When configuring an external identity provider for a Supervisor cluster, the following error is observed:
Failed to create external identity provider for Supervisor "supervisor name" because a non-VMCA certificate is being used and only a leaf certificate was provided for TLS endpoint on Kubernetes API servers. You should provide the full trust chain via the certificate management API
VMware vSphere Kubernetes Service
This issue occurs when only the leaf (Supervisor) certificate is pasted into the "Certificates" section during the IDP configuration. A certificate issued by a custom (non-VMCA) CA cannot be validated from the leaf alone, because the Supervisor has no trust path from that leaf to a trusted root.
For non-VMCA (custom CA) certificates, the full certificate chain must therefore be provided: the leaf certificate, followed by any intermediate CA certificate(s), followed by the root CA certificate, in that order.
Ensure that the full certificate chain is uploaded when configuring the external identity provider. Concatenate the PEM-encoded leaf, intermediate, and root certificates in this order (if the CA uses more than one intermediate, include each of them between the leaf and the root, each followed by the certificate that signed it):
-----BEGIN CERTIFICATE-----
(Supervisor/Leaf Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate Certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root Certificate)
-----END CERTIFICATE-----
Upload this combined PEM bundle under the Certificates section in the external identity provider configuration.
Save and reapply the configuration.
The Supervisor cluster can then validate the certificate chain and create the external identity provider without error.
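The following shell script is an added example and is not part of this article or of the vSphere Kubernetes Service product. It builds a throwaway three-tier chain (root CA, intermediate CA, Supervisor leaf) with the openssl CLI, concatenates it in the leaf/intermediate/root order described above, and then checks the bundle before it would be pasted into the Certificates section: it counts the certificates (a count of 1 is exactly the "only a leaf certificate was provided" condition from the error message), confirms that each certificate is followed by its issuer and that the last one is a self-signed root, and verifies the trust path with openssl verify. All names (Example Root CA, supervisor.example.internal) are constructed for the demo; openssl 1.1.1 or newer is assumed.

```shell
#!/bin/sh
# Added example (not from the KB article): build a constructed non-VMCA style
# chain, bundle it leaf -> intermediate -> root, and check the bundle the way
# the Supervisor must be able to before it is uploaded to the IDP config.
# All names below are constructed for the demo. Requires openssl 1.1.1+.
set -eu

# Generate a constructed three-tier PKI into the given directory.
make_test_chain() {
  dir="$1"
  # Minimal req config so the demo does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' 'prompt = no' \
    '[dn]' 'CN = placeholder' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign,cRLSign' \
    > "$dir/req.cnf"
  # Self-signed root CA.
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
  # Intermediate CA signed by the root (pathlen:0 = may only issue leaves).
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
  printf '%s\n' 'basicConstraints = critical,CA:TRUE,pathlen:0' \
    'keyUsage = critical,keyCertSign,cRLSign' > "$dir/int.ext"
  openssl x509 -req -sha256 -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/int.ext" -out "$dir/int.pem" >/dev/null 2>&1
  # Leaf for the Supervisor API endpoint, signed by the intermediate.
  openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=supervisor.example.internal" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = digitalSignature,keyEncipherment' \
    'extendedKeyUsage = serverAuth' 'subjectAltName = DNS:supervisor.example.internal' > "$dir/leaf.ext"
  openssl x509 -req -sha256 -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Concatenate leaf, intermediate(s), root: the order the article requires.
# Prints the path of the resulting bundle.
build_bundle() {
  cat "$1/leaf.pem" "$1/int.pem" "$1/root.pem" > "$1/chain.pem"
  echo "$1/chain.pem"
}

# Number of certificates in a PEM file. A value of 1 is exactly the
# "only a leaf certificate was provided" condition from the error message.
cert_count() {
  grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Check that a bundle is ordered leaf -> intermediate(s) -> root: each
# certificate's issuer must be the subject of the certificate that follows it,
# and the last certificate must be self-signed. Prints "ok" on success, a
# reason and a non-zero status otherwise.
check_order() {
  bundle="$1"
  parts=$(mktemp -d)
  # Split the bundle into one file per certificate: 1.pem, 2.pem, ...
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (d "/" n ".pem") }' "$bundle"
  n=$(cert_count "$bundle")
  i=1
  while [ "$i" -le "$n" ]; do
    issuer=$(openssl x509 -in "$parts/$i.pem" -noout -issuer)
    issuer=${issuer#issuer=}
    if [ "$i" -lt "$n" ]; then
      next=$(openssl x509 -in "$parts/$((i + 1)).pem" -noout -subject)
      if [ "$issuer" != "${next#subject=}" ]; then
        echo "certificate $i is not followed by its issuer"
        rm -rf "$parts"; return 1
      fi
    else
      subject=$(openssl x509 -in "$parts/$i.pem" -noout -subject)
      if [ "$issuer" != "${subject#subject=}" ]; then
        echo "last certificate is not a self-signed root"
        rm -rf "$parts"; return 1
      fi
    fi
    i=$((i + 1))
  done
  rm -rf "$parts"
  echo ok
}

# Build the trust path the way a TLS client would: trusted root,
# untrusted intermediate(s), leaf under test.
verify_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null
}

# Stand-alone run.
DEMO_DIR=$(mktemp -d)
make_test_chain "$DEMO_DIR"
BUNDLE=$(build_bundle "$DEMO_DIR")
echo "certificates in bundle: $(cert_count "$BUNDLE")"
echo "order check: $(check_order "$BUNDLE")"
verify_chain "$DEMO_DIR" && echo "trust path verified"
```

To check a real bundle before uploading it, run check_order against the file you intend to paste and openssl verify against your own root and intermediate files; a bundle that passes both checks is in the order the error message asks for. The order check is a structural one (issuer/subject matching), so a chain that is complete but pasted root-first is reported at position 1 rather than silently accepted.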