Re-enabling the WCP cluster fails to complete: spherelets are configuring endlessly and CLBO pods show a "no availability zones" error

Article ID: 380240


Updated On:

Products

VMware vSphere with Tanzu

Issue/Introduction

After deleting a TKG cluster, creating a new one gets stuck at the cluster-enabling stage.

Looking into AKO logs, you can see something similar to this:

####-##-##T##:##:##.##### stderr F E0816 ##:##:##.#####       1 avisession.go:668] Client error for URI: login. Error: Post "https://<IP-ADDRESS>/login": x509: cannot validate certificate for <IP-ADDRESS> because it doesn't contain any IP SANs
####-##-##T##:##:##.##### stderr F E0816 ##:##:##.#####       1 avisession.go:714] CheckControllerStatus is disabled for this session, not going to retry.
####-##-##T##:##:##.##### stderr F E0816 ##:##:##.#####       1 avisession.go:716] Failed to invoke API. Error: Post "https://<IP-ADDRESS>/login": x509: cannot validate certificate for <IP-ADDRESS> because it doesn't contain any IP SANs
####-##-##T##:##:##.##### stderr F E0816 ##:##:##.#####       1 avisession.go:383] response error: Rest request error, returning to caller: Post "https://<IP-ADDRESS>/login": x509: cannot validate certificate for <IP-ADDRESS> because it doesn't contain any IP SANs
####-##-##T##:##:##.##### stdout F ####-##-##T##:##:##.#####        ^[[31mERROR^[[0m        ingestion/vcf_k8s_controller.go:381     Failed to connect to AVI controller using secret provided by NCP, the secret would be deleted, err: Rest request error, returning to caller: Post "https://<IP-ADDRESS>/login": x509: cannot validate certificate for <IP-ADDRESS> because it doesn't contain any IP SANs

Cause

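The NSX ALB certificate is not correctly formed: the IP address is listed as a DNS entry in the Subject Alternative Name instead of as an IP entry.

In the user's environment, the certificate contains: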

            X509v3 Subject Alternative Name:
                DNS:nsxlb.<FQDN>, DNS:<IP-ADDRESS>

And it should be something like:

            X509v3 Subject Alternative Name:
                DNS:nsxlb.<FQDN>, IP.1:<IP-ADDRESS>

Resolution

Recreate the certificate on the NSX side, making sure that the IP SANs are correctly specified:

            X509v3 Subject Alternative Name:
                DNS:nsxlb.<FQDN>, IP.1:<IP-ADDRESS>


Once the certificate is created, remove and re-add avi-onboarding via the NSX API.

Then reinstall the Supervisor cluster.