Supervisor control plane VM is unable to validate the Avi load balancer certificate

search cancel

Supervisor control plane VM is unable to validate the Avi load balancer certificate

book

Article ID: 401804

calendar_today

Updated On:

Products

VMware vSphere Kubernetes Service

Issue/Introduction

While deploying a new Supervisor cluster, the following error message is returned during the configuration process of the control plane VMs:

The control plane VM ******************************** was unable to validate the load balancer's (Avi - https://***.***.***.***:443/login) certificate. The certificate is invalid.

Environment

vSphere 7.x
vSphere 8.x
Avi Load Balancer

Cause

The wrong certificate was applied for the Avi load balancer during the Supervisor deployment configuration process. The SSL certificate belonging to the Avi load balancer must be provided during the Supervisor deployment process.

By default, the Avi Load Balancer uses an existing default self signed certificate which does not contain any Subject Alternative Name (SAN) information . Even when a new self signed certificate with the FQDN and IP address included in the SAN has been created within Avi, or a custom certificate with the SAN information has been uploaded to Avi, the existing default self signed certificate without SAN information is still in place and will need to be replaced.

Resolution

First ensure the Avi Load Balancer is using either a new self signed certificate or custom certificate with the FQDN and IP address included in the Subject Alternative Name (SAN), and the new certificate is applied to Avi. Follow the steps of the "Assign a Certificate to the Avi Load Balancer Controller" section from the following documentation, to apply the new certificate to Avi:

Assign a Certificate to the Avi Load Balancer Controller

The certificate that is provided during the new Supervisor deployment process must be the server SSL certificate with the correct SAN information that belongs to the Avi Load Balancer.

Apply the correct SSL certificate from the Avi Load Balancer to the Supervisor using the following steps:

Change Load Balancer Settings on a Supervisor Configured with VDS Networking

Additional Information

Additional details for troubleshooting Load Balancer Errors:

Resolving Errors Health Statuses on Supervisor Cluster During Initial Configuration Or Upgrade

Additional resources concerning the Avi Load Balancer:

Feedback

thumb_up Yes

thumb_down No