Error: ""https://vcfa-host:443/api/versions": tls: failed to verify certificate: x509: certificate signed by unknown authority" when connecting Data Services Manager (DSM) to VCF Automation
Article ID: 398007


Products

VMware Cloud Foundation VCF Automation VMware Data Services Manager for VCF

Issue/Introduction

  • Provider administrator tries to configure the VMware Data Services Manager (DSM) connection from the VCF Automation provider portal (VCF Services > Data Service), but fails to connect due to a TLS error.
  • The console shows an error message like: VCFA Binding Custom Resource is not ready: failed to create VCFA TM client: Get "https://vcfa-host:443/api/versions": tls: failed to verify certificate: x509: certificate signed by unknown authority.

Environment

  • VCF Automation 9.0
  • VMware Data Services Manager for VCF 9.0

Cause

This issue occurs when VCF Automation's TLS certificate is signed by a root CA certificate or an intermediate CA certificate that DSM does not yet trust, so DSM cannot verify the certificate chain.

Resolution

To resolve this issue, perform the following actions:

  1. Get VCF Automation root certificate for its public endpoint:

    Navigate to VCF Automation Provider Portal > Administration > Certificate Management and click the Certificates Library tab. You will see one or more certificates named “restbaseuri.0”, “restbaseuri.1”, and so on. The row with the largest index (for example “restbaseuri.1” when there are two) is the root certificate of VCF Automation.

    a. Click Copy Pem to copy the certificate content to the clipboard.
    b. Create a new file named vcfa-ca.yaml with the content below. Replace the lines from “-----BEGIN CERTIFICATE-----” to “-----END CERTIFICATE-----” with the VCF Automation root certificate you copied from the UI.

    Note: Every line of the certificate content must have the same indentation, otherwise the YAML block scalar is not parsed correctly.

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: vcfa-ca
      namespace: dsm-system
    data:
      tls.crt: |
        -----BEGIN CERTIFICATE-----
        MIIDhzCCAm+gAwIBAgIGAZeIWmbQMA0GCSqGSIb3DQEBCwUAMFIxMjAwBgNVBAMM
        KVZDRiBPcGVyYXRpb25zIEZsZWV0IE1hbmFnZW1lbnQgTG9ja2VyIENBMQ8wDQYD
        VQQKD …  … NG9kl3Q==
        -----END CERTIFICATE-----


    c. Save the file.

  2. Create vcfa-ca ConfigMap in DSM Gateway:

    You can use either of the following options (REST API or local commands) to create the ConfigMap in DSM Gateway:

    REST API

    a. Create a ConfigMap named 'vcfa-ca' in DSM's 'dsm-system' namespace containing the signing certificate, through an API call against the DSM endpoint. The signing certificate must be the root CA or intermediate CA of the VCF Automation public endpoint.

Sample curl commands:

Exchange the DSM admin user's username and password for a DSM JWT token:

curl --location 'https://<dsm-host>/provider/session' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data-raw '{"username":"<dsm-admin-username>","password":"<dsm-admin-password>"}' \
--verbose

b. From the printed output, copy the JWT token from the "Authorization" response header.

c. Issue the API call to create a ConfigMap holding the VCF Automation signing certificate:

curl --location 'https://<dsm-host>/api/v1/namespaces/dsm-system/configmaps' \
--header 'Authorization: Bearer <dsm-admin-jwt-token>' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json' \
--data '{
  "kind": "ConfigMap",
  "apiVersion": "v1",
  "metadata": {
    "name": "vcfa-ca"
  },
  "data": {
    "tls.crt": "-----BEGIN CERTIFICATE-----\n ... \n-----END CERTIFICATE-----\n"
  }
}'
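The Note in step 1b (every certificate line must keep the same indentation) and the JSON body in step 2c are the two places where a hand-edited PEM usually goes wrong: uneven indentation breaks the YAML block scalar, and unescaped newlines break the JSON. The following Python script is an added example, not VMware or Broadcom tooling: it takes the PEM copied from Certificate Management, checks its structure, and renders both the vcfa-ca.yaml ConfigMap for kubectl and the JSON payload for the REST call. SAMPLE_PEM is a constructed placeholder, not a real certificate; the "starts with an ASN.1 SEQUENCE" check is a lightweight sanity test, not X.509 parsing or chain validation; and the names parse_pem_certificates, configmap_yaml and configmap_json are this example's own.

```python
"""Build the vcfa-ca ConfigMap (YAML for kubectl, JSON for the DSM REST API)
from a PEM certificate, checking the PEM structure first.
Added example; not VMware/Broadcom tooling."""
from __future__ import annotations

import base64
import binascii
import json
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

# Constructed placeholder, NOT a real certificate: DER-like bytes that start
# with the ASN.1 SEQUENCE tag (0x30) so the structural check below passes.
_PLACEHOLDER_DER = b"\x30\x82" + b"constructed placeholder, not a certificate " * 3


def _wrap_pem(der: bytes) -> str:
    """Encode DER bytes as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    chunks = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *chunks, END]) + "\n"


SAMPLE_PEM = _wrap_pem(_PLACEHOLDER_DER)


def parse_pem_certificates(text: str) -> list[str]:
    """Extract every PEM certificate block from `text`, strip stray whitespace
    (such as indentation carried over from a copy-paste) and re-wrap it.
    Raises ValueError when markers are unbalanced or the body is not base64
    that decodes to an ASN.1 SEQUENCE (the outer element of every X.509 cert).
    This is a structural sanity check, not X.509 parsing or chain validation."""
    certs, body, inside = [], [], False
    for raw in text.splitlines():
        ln = raw.strip()
        if ln == BEGIN:
            if inside:
                raise ValueError("nested BEGIN marker")
            inside, body = True, []
        elif ln == END:
            if not inside:
                raise ValueError("END marker without BEGIN")
            try:
                der = base64.b64decode("".join(body), validate=True)
            except binascii.Error as exc:
                raise ValueError(f"certificate body is not valid base64: {exc}") from exc
            if not der or der[0] != 0x30:
                raise ValueError("decoded body does not start with an ASN.1 SEQUENCE")
            certs.append(_wrap_pem(der))
            inside = False
        elif inside and ln:
            body.append(ln)
    if inside:
        raise ValueError("BEGIN marker without matching END")
    if not certs:
        raise ValueError("no PEM certificate found")
    return certs


def configmap_yaml(pem_text: str, name: str = "vcfa-ca", namespace: str = "dsm-system") -> str:
    """Render the ConfigMap as YAML. Every certificate line is indented by
    exactly the same amount under the `tls.crt: |` block scalar; uneven
    indentation is the usual reason an applied ConfigMap holds a broken PEM."""
    cert = "".join(parse_pem_certificates(pem_text))
    indented = textwrap.indent(cert, " " * 4)
    return (
        "kind: ConfigMap\n"
        "apiVersion: v1\n"
        "metadata:\n"
        f"  name: {name}\n"
        f"  namespace: {namespace}\n"
        "data:\n"
        "  tls.crt: |\n"
        + indented
    )


def configmap_json(pem_text: str, name: str = "vcfa-ca", namespace: str = "dsm-system") -> str:
    """Render the same ConfigMap as the JSON body for
    POST /api/v1/namespaces/<namespace>/configmaps. json.dumps escapes the
    newlines as \\n, so the PEM arrives intact instead of being flattened."""
    cert = "".join(parse_pem_certificates(pem_text))
    body = {
        "kind": "ConfigMap",
        "apiVersion": "v1",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": cert},
    }
    return json.dumps(body, indent=2)


if __name__ == "__main__":
    # Replace SAMPLE_PEM with the PEM copied from Certificate Management.
    print(configmap_yaml(SAMPLE_PEM))
    print(configmap_json(SAMPLE_PEM))
```

Feed the script the PEM you copied from the UI (for example by reading a file into parse_pem_certificates) and write configmap_yaml's output to vcfa-ca.yaml; if the copied certificate is incomplete or its markers are missing, the script refuses to produce a ConfigMap instead of silently creating one that DSM cannot use.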


Local Commands

a. SSH to the DSM appliance as the root user and copy the vcfa-ca.yaml file created above to the host.
b. Run the following commands in sequence:

cd /opt/vmware/tdm-provider/moneta-gateway

# apply config map
kubectl apply -f vcfa-ca.yaml -n dsm-system --kubeconfig kubeconfig-gateway.yaml

# view config map
kubectl get cm vcfa-ca -n dsm-system --kubeconfig kubeconfig-gateway.yaml -o yaml

# view bindings
kubectl get vcfabindings --kubeconfig kubeconfig-gateway.yaml -o yaml

# if necessary, delete the ConfigMap (cm)
kubectl delete cm vcfa-ca -n dsm-system --kubeconfig kubeconfig-gateway.yaml