smoke test for Tanzu Application Service fails with certificate issue

Article ID: 404695


Products

VMware Tanzu Platform - Cloud Foundry

Issue/Introduction

Tanzu Application Service smoke test fails


Looking at the smoke test logs, you see the following:

          ==============================Global Before Each==============================  
            
          HOME DIR> /var/vcap/data/smoke_tests/tmp/smoke-tests-#########  
            
          CMD> cf --version   
          OUT: cf version 8.8.3+3cd802e.2024-10-29  
            
          CMD> cf api https://api.sys.<domain>   
          OUT: Setting API endpoint to https://api.sys.<domain>...  
          ERR: Invalid SSL Cert for https://api.sys.<domain>  
          ERR: TIP: Use 'cf api --skip-ssl-validation' to continue with an insecure API endpoint  
          OUT: FAILED  
          ==============================Global After Each==============================  

 

Resolution

Verify that the Ops Manager CA is included in the Trusted Certs. You can check this in the Ops Manager UI, or in the p-bosh manifest. In the Support Bundle, the manifest is under "deployed_manifest_and_configs", in "p-bosh-<guid>/manifest_most_recent_<date>.yml". Check the value of "trusted_certs"; if it is null or empty, as in the following line, then the CA needs to be added here.

trusted_certs: ''
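
One way to script the manifest check described above, as an added example that is not part of the original article or of the product's tooling. It assumes the first trusted_certs key in the file is the one of interest; the function name check_trusted_certs and the sample manifests are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the KB article): check trusted_certs in a p-bosh manifest.
# Prints "empty", "populated:<n>" (n = PEM certificates found) or "missing".
# Exit status: 0 populated, 1 empty/null, 2 key not present.
check_trusted_certs() {
    awk '
        function indent(s) { match(s, /[^ ]/); return RSTART - 1 }
        !found && /^ *trusted_certs:/ {
            found = 1; in_block = 1; key_indent = indent($0)
            inline = $0; sub(/^ *trusted_certs: */, "", inline)   # same-line value
            next
        }
        in_block {
            if ($0 ~ /^ *$/) next                                 # blank line inside block
            if (indent($0) <= key_indent) { in_block = 0; next }  # block scalar ended
            if (index($0, "-----BEGIN CERTIFICATE-----")) n++
        }
        END {
            if (!found) { print "missing"; exit 2 }
            # A quoted one-line value can also carry PEM text; "", null and ~ do not.
            n += gsub(/-----BEGIN CERTIFICATE-----/, "&", inline)
            if (n > 0) { print "populated:" n; exit 0 }
            print "empty"; exit 1
        }
    ' "$1"
}

# Constructed sample manifests (placeholder PEM body, not a real certificate).
demo=$(mktemp -d)
printf '%s\n' 'director:' "  trusted_certs: ''" '  name: p-bosh' > "$demo/empty.yml"
printf '%s\n' 'director:' '  trusted_certs: |' \
    '    -----BEGIN CERTIFICATE-----' '    PLACEHOLDER' \
    '    -----END CERTIFICATE-----' '  name: p-bosh' > "$demo/ok.yml"
check_trusted_certs "$demo/empty.yml" || echo "-> add the CA in Ops Manager"
check_trusted_certs "$demo/ok.yml" || echo "-> add the CA in Ops Manager"
rm -rf "$demo"
```

A result of "populated" only shows that some CA is present; whether it is the CA that signed the API endpoint certificate still has to be confirmed in Ops Manager.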


If the foundation uses an externally-provided CA (for example, Verisign), then the CA needs to be copied into the Trusted Certs field (see the screenshot below). 

If the foundation uses an Ops Manager-provided self-signed cert, the fix is to check the box "Include Tanzu Ops Manager Root CA in Trusted Certs" in the BOSH tile -> Security tab (in the Ops Manager GUI).

Whether you copy in the CA or select the checkbox for the self-signed cert, you must then click "SAVE" and Apply Changes in order to establish trust. For each tile that has an errand like "Upgrade All Service Instances," enable that errand so that the CA is pushed to all VMs.