Rotation Status of CA certificate shows "Unknown state - contact support"
Article ID: 394611
Updated On:
Products
Issue/Introduction
At Tanzu Ops Manager > Certificates, "Rotation Status" column of CAs have below values:
- Ready to regenerate CA
- Ready to delete old CA
- Rotate parent CA
- Ready to activate new CA
- Needs propagation
- Unknown state - contact support
Except for "Unknown state - contact support", all above status have clear steps to follow in "Rotation procedure" column.
Environment
Tanzu Operations Manager
Cause
"Rotation Status" column of CA is determined by the below conditions, "Unknown state" is usually caused by previous unfinished certificate rotation.
|
latest_ca_version_transitional |
transitional_ca _exists |
all_latest_leafs_signed_by_latest_ca |
any_non_latest_leaf_active |
status |
|
False |
False |
True |
False |
Ready to regenerate CA |
|
True |
True |
False |
True |
Needs propagation |
|
True |
True |
False |
False |
Ready to activate new CA |
|
False |
True |
False |
X |
Ready to regenerate leaf |
|
False |
True |
True |
True |
Needs propagation |
|
False |
False |
True |
True |
Needs propagation |
|
Other combinations |
Unknown state - contact support |
|||
Resolution
Please download support bundle from Operations Manager and open support request with the bundle. Tanzu support will review the maestro topology output in support bundle and share next steps.
Feedback
