Embedded vRO Integration is broken after replacing certificate.
search cancel

Embedded vRO Integration is broken after replacing certificate.

book

Article ID: 380251

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Embedded VRO integration is not in healthy state after VRA certificate replacement

910001: Can not connect to Automation Orchestrator Server. org.springframework.web.reactive.function.client.WebClientRequestException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Environment

VMware Aria Automation 8.x
VMware vRealize Automation 8.x

Cause

Trust is broken between Aria Automation and vRealize Orchestrator when the Orchestrator certificate is replaced.

Resolution

To workaround this issue you need to update the Integration endpoint data using API

Steps for Aria Automation without multi tenancy:

  1. Obtain a Bearer token following the article Generate Access_Token/Bearer_Token in VRA 8.x for API Authentication
    You will use this as <Token> value in the below steps. 

  2. Get the certificate of VCO endpoint
    openssl s_client -connect <VRA_FQDN>:443 2> /dev/null | openssl x509 | awk 'NF {sub(//, "");  printf "%s\\n",$0;}'

  3. Get the info and ID of the all Integrations
    curl -k "https://<VRA_FQDN>/iaas/api/integrations/?apiVersion=2021-07-15" -H "Authorization: Bearer <Token>" | jq -r '.content[] | .id + "," + .name'

    Example: results:
    <Integration-ID>,embedded-ABX-onprem
    <Integration-ID>,raas
    <Integration-ID>,gss support
    <Integration-ID>,embedded-VRO
    Note: The <Integration-ID> can be retrieved from Orchestrator UI as seen below


  4. Get the info VRO endpoint details:
    curl -k "https://<VRA_FQDN>/iaas/api/integrations/<Integration ID captured in step-3>?apiVersion=2021-07-15" -H "Authorization: Bearer <Token>" | jq .

  5. Patch the endpoint using API
    curl -v -k -X PATCH "https://<VRA_FQDN>/iaas/api/integrations/<Integration ID captured in step-3>?apiVersion=2021-07-15"  -H "Accept: application/json" -H 'Content-Type: application/json' -H "Authorization: Bearer <Token>" --data-raw  '{"certificateInfo": {"certificate":"Certificate content captured in step 2"}}'

    Body with just certificate:
    {
       "certificateInfo": {
          "certificate": "Certificate content captured in step 2"
          }
     }

  6. When you apply certificate you validate check the Integration properties 

  7. After cert is applied, data collection is fine but you still see error: "910000: Error : Can not connect to the Automation Orchestrator Server...". To fix this error you must patch vCO Integration "vroUnresponsiveReason" property.

  8. Patch the endpoint using API
    curl -v -k -X PATCH "https://<VRA_FQDN>/iaas/api/integrations/<Integration ID captured in step-3>?apiVersion=2021-07-15"  -H "Accept: application/json" -H 'Content-Type: application/json' -H "Authorization: Bearer <Token>" --data-raw  '{"customProperties": {"vroUnresponsiveReason":"}}'

    Body with just certificate:
     {
         "customProperties": {
         "vroUnresponsiveReason":""}
     }
Powered by Wolken Software