired SAML SSL certificate stored in the Administration > Certificate Management > Certificate Library for the Tenant.

When Cloud Director generates a new SAML certificate, it does not remove the old pair. The leftover pair can also cause issues at the Provider level should the associated Organization/Tenant be removed.

Resolution

To resolve this issue:

  1. In the Provider UI select the Organization which has the expired SAML certificate and click the link to open the tenant UI.
  2. In the Tenant UI for the Organization, navigate to Administration -> Certificates Library.
  3. From the Certificate Library locate the expired Certificate (it should have a value of '0' for Consumers) and remove it.

The ID value in the email is the certificate ID within the certificate library. To identify the tenant associated with that ID, query the certificateLibraryItem consumers API, as in this example:

GET /cloudapi/1.0.0/ssl/certificateLibrary/urn:vcloud:certificateLibraryItem:<id_value_from_email>/consumers

Note: If Consumers shows a value of '1' for the expired certificate, renew the certificate first. Use the Cloud Director API POST /admin/org/{id}/settings/federation/action/regenerateFederationCertificate to regenerate a federation certificate for the Tenant. Details of this API method are available in the VMware Cloud Director API documentation.
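The triage above (read the certificate ID out of the alert, build the consumers query, then decide between removing an unassigned certificate and regenerating an assigned one) as an added Python example; it is not part of this article or of Cloud Director. The alert text, the certificate ID and the paged `resultTotal`/`values` response shape are constructed assumptions, and nothing here contacts a Cloud Director cell.

```python
import re

# Constructed sample alert, modelled on the message quoted in this article.
SAMPLE_ALERT = (
    "Your certificate library item SAML Encryption-2023-06-27-14-54-24 "
    "(id: 1234abcd-0000-1111-2222-333344445555, description: SAML encryption "
    "certificate and key) expired 3 day(s) ago"
)

ALERT_RE = re.compile(
    r"certificate library item (?P<alias>.+?) \(id: (?P<id>[^,]+), "
    r"description: (?P<desc>[^)]*)\) expired (?P<days>\d+) day\(s\) ago"
)


def parse_alert(text):
    """Extract alias, certificate ID, description and days expired from the alert body."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("text is not an expired-certificate alert")
    return {
        "alias": m["alias"],
        "id": m["id"].strip(),
        "description": m["desc"],
        "days_expired": int(m["days"]),
    }


def consumers_path(cert_id):
    """Build the consumers query path from the article; the e-mail ID is the URN suffix."""
    return f"/cloudapi/1.0.0/ssl/certificateLibrary/urn:vcloud:certificateLibraryItem:{cert_id}/consumers"


def count_consumers(response):
    """Count consumers in the decoded JSON reply (assumed paged shape: resultTotal + values)."""
    return int(response.get("resultTotal", len(response.get("values", []))))


def plan_action(consumer_count, org_id):
    """Apply the article's rule: 0 consumers -> remove from the library; otherwise regenerate first."""
    if consumer_count == 0:
        return ("remove", "Expired certificate has no consumers: remove it via Administration -> Certificates Library")
    return ("regenerate", f"POST /admin/org/{org_id}/settings/federation/action/regenerateFederationCertificate")


if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(consumers_path(alert["id"]))
    # Constructed reply standing in for the API response.
    print(plan_action(count_consumers({"resultTotal": 0, "values": []}), "<ORG_ID>"))
```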


Note: To reduce the frequency of reminder emails, use the Cell-Management-Tool manage-config option to set the following value:

  • Name: notifyExpiringCertificateLibraryEntriesJob.repeat.interval.days
  • Value: <Number of days between reminder email>
  • Default Value: 1


Depending on email settings, a System Admin may in some instances receive an email for a Tenant's expired certificates. As of 10.6 GA, the Tenant reference is not included in that email, which makes the procedure above impractical at scale. In that case:

  1. Access the Cloud Director database.
  2. Identify the Organizations that hold SAML certificates with no consumers:

select name,display_name from organization where org_id in (select org_id from certificate_library_item where alias like '%SAML%' and id not in (select cert_library_item_id from certificate_library_item_consumer));

Those certificates can then be cleared via the UI.

Additional Information

If you encounter issues removing the certificate via the UI, contact technical support and note this Knowledge Article ID (376536) in the problem description. For more information, see How to Submit a Support Request.

If you have removed the certificate from the UI but still receive emails, see Email notification for not existing expired certificates in certificate library.