Deploying Aria Suite LCM from SDDC manager fails at 'Request and Configure VMware Aria Suite Lifecycle SSL Certificate'

Article ID: 377146

Products

  • VMware Aria Suite
  • VMware Cloud Foundation 5.x
  • VMware Cloud Foundation

Issue/Introduction

  • Deploying Aria Suite LCM from SDDC manager fails at 'Request and Configure VMware Aria Suite Lifecycle SSL Certificate' 
  • Error in SDDC Manager UI
    A problem has occurred on the server. Please retry or contact the service provider and provide the reference token
    
    Cause: 400 : "{"status":"","message":"Validations failed for certificate.","errorCode":"LCM_CERTIFICATE_API_ERROR0001","errorLabel":"Certificate request payload is invalid.","recommendations":[]
  • Error in SDDC Manager domainmanager.log (/var/log/vmware/vcf/domainmanager/domainmanager.log)
    yyyy-mm-ddThh:mm:ss DEBUG [vcf_dm,xxxxxxxxxxxxxxxxxxx,d5fc] [c.v.e.s.r.c.LoggingHttpRequestInterceptor,dm-exec-15]  Request URI: https://vcf-lab-m01-aria.example.com/lcm/locker/api/v2/certificates/import
    Request method: POST
    Request body: {"alias":"vcf-lab-m01-aria.example.com","certificateChain":"*****","privateKey":"*****"}
    Response code: 400 BAD_REQUEST
    Response headers: [Date:"Mon, 19 Aug 2024 08:31:35 GMT", Content-Type:"application/json;charset=UTF-8", Transfer-Encoding:"chunked", Connection:"keep-alive", Set-Cookie:"JSESSIONID=xxxxxxxxxxxxxxxxxxxA1B15; Path=/; HttpOnly; Secure; HttpOnly; SameSite=xx", X-Content-Type-Options:"nosniff", X-XSS-Protection:"1; mode=block", Cache-Control:"no-cache, no-store, max-age=0, must-revalidate", Pragma:"no-cache", Expires:"0", X-Frame-Options:"DENY", Content-Security-Policy:"script-src 'self'", Strict-Transport-Security:"max-age=31536000; includeSubDomains", Lcm-API-Version:"8.0"]
    Response body: {"status":"","message":"Validations failed for certificate.","errorCode":"*****","errorLabel":"Certificate request payload is invalid.","recommendations":[]}
    yyyy-mm-ddThh:mm:ss ERROR [vcf_dm,xxxxxxxxxxxxxxxxxxx,d5fc] [c.v.e.s.o.model.error.ErrorFactory,dm-exec-15]  [4UTQRS] VCF_ERROR_INTERNAL_SERVER_ERROR Invocation of prefix '' part of task GenerateVrslcmCertificate in plugin VrslcmPlugin failed with exception.
    com.vmware.evo.sddc.common.core.error.InternalServerErrorException: Invocation of prefix '' part of task GenerateVrslcmCertificate in plugin VrslcmPlugin failed with exception.
            
    		
    Caused by: org.springframework.web.client.HttpClientErrorException$BadRequest: 400 : "{"status":"","message":"Validations failed for certificate.","errorCode":"LCM_CERTIFICATE_API_ERROR0001","errorLabel":"Certificate request payload is invalid.","recommendations":[]}"
  • Error in vmware_vrlcm.log  
    yyyy-mm-ddThh:mm:ss ERROR vrlcm[1242] [http-nio-8080-exec-2] [c.v.v.l.l.c.CertificateStoreController]  -- Failed to import certificate.
    com.vmware.vrealize.lcm.common.exceptions.InvalidCertificateException: Validations failed for certificate.
            at com.vmware.vrealize.lcm.locker.service.pki.CertificateStoreService.validateAndWrite(CertificateStoreService.java:96) ~[vmlcm-locker-core-8.18.0-SNAPSHOT.jar!/:?]

Environment

VMware Cloud Foundation

Cause

  • Time skew between SDDC Manager and the vRSLCM appliance.
  • Because the certificate is created in real time, SDDC Manager and vRSLCM should be in the same time zone. If SDDC Manager is "ahead" in time, vRSLCM rejects the certificate because it is not yet valid from the Aria appliance's point of view.
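The skew can also be estimated from the domainmanager.log excerpt shown above, as an added example that is not part of the original article or VMware tooling: the entry's own timestamp is written by SDDC Manager, while the `Date` response header is stamped by the vRSLCM side. The log timestamp layout (masked in the article), the UTC default, the sample values and the 60-second tolerance are assumptions.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the page masks the log timestamp, so this value and its
# layout (ISO 8601 with a UTC offset) are assumptions, not real log output.
SAMPLE_LOG = """\
2024-08-19T08:36:41.512+0000 DEBUG [vcf_dm,0000000000000000,d5fc] [c.v.e.s.r.c.LoggingHttpRequestInterceptor,dm-exec-15]  Request URI: https://vcf-lab-m01-aria.example.com/lcm/locker/api/v2/certificates/import
    Request method: POST
    Response code: 400 BAD_REQUEST
    Response headers: [Date:"Mon, 19 Aug 2024 08:31:35 GMT", Content-Type:"application/json;charset=UTF-8"]
"""

TS_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:[.,]\d+)?(Z|[+-]\d{2}:?\d{2})?")
DATE_HDR_RE = re.compile(r'Response headers: \[.*?\bDate:"([^"]+)"')

def parse_log_ts(line):
    """Return the leading log timestamp as an aware datetime, or None."""
    m = TS_RE.match(line.strip())
    if not m:
        return None
    offset = m.group(2)
    if offset in (None, "Z"):          # assumption: no offset means UTC
        offset = "+0000"
    return datetime.strptime(m.group(1) + offset.replace(":", ""), "%Y-%m-%dT%H:%M:%S%z")

def find_skews(log_text):
    """Return [(sddc_time, lcm_time, skew_s)]; skew_s > 0 means SDDC Manager is ahead."""
    results, last_ts = [], None
    for line in log_text.splitlines():
        last_ts = parse_log_ts(line) or last_ts   # timestamp of the enclosing entry
        m = DATE_HDR_RE.search(line)
        if m and last_ts:
            lcm = parsedate_to_datetime(m.group(1))
            if lcm.tzinfo is None:
                lcm = lcm.replace(tzinfo=timezone.utc)
            results.append((last_ts, lcm, (last_ts - lcm).total_seconds()))
    return results

def verdict(skew_s, tolerance_s=60):
    """Classify the skew; tolerance_s is an illustrative threshold."""
    if skew_s > tolerance_s:
        return "SDDC_AHEAD"      # certificate notBefore can be in vRSLCM's future
    if skew_s < -tolerance_s:
        return "SDDC_BEHIND"
    return "IN_SYNC"

if __name__ == "__main__":
    for sddc, lcm, skew in find_skews(SAMPLE_LOG):
        print(f"SDDC Manager {sddc.isoformat()}  vRSLCM {lcm.isoformat()}  skew {skew:+.0f}s  {verdict(skew)}")
```

A result of `SDDC_AHEAD` matches the failure described in this article; the estimate includes request latency, so treat small values as noise and confirm with `date` on both appliances.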

Resolution

  • Use the following command to verify the date and time on both the vRSLCM appliance and SDDC Manager.
    date
  • If the times differ, fix the discrepancy by pointing both appliances at the same NTP server.
  • If the Aria deployment was rolled back and the vRSLCM appliance no longer exists, restart the deployment of Aria Suite LCM from SDDC Manager and configure the same NTP servers on both appliances.

 

Refer to the Update NTP Server Configuration document for NTP server configuration in a VCF environment.