This KB outlines how to identify whether the LDAP CA configured in TMC SM (Tanzu Mission Control Self-Managed) has expired, and the steps to update it.
The initial symptom is a failure to log in to the TMC SM UI with the error:
An internal error occurred. Please contact your administrator for help
TMC SM 1.4
Integrated with LDAP
Review the Identity Provider object in the cluster; it will be in the Error state. Describing the Identity Provider object shows that the LDAP CA is no longer valid:
kubectl get activeDirectoryIdentityProvider -n tmc-local
kubectl get ldapIdentityProvider -n tmc-local
kubectl describe activeDirectoryIdentityProvider <Identity Provider Name> -n tmc-local
The pinniped-supervisor pod logs confirm that the LDAP CA is no longer valid:
Unexpected error during upstream LDAP authentication","warning":true,"error:"error dialing host "ldap.example.com\": LDAP Result Code 200 “Network Error”: tls: failed to verify certificate: x509: certificate signed by unknown authority
Retrieve the current configuration of the tmc package:
tanzu package installed list -A
tanzu package installed get tmc-mission-control --namespace tmc-local --values-file-output tmc-values.yaml
Retrieve the latest LDAP CA from the LDAP administrator, or with the command below:
openssl s_client -host <LDAP Server> -port <LDAP Port> -showcerts
Update ldap.rootCA in tmc-values.yaml with the latest LDAP CA; the value must be base64 encoded.
Update the package with the new tmc-values.yaml:
tanzu package installed update tmc-mission-control -p tmc.tanzu.vmware.com --namespace tmc-local --version <Version> --values-file tmc-values.yaml
Monitor the activeDirectoryIdentityProvider object and confirm that it stays in the Ready state after reconciliation:
kubectl get activeDirectoryIdentityProvider -A
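The steps above that retrieve the LDAP CA and base64-encode it for ldap.rootCA, as an added shell example (not VMware tooling or part of this KB). It assumes openssl is installed and that the output of `openssl s_client -host <LDAP Server> -port <LDAP Port> -showcerts` has been saved to a file; it splits the chain, checks each certificate's expiry, verifies that the server certificate chains to the last certificate, and encodes that certificate for tmc-values.yaml.

```shell
#!/bin/sh
# Added example, not VMware tooling. s_client -showcerts prints the server certificate
# first and its issuer(s) after it. Many LDAP servers do not send the root itself; if
# the last certificate here is not self-signed, get the root from the LDAP administrator.
set -eu

# split_chain FILE DIR : write each PEM block in FILE to DIR/cert-1.pem, cert-2.pem, ...
# and print how many certificates were found.
split_chain() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$1"
    ls "$2"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# cert_status FILE [DAYS] : print "valid" if the certificate is still valid DAYS days
# from now (default 0, i.e. right now), otherwise "expired".
cert_status() {
    secs=$(( ${2:-0} * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null; then
        echo valid
    else
        echo expired
    fi
}

# chain_verifies DIR : succeed when cert-1 (the server certificate) verifies against
# the last certificate in DIR, passing any intermediates in between as untrusted.
chain_verifies() {
    dir=$1
    n=$(ls "$dir"/cert-*.pem | wc -l | tr -d ' ')
    set --
    i=2
    while [ "$i" -lt "$n" ]; do
        set -- "$@" -untrusted "$dir/cert-$i.pem"
        i=$((i + 1))
    done
    openssl verify -CAfile "$dir/cert-$n.pem" "$@" "$dir/cert-1.pem" >/dev/null 2>&1
}

# root_ca_b64 DIR : single-line base64 of the last certificate in DIR, the form that
# ldap.rootCA in tmc-values.yaml expects.
root_ca_b64() {
    n=$(ls "$1"/cert-*.pem | wc -l | tr -d ' ')
    openssl base64 -A -in "$1/cert-$n.pem"
}
```

Run cert_status on the current ldap.rootCA (decoded) and on the freshly retrieved CA before updating the package, so the replacement is confirmed valid and the old one confirmed expired.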