Failed to rotate vSphere with Tanzu Supervisor certificate when a HTTPS Proxy is configured

Article ID: 395878

Products

VMware vSphere Kubernetes Service

Issue/Introduction

Running the certmgr script from "Replace vSphere with Tanzu Supervisor Certificates" fails with errors like the following:

time="YYYY-MM-DDThh:mm:ssZ" level=info msg="[/root/certmgr certificates rotate]"
time="YYYY-MM-DDThh:mm:ssZ" level=error msg="STS Issue HOK request failedPost \"https://<vCenter Server PNID>/sts/STSService/vsphere.local\": Forbidden"
time="YYYY-MM-DDThh:mm:ssZ" level=error msg="Failed to get STS token: Post \"https://<vCenter Server PNID>/sts/STSService/vsphere.local\": Forbidden"
time="YYYY-MM-DDThh:mm:ssZ" level=fatal msg="Failed to obtain VC client: %sfailed to login to VC: Post \"https://<vCenter Server PNID>/sts/STSService/vsphere.local\": Forbidden"

Note: Messages may vary depending on your environment.

Environment

vSphere with Tanzu, vSphere Supervisor

Cause

The certmgr script is affected by the HTTPS proxy settings on the vCenter Server.
A proxy can cause certmgr to fail to access the vCenter Server itself.

Resolution

Workaround 1: Configure the vCenter Server to not use a proxy when accessing itself
See the resolution in "How to configure Proxy Settings for vCenter Server"

Workaround 2: Set NO_PROXY when executing certmgr
no_proxy="localhost, 127.0.0.1, <vCenter Server PNID>" ./certmgr certificates rotate
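
A pre-flight check for the two workarounds above, as an added example that is not part of the original article or of VMware's tooling: it reports whether requests to the vCenter Server PNID would be sent through the proxy under the current environment. The function names, the host vc01.example.test and the matching rules (exact host, domain suffix, "*") are assumptions based on the common no_proxy convention, not documented certmgr behavior.

```shell
#!/bin/sh
# Added example: pre-flight check to run before "./certmgr certificates rotate".
# Assumption: the client follows the common no_proxy convention
# (exact host, domain suffix, or "*"); certmgr's own rules may differ.

# no_proxy_covers HOST LIST: succeeds if HOST is exempted by the comma-separated LIST.
# The body runs in a subshell so the IFS and "set -f" changes stay local.
no_proxy_covers() (
    host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    list=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    set -f          # keep a "*" entry from being expanded to file names
    IFS=','
    for entry in $list; do
        # Trim the spaces used in lists such as "localhost, 127.0.0.1, host".
        entry=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$entry" ] || continue
        [ "$entry" = "*" ] && return 0
        entry=${entry#.}                    # ".example.test" equals "example.test"
        [ "$host" = "$entry" ] && return 0
        case $host in *."$entry") return 0 ;; esac
    done
    return 1
)

# proxy_state PNID: prints "direct" (no HTTPS proxy set), "bypassed" or "proxied".
proxy_state() {
    if [ -z "${https_proxy:-${HTTPS_PROXY:-}}" ]; then
        echo direct
    elif no_proxy_covers "$1" "${no_proxy:-${NO_PROXY:-}}"; then
        echo bypassed
    else
        echo proxied
    fi
}

# Usage: sh check_proxy.sh vc01.example.test   (constructed host name)
if [ $# -gt 0 ]; then proxy_state "$1"; fi
```

A result of "proxied" for the vCenter Server PNID matches the condition described under Cause; "direct" or "bypassed" means the proxy settings are not in the request path.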