Replacement of Microsoft CA signed certificate in Aria Automation or Aria Orchestrator fails during validation phase.

Article ID: 385447

Products

VMware Aria Suite

Issue/Introduction

Certificate replacement and validation operations fail in Aria Automation and Aria Orchestrator version 8.16.1 and later.
When setting or validating a Microsoft CA signed certificate that contains the MSCertificateTemplate v3 extension, either manually or through vRLCM, the following error is recorded in the vRLCM logs:

ValueError: error parsing asn1 value: ParseError
{ kind: InvalidValue, location: ["MSCertificateTemplate::template_id"] }

Environment

Aria Automation 8.16.1 and later

Cause

The internal OS upgrade from PhotonOS 3 to PhotonOS 4 in Aria Automation 8.16.1 brings a newer version of Python's cryptography library.
This version introduces the MSCertificateTemplate object. With certain formatting of a certificate's MSCertificateTemplate extension,
the cryptography library is unable to parse the certificate chain and raises the parsing error quoted in the Issue/Introduction section of this KB.
As a result, the vracli certificate --set, --validate and --parse commands fail with that exception.
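This KB does not say which extension formatting the library rejects. As an added diagnostic (not VMware code and not the cryptography library's parser), the standard-library Python below locates the MS certificate-template extension (OID 1.3.6.1.4.1.311.21.7) in a DER-encoded certificate or extension blob and reports whether its template_id decodes as a well-formed OID, so you can tell which certificate in a chain carries the extension before replacing it. The sample bytes are constructed for the example, not taken from a real CA.

```python
# DER encoding of szOID_CERTIFICATE_TEMPLATE (1.3.6.1.4.1.311.21.7): tag 06, len 09, arcs.
MS_TEMPLATE_OID_DER = bytes.fromhex("06092b0601040182371507")

def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID contents -> dotted string; reject an empty OID or a truncated last arc."""
    if not raw or raw[-1] & 0x80:                       # continuation bit still set
        raise ValueError("truncated or empty OID")
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def inspect_ms_template(der):
    """None if no MS template extension is present; else template_id, versions, error."""
    idx = der.find(MS_TEMPLATE_OID_DER)
    if idx < 0:
        return None
    result = {"template_id": None, "major": None, "minor": None, "error": None}
    tag, start, end = _tlv(der, idx + len(MS_TEMPLATE_OID_DER))
    if tag == 0x01:                                     # optional 'critical' BOOLEAN
        tag, start, end = _tlv(der, end)
    if tag != 0x04:                                     # extnValue must be an OCTET STRING
        return dict(result, error="extnValue is not an OCTET STRING")
    _, seq_start, seq_end = _tlv(der, start)            # OCTET STRING wraps the SEQUENCE
    tag, s, e = _tlv(der, seq_start)                    # templateID OBJECT IDENTIFIER
    try:
        result["template_id"] = _decode_oid(der[s:e])
    except ValueError as exc:
        result["error"] = f"template_id: {exc}"
        return result
    for key in ("major", "minor"):                      # majorVersion, minorVersion OPTIONAL
        if e >= seq_end:
            break
        tag, s, e = _tlv(der, e)
        result[key] = int.from_bytes(der[s:e], "big", signed=True)
    return result

# Constructed samples (not from a real CA): a well-formed extension, and a copy whose
# template_id ends in a byte with the continuation bit set (truncated OID).
GOOD_EXT = bytes.fromhex("302306092b060104018237150704163014060c2b0601040182371508010203020164020102")
BAD_EXT = GOOD_EXT.replace(bytes.fromhex("08010203"), bytes.fromhex("08010283"))
```

Feed it the DER of each certificate in the chain (for example, the output of `openssl x509 -outform DER`) to see which one carries the extension and whether its template_id is well formed.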

Resolution

A fix will be provided for Aria Automation 8.18.1 in the form of a patch release.

Workaround:

The following steps should be executed:

**NOTE**  The command below must be applied exactly as shown. The long string is the base64-encoded script that the command decodes and runs; it is not a certificate. To review what will be executed before running it, decode the string with `base64 -d` on its own, without the trailing `| bash -`.

  1. Take simultaneous VM snapshots (without memory, with the quiesce option selected) of all three VAs. They can be taken from vRSLCM or manually from vCenter.
  2. Execute the following command on only one of the nodes to apply and persist the patch across the cluster:
    vracli cluster exec -- bash -c 'base64 -d <<< "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" | bash -'
  3. Proceed with the intended certificate replacement operations as per the official product documentation, either manually or through vRLCM.

The workaround does not persist across an upgrade and must be reapplied unless you upgrade to the patched version. Applying it has no service impact and requires no restarts, so it can be done at any time.