When you establish a secure connection to an endpoint or host that presents an unknown certificate chain, the LCM is unable to validate the chain.
2024-10-21T12:15:59.037Z ERROR vrlcm[1254] [http-nio-8080-exec-7] [c.v.v.l.l.s.LoadBalancerServiceImpl] -- Error occurred while trying to authenticate to the Avi Controller
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
...
Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:298) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkTrusted(ProvX509TrustManager.java:257) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
at org.bouncycastle.jsse.provider.ProvX509TrustManager.checkServerTrusted(ProvX509TrustManager.java:158) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
at org.bouncycastle.jsse.provider.ExportX509TrustManager_7.checkServerTrusted(ExportX509TrustManager_7.java:49) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
at org.apache.http.ssl.SSLContextBuilder$TrustManagerDelegate.checkServerTrusted(SSLContextBuilder.java:413) ~[aria-cloud-edition-common-library11-1.0.0-SNAPSHOT.jar!/:?]
at org.bouncycastle.jsse.provider.ImportX509TrustManager_5.checkServerTrusted(ImportX509TrustManager_5.java:68) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
at org.bouncycastle.jsse.provider.ProvSSLSocketWrap.checkServerTrusted(ProvSSLSocketWrap.java:126) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
... 176 more
Caused by: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
VMware Aria Suite Lifecycle 8.x
The certificate is marked as invalid because Aria Suite Lifecycle does not have all the CAs in the certificate chain.
If you cannot import the certificate into the LCM locker because you do not have the private key, you can add the certificate to the Aria Suite Lifecycle key tool using the following steps:
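As an added example (not part of the original article or the product's own tooling), the following Python script triages a log in the format shown above: it attaches each "Caused by" chain to its log entry and flags entries whose cause is a certificate chain-building failure rather than some other TLS or network error. The sample log is constructed from the excerpt above with stack frames trimmed; the second entry and its logger name are invented for contrast.

```python
import re

# Constructed sample: first entry trimmed from the excerpt above; the second
# entry (ExampleServiceImpl, timeout) is invented for contrast.
SAMPLE_LOG = """\
2024-10-21T12:15:59.037Z ERROR vrlcm[1254] [http-nio-8080-exec-7] [c.v.v.l.l.s.LoadBalancerServiceImpl] -- Error occurred while trying to authenticate to the Avi Controller
org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
...
Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:298) ~[bctls-jdk15on-1.65.jar:1.65.00.0]
... 176 more
Caused by: java.security.cert.CertPathBuilderException: Unable to find certificate chain.
2024-10-21T12:16:03.000Z ERROR vrlcm[1254] [http-nio-8080-exec-9] [c.v.v.l.l.s.ExampleServiceImpl] -- Request failed
java.net.SocketTimeoutException: Read timed out
"""

ENTRY = re.compile(r"^(\S+) (ERROR|WARN|INFO|DEBUG) vrlcm\[\d+\] \[[^\]]+\] \[([^\]]+)\] -- (.*)$")
EXC = re.compile(r"^(?:Caused by: )?((?:[\w$]+\.)+[\w$]+): (.*)$")


def triage(log_text):
    """Attach each exception chain to its log entry and flag trust-chain failures."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        head = ENTRY.match(line)
        if head:
            entries.append({"time": head.group(1), "logger": head.group(3),
                            "message": head.group(4), "chain": []})
        elif entries and not line.startswith(("at ", "...")):  # skip frames, elisions
            exc = EXC.match(line)
            if exc:
                entries[-1]["chain"].append(exc.groups())
    for e in entries:
        chain = e.pop("chain")
        # The last "Caused by" is the root cause; the first line is only the symptom.
        e["root_cause"] = ": ".join(chain[-1]) if chain else None
        e["trust_chain_failure"] = any(
            name.endswith("CertPathBuilderException")
            or (name.endswith("CertificateException") and "chain" in detail)
            for name, detail in chain)
    return entries


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print(entry["time"], entry["logger"], entry["trust_chain_failure"], entry["root_cause"])
```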
Prerequisites
Take a snapshot of the Aria Suite Lifecycle appliance.
Procedure
1. SSH / PuTTY into one Aria Automation virtual appliance in the cluster.
2. Run the following command, which executes the script:
bash -c "$(base64 -d <<< "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")"