Unable to apply Microsoft CA custom cert on VCF Operations for Logs 9.0

Article ID: 405738

Products

VCF Operations

Issue/Introduction

  • Microsoft CA has been integrated with Fleet Management in VCF Operations 9.0
  • Attempting to replace the VCF Operations for Logs certificate with a configured CA certificate fails with the following banner:

    Certificate replacement for appliance <FQDN> has failed. Failed to perform specified operation. Applying certificate failed. Check VCF Operations Fleet Management logs at /var/log/vrlcm/vmware_vrlcm.log for additional information.
  • /var/log/vrlcm/vmware_vrlcm.log on the Fleet Management appliance contains messages similar to the following:

    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.d.v.InstallConfigureVRLI] – Return status code for VMware Aria Operations for Logs: 200
    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.p.v.VrliImportCertificateTask] – Version >= 4.7.0. Replacing certificate for VMware Aria Operations for Logs
    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.d.v.InstallConfigureVRLI] – Checking if Operations-logs instance is running
    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.u.CustomTrustManager] – Certificate chain trusted
    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.u.CustomTrustManager] – Certificate chain trusted
    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.d.v.InstallConfigureVRLI] – The Operations-logs instance https://#.#.#.# service is running
    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.u.CustomTrustManager] – Certificate chain trusted
    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.d.v.InstallConfigureVRLI] – certificate api response: statuscode = 400
    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.d.v.InstallConfigureVRLI] – certificate api response: message = Bad Request
    YYYY-MM-DDTHH:MM:SS ERROR vrlcm[####] [c.v.v.l.p.v.VrliImportCertificateTask] – Applying certificate failed. Non Success status code:400 returned from Operations-logs
    YYYY-MM-DDTHH:MM:SS INFO vrlcm[####]  [c.v.v.l.p.a.s.Task] – Injecting task failure event. Error Code : 'LCMVRLISYSTEM45040', Retry : 'true', Causing Properties : '

  • /storage/core/loginsight/var/runtime.log on the VCF Operations for Logs appliance contains messages similar to the following:

    [YYYY-MM-DDTHH:MM:SS] ["DaemonCommands-thread-##"/#.#.#.# INFO] [com.vmware.loginsight.commons.executor.ProcessExecutor] [Finished executing /usr/lib/loginsight/application/sbin/default-ssl-certificate.sh --update-custom-cert, ran for 1270 ms]
    [YYYY-MM-DDTHH:MM:SS] ["DaemonCommands-thread-##"/#.#.#.# INFO] [com.vmware.loginsight.daemon.shared.ssl.SslCertificateManager] [SSL script result: [exitCode=3, stdOut=, stdErr=ERROR: Extra certificates are present in the certificate file. An intermediate certificate might be missing, or you have incorrect certificates in the file. ERROR: Root/Final certificate in chain is not self-signed. You are probably missing one or more certificates in the chain.]]

Environment

VCF Operations 9.0

VCF Operations for Logs 9.0

Cause

The intermediate certificate(s) are not collected when the certificate is replaced through a configured MSCA (intermediate CA) in VCF 9.0.
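
The two conditions named in the runtime.log stderr above (a certificate that is not followed by its issuer, and a final certificate that is not self-signed) can be checked on any PEM bundle with openssl. The following is an added example, not code from this article or from the product, and it is not the logic of default-ssl-certificate.sh; all function names and the sample PKI it builds are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; name_of, check_chain, issue and make_constructed_pki are
# hypothetical helper names, not part of any VCF tooling.

# name_of <cert file> subject|issuer : print that distinguished name.
name_of() { openssl x509 -in "$1" -noout -nameopt RFC2253 "-$2" | sed 's/^[a-z]*= *//'; }

# Returns 0 when the bundle runs leaf -> intermediate(s) -> self-signed root,
# 1 when a certificate is not followed by its issuer, 2 when the final
# certificate is not self-signed, 3 when the file holds no certificate.
# Only names are compared; signatures are not verified.
check_chain() {
  local pem="$1" tmp n i=1 rc=0
  n=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem" || true)
  [ "$n" -gt 0 ] || { echo "no certificates found"; return 3; }
  tmp=$(mktemp -d) || return 3
  # One file per CERTIFICATE block; a private key in the bundle is skipped.
  awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
    on { print > (d "/" n ".pem") }
    /-----END CERTIFICATE-----/ { on = 0; close(d "/" n ".pem") }' "$pem"
  while [ "$i" -lt "$n" ] && [ "$rc" -eq 0 ]; do
    if [ "$(name_of "$tmp/$i.pem" issuer)" != "$(name_of "$tmp/$((i + 1)).pem" subject)" ]; then
      echo "cert $i: issuer is not the next certificate in the file"; rc=1
    fi
    i=$((i + 1))
  done
  if [ "$rc" -eq 0 ] && [ "$(name_of "$tmp/$n.pem" subject)" != "$(name_of "$tmp/$n.pem" issuer)" ]; then
    echo "cert $n: final certificate is not self-signed"; rc=2
  fi
  [ "$rc" -ne 0 ] || echo "chain complete: $n certificate(s)"
  rm -rf "$tmp"
  return "$rc"
}

# issue <dir> <name> <CN> <signer name> : sign a constructed sample certificate.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
    -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Build a constructed root -> issuing CA -> leaf PKI in <dir> (sample data only).
make_constructed_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue "$1" int "Constructed Issuing CA" root &&
  issue "$1" leaf "logs.example.test" int
}
```

A bundle made of the leaf and the root without the issuing CA returns 1, and a bundle that stops at the issuing CA returns 2.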

Resolution

This issue is resolved in the VCF 9.0.1 release.

 

Additional Information

VCF 9.0.1 release notes: https://techdocs.broadcom.com/us/en/vmware-cis/vcf/vcf-9-0-and-later/9-0/release-notes/vmware-cloud-foundation-9-0-1-release-notes/vcf-operations-9-0-1-0000.html