Unable to apply Microsoft CA custom cert on VCF Operations for Logs 9.0

Article ID: 405738

Products

VCF Operations

Issue/Introduction

  • Microsoft CA has been integrated with Fleet Management in VCF Operations 9.0
  • Attempting to replace the VCF Operations for Logs certificate with a configured CA certificate fails with the following banner:

    Certificate replacement for appliance <FQDN> has failed. Failed to perform specified operation. Applying certificate failed. Check VCF Operations Fleet Management logs at /var/log/vrlcm/vmware_vrlcm.log for additional information.
  • /var/log/vrlcm/vmware_vrlcm.log on the Fleet Management appliance contains messages similar to the following:

    2025-07-21T11:16:40.162Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.d.v.InstallConfigureVRLI] – Return status code for VMware Aria Operations for Logs: 200
    2025-07-21T11:16:40.162Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.p.v.VrliImportCertificateTask] – Version >= 4.7.0. Replacing certificate for VMware Aria Operations for Logs
    2025-07-21T11:16:40.163Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.d.v.InstallConfigureVRLI] – Checking if Operations-logs instance is running
    2025-07-21T11:16:40.178Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.u.CustomTrustManager] – Certificate chain trusted
    2025-07-21T11:16:40.205Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.u.CustomTrustManager] – Certificate chain trusted
    2025-07-21T11:16:40.214Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.d.v.InstallConfigureVRLI] – The Operations-logs instance https://#.#.#.# service is running
    2025-07-21T11:16:40.219Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.u.CustomTrustManager] – Certificate chain trusted
    2025-07-21T11:16:41.579Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.d.v.InstallConfigureVRLI] – certificate api response: statuscode = 400
    2025-07-21T11:16:41.579Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.d.v.InstallConfigureVRLI] – certificate api response: message = Bad Request
    2025-07-21T11:16:41.579Z ERROR vrlcm[1254] [pool-3-thread-40] [c.v.v.l.p.v.VrliImportCertificateTask] – Applying certificate failed. Non Success status code:400 returned from Operations-logs
    2025-07-21T11:16:41.580Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.p.a.s.Task] – Injecting task failure event. Error Code : 'LCMVRLISYSTEM45040', Retry : 'true', Causing Properties : '

  • /storage/core/loginsight/var/runtime.log on the VCF Operations for Logs appliance contains messages similar to the following:

    [2025-07-21 11:16:41.580+0000] ["DaemonCommands-thread-15"/#.#.#.# INFO] [com.vmware.loginsight.commons.executor.ProcessExecutor] [Finished executing /usr/lib/loginsight/application/sbin/default-ssl-certificate.sh --update-custom-cert, ran for 1270 ms]
    [2025-07-21 11:16:41.580+0000] ["DaemonCommands-thread-15"/#.#.#.# INFO] [com.vmware.loginsight.daemon.shared.ssl.SslCertificateManager] [SSL script result: [exitCode=3, stdOut=, stdErr=ERROR: Extra certificates are present in the certificate file. An intermediate certificate might be missing, or you have incorrect certificates in the file. ERROR: Root/Final certificate in chain is not self-signed. You are probably missing one or more certificates in the chain.]]
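To confirm that a failed replacement matches this signature, the two logs can be correlated by timestamp. The following is an added example, not part of the original article or of any VMware tooling. The function names and the 5-second matching window are assumptions, and it assumes both appliances keep UTC-synchronized clocks.

```python
import re
from datetime import datetime, timedelta

# Excerpts of the log lines quoted in this article (addresses are masked as #.#.#.# there).
FLEET_LOG = """\
2025-07-21T11:16:41.579Z INFO vrlcm[1254] [pool-3-thread-40] [c.v.v.l.d.v.InstallConfigureVRLI] – certificate api response: statuscode = 400
2025-07-21T11:16:41.579Z ERROR vrlcm[1254] [pool-3-thread-40] [c.v.v.l.p.v.VrliImportCertificateTask] – Applying certificate failed. Non Success status code:400 returned from Operations-logs
"""
RUNTIME_LOG = """\
[2025-07-21 11:16:41.580+0000] ["DaemonCommands-thread-15"/#.#.#.# INFO] [com.vmware.loginsight.daemon.shared.ssl.SslCertificateManager] [SSL script result: [exitCode=3, stdOut=, stdErr=ERROR: Extra certificates are present in the certificate file. An intermediate certificate might be missing, or you have incorrect certificates in the file. ERROR: Root/Final certificate in chain is not self-signed. You are probably missing one or more certificates in the chain.]]
"""

# Patterns for the two message shapes shown above.
FLEET_FAIL = re.compile(r"^(\S+) ERROR .*Applying certificate failed\. Non Success status code:(\d+)", re.M)
SSL_RESULT = re.compile(r"^\[([^\]]+)\] .*SSL script result: \[exitCode=(\d+), stdOut=.*?, stdErr=(.*)\]\]$", re.M)

def fleet_failures(text):
    """Return (UTC time, HTTP status) for each failed certificate apply in vmware_vrlcm.log."""
    return [(datetime.strptime(ts.replace("Z", "+0000"), "%Y-%m-%dT%H:%M:%S.%f%z"), int(code))
            for ts, code in FLEET_FAIL.findall(text)]

def ssl_script_results(text):
    """Return (time, exit code, [stderr messages]) for each SSL script result in runtime.log."""
    out = []
    for ts, code, err in SSL_RESULT.findall(text):
        msgs = [m.strip() for m in err.split("ERROR:") if m.strip()]
        out.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f%z"), int(code), msgs))
    return out

def correlate(fleet_text, runtime_text, window=timedelta(seconds=5)):
    """Pair each Fleet Management failure with a non-zero SSL script result within `window`."""
    pairs = []
    for f_ts, status in fleet_failures(fleet_text):
        for r_ts, exit_code, msgs in ssl_script_results(runtime_text):
            if exit_code != 0 and abs(f_ts - r_ts) <= window:
                pairs.append({"status": status, "exit_code": exit_code, "errors": msgs})
    return pairs

if __name__ == "__main__":
    for hit in correlate(FLEET_LOG, RUNTIME_LOG):
        print(hit)
```

A match with status 400, exit code 3 and the two chain-related stderr messages corresponds to the symptoms listed in this article.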

Environment

VCF Operations 9.0

VCF Operations for Logs 9.0

Resolution

This will be resolved in an upcoming release.

As a workaround, use the Replace With Imported Certificate flow until the issue is resolved.