Embedded vRO Integration is broken after replacing certificate.


Article ID: 380251


Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • The embedded vRO integration is not in a healthy state after the vRA certificate is replaced.

910001: Can not connect to Automation Orchestrator Server. org.springframework.web.reactive.function.client.WebClientRequestException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Environment

  • VMware Aria Automation 8.x
    VMware Aria Automation Orchestrator 8.x

Cause

  • When the Orchestrator certificate is replaced, trust is broken between Aria Automation and Aria Automation Orchestrator.

Resolution

  • To work around this issue, update the integration endpoint data using the API.
  • Steps for Aria Automation without multi-tenancy:
    1. Obtain a Bearer token following the article Generate Access_Token/Bearer_Token in VRA 8.x for API Authentication

      You will use this as the <Token> value in the steps below.

    2. Get the certificate of the VCO endpoint

      openssl s_client -connect <VRA_FQDN>:443 </dev/null 2>/dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}'

    3. Get the info and ID of all integrations:

      curl -k "https://<VRA_FQDN>/iaas/api/integrations/?apiVersion=2021-07-15" -H "Authorization: Bearer <Token>" | jq -r '.content[] | .id + "," + .name'

      Example results:
      <Integration-ID>,embedded-ABX-onprem
      <Integration-ID>,raas
      <Integration-ID>,gss support
      <Integration-ID>,embedded-VRO
      Note: The <Integration-ID> can also be retrieved from the Orchestrator UI.

    4. Get the vRO integration details:

      curl -k "https://<VRA_FQDN>/iaas/api/integrations/<Integration ID captured in step-3>?apiVersion=2021-07-15" -H "Authorization: Bearer <Token>" | jq .

    5. Patch the integration using API:

      curl -v -k -X PATCH "https://<VRA_FQDN>/iaas/api/integrations/<Integration ID captured in step-3>?apiVersion=2021-07-15"  -H "Accept: application/json" -H 'Content-Type: application/json' -H "Authorization: Bearer <Token>" --data-raw  '{"integrationProperties": {"certificate":"Certificate content captured in step 2"}}'

      Body with just certificate:

      {
        "integrationProperties": {
          "certificate": "Certificate content captured in step 2"
        }
      }

    6. After you apply the certificate, you can check the integration properties.

    7. After the certificate is applied, data collection is fine, but you still see the error: "910000: Error : Can not connect to the Automation Orchestrator Server...".

      To fix this error, you must patch the vCO integration and correct, or zero out, the properties that are in an invalid state, for example:

      set "vroUnresponsiveReason":"" (empty value) or set "vro-responsive": "true"

    8. Patch the integration using API:

      curl -v -k -X PATCH "https://<VRA_FQDN>/iaas/api/integrations/<Integration ID captured in step-3>?apiVersion=2021-07-15" -H "Accept: application/json" -H 'Content-Type: application/json' -H "Authorization: Bearer <Token>" --data-raw '{"customProperties": {"vroUnresponsiveReason":""}}'

      Body with just vroUnresponsiveReason:

      {
        "customProperties": {
          "vroUnresponsiveReason": ""
        }
      }

    9. If updating the integration fails because the properties are read-only, open a case with the support team and ask for help.
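
Steps 2 and 5 pin whatever certificate the endpoint presents, and step 2 discards stderr, so an empty or unexpected certificate is easy to miss. The following is an added example, not part of the original article: it checks the PEM saved from step 2 against a SHA-256 fingerprint you already trust before emitting the step 5 body. The function names and file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the article): check the PEM fetched in step 2 against
# a fingerprint you already trust, then build the step 5 PATCH body.
# Function names are hypothetical. Assumes GNU coreutils (base64 -d, sha256sum).

# Lowercase hex SHA-256 of the first certificate on stdin (hash of its DER bytes).
pem_sha256() {
  awk '/-----BEGIN CERTIFICATE-----/ {on = 1; next}
       /-----END CERTIFICATE-----/   {exit}
       on {gsub(/[ \t\r]/, ""); printf "%s", $0}' |
    base64 -d | sha256sum | awk '{print $1}'
}

# Accept "sha256 Fingerprint=AA:BB:..." (openssl output) or bare hex.
normalize_fp() {
  printf '%s\n' "$1" | sed 's/.*=//' | tr -d ': ' | tr 'A-F' 'a-f'
}

# Fold the PEM onto one line with literal \n separators, wrapped in the
# JSON body shown in step 5. CRs and blank lines are dropped.
patch_body() {
  awk 'BEGIN {printf "{\"integrationProperties\": {\"certificate\":\""}
       {sub(/\r$/, "")}
       NF {printf "%s\\n", $0}
       END {printf "\"}}\n"}'
}

# Usage: verified_patch_body <pem-file> <expected-sha256>
# Returns 2 if the file holds no certificate (for example s_client failed
# silently because stderr was discarded), 1 on fingerprint mismatch.
verified_patch_body() {
  local pem_file=$1 expected actual
  grep -q -e '-----BEGIN CERTIFICATE-----' "$pem_file" || return 2
  expected=$(normalize_fp "$2")
  actual=$(pem_sha256 < "$pem_file")
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: fetched $actual, expected $expected" >&2
    return 1
  fi
  patch_body < "$pem_file"
}

# The expected fingerprint comes from the certificate file you installed, e.g.:
#   openssl x509 -in <installed-cert.pem> -noout -fingerprint -sha256
# verified_patch_body fetched.pem "<fingerprint>" > body.json
# then pass it to the step 5 curl with --data @body.json instead of --data-raw.
```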