Supervisor Upgrade Stuck or Fails due to missing authorityKeyIdentifier
search cancel

Supervisor Upgrade Stuck or Fails due to missing authorityKeyIdentifier

book

Article ID: 379207

calendar_today

Updated On:

Products

VMware vSphere Kubernetes Service VMware vCenter Server 8.0

Issue/Introduction

After upgrading the vCenter Server Appliance to version 8.0 Update 3, updating a Supervisor Cluster in a vSphere with Tanzu environment may encounter issues if the cluster was initially deployed on Supervisor Kubernetes version 1.19 and later upgraded to Supervisor releases supported in vCenter 8.0 Update 3 (Supervisor Kubernetes versions 1.29, 1.28, and 1.27) 

- The first Supervisor Control Plane VM deployed does not have a second network interface
- The following errors and alerts are seen in the Workload Management menu, 

  • Workload management → Supervisor → Config Status

Configured ControlPlane VMs
Configruation error (since MM/DD/YYY, HH:MM:SS PM)
Configure operation for the master node VM with vm-##### failed

Configured Supervisor Control Plane VM as Kubernetes Control Plane Node
Configuration error (sinc MM/DD/YYYY HH:MM:SS PM)
System error occurred on Master node with identifier ########################. Details: Base configuration of node ######################## failed as a Kubernetes node. See /var/log/vmware-imc/configure-wcp.stderr on control plane node ######################## for more information.  

- The following errors are seen in the newly deployed Supervisor Control Plane VM : 

  • /var/log/vmware-imc/configure-wcp.stderr

YYYY-MM-DD error unmarsharling configuration schema.GroupVersionKind(Group:"kubeproxy.config.k8s.io", Version:"v1alpha1", Kind: "KubeProxy", "udpIdleTimeout") to download the KubeletConfiguration from ConfigMap "kubelet-config" unmarsharling configuration schema.GroupVersionKind(Group:"kubelet.config.k8s.io", Version:"v1beta1", Kind: "KubeletConfig") metadata looking for default routes with IPv4 addresses

Error adding certificate extensions from config section server_cert_ext
############0000:error:########:X509 V3 routines:v2i_AUTHORITY_KEYID:unable to get issuer keyid:crypto/x509/v3_akid.c:177:
############0000:error:########:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=server_cert_ext, name=authorityKeyIdentifier, value=keyid

Environment

vCenter server 8.0 Update 3

vSphere with Tanzu

Cause

The Supervisor Control Plane VM's OpenSSL configuration found at /etc/vmware/wcp/openssl.conf is missing the issuer value for the authorityKeyIdentifier

Resolution

This issue is resolved in vCenter Server version 8.0 Update 3e and later. Since the fix cannot be retroactively applied if the upgrade has already started, a workaround is necessary. For assistance, please contact VMware by Broadcom Technical Support and reference this KB article

Powered by Wolken Software