VMware Aria Orchestrator server is not accessible after updating the authentication vCenter Certificate.

Article ID: 386631

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Symptoms:

  • vco-app pods are stuck at 2/3 containers (or 1/2 in 8.18.x) according to kubectl -n prelude get pods
  • This means the main Orchestrator GUI does not load and it can't be used for any vRO tasks
  • The vCenter Server which authenticates Orchestrator has recently had its SSL certificate replaced
  • The main Orchestrator log shows an SSL cert error (/services-logs/prelude/vco-app/file-logs/vco-server-app.log) such as:
com.vmware.o11n.security.auth.sso.ComponentManagerLookupService - Could not get Sso Endpoint information through service call. Fall back to local settings.
com.vmware.o11n.cis.CisException: com.vmware.o11n.cis.CisException: com.vmware.o11n.cis.CisException: javax.net.ssl.SSLHandshakeException: Certificate is not in CA store or is invalid.
 ... Failed to instantiate ...
 ERROR vco [...] {} com.vmware.o11n.service.spring.bootstrap.ServiceBootstrap - Application context initialization failed!

Environment

  • VMware Aria Automation Orchestrator 8.x

Cause

The new certificate for the authenticating vCenter Server has not been added to the vRO trust store.
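
To confirm that both symptoms are present before changing authentication settings, the pod state and the log signature can be checked together. The script below is an added example, not part of the original article or VMware tooling; the function names, pod names and sample files are constructed, and it assumes the pod listing and log have been saved to files.

```sh
#!/bin/sh
# Added triage example; sample inputs below are constructed, not captured output.

# Print vco-app pods whose READY column (ready/total) shows fewer ready
# containers than total, e.g. 2/3, or 1/2 on 8.18.x.
vco_pods_not_ready() {
    awk '$1 ~ /^vco-app/ { split($2, r, "/"); if (r[1] + 0 < r[2] + 0) print $1, $2 }' "$1"
}

# Count the trust-store failure signature in a copy of vco-server-app.log.
# grep -c exits 1 on zero matches, so mask that for callers using set -e.
vco_trust_errors() {
    grep -c 'SSLHandshakeException: Certificate is not in CA store or is invalid' "$1" || true
}

# $1 = saved "kubectl -n prelude get pods" output, $2 = log file.
vco_diagnose() {
    pods=$(vco_pods_not_ready "$1")
    errs=$(vco_trust_errors "$2")
    errs=${errs:-0}                        # unreadable log counts as no match
    if [ -n "$pods" ] && [ "$errs" -gt 0 ]; then
        echo "TRUST_STORE_MISMATCH"        # both symptoms from this article
    elif [ -n "$pods" ]; then
        echo "NOT_READY_OTHER_CAUSE"       # pods degraded, no cert error logged
    else
        echo "OK"
    fi
}

# Constructed sample inputs (hypothetical pod names and timings).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/pods.txt" <<'EOF'
NAME                       READY   STATUS    RESTARTS   AGE
vco-app-5f7c9d8b6d-x2k4q   2/3     Running   0          14m
example-other-pod-0        1/1     Running   0          3d
EOF
cat > "$SAMPLE_DIR/vco.log" <<'EOF'
com.vmware.o11n.security.auth.sso.ComponentManagerLookupService - Could not get Sso Endpoint information through service call. Fall back to local settings.
com.vmware.o11n.cis.CisException: javax.net.ssl.SSLHandshakeException: Certificate is not in CA store or is invalid.
EOF

vco_diagnose "$SAMPLE_DIR/pods.txt" "$SAMPLE_DIR/vco.log"   # prints TRUST_STORE_MISMATCH
```

On an appliance, the first argument would be the saved output of kubectl -n prelude get pods and the second a copy of /services-logs/prelude/vco-app/file-logs/vco-server-app.log.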

Resolution

Method 1

Add the new vCenter certificate to the Orchestrator trust store by following the steps in the documentation.

The documentation page for 8.18.1 and later references using an Orchestrator workflow of "Import a trusted certificate from a file".  KB article 404474 (How to import a trusted certificate to the keystore in VCO.) can be used for the steps.

 

Method 2

If it is not possible to access the Orchestrator UI in order to add this certificate, then the authenticating vCenter can be re-registered as the authenticator via the Orchestrator shell:

  1. First log in to the Orchestrator shell via SSH
  2. Run the authentication wizard to set authentication; it will prompt you to enter the appropriate details:
    • vracli vro authentication wizard

Alternatively, this can be registered in non-interactive mode, using a command line similar to this example (this example configures vSphere SSO for authentication):

  • vracli vro authentication set -p vsphere -hn https://my-vsphere.local -u [email protected] --tenant vsphere.local --admin-group Administrators --admin-group-domain vsphere.local

For further details on the command syntax, please see this article: Configuring the Automation Orchestrator Appliance authentication provider with the command line interface