Avi Portal Certificate Not Updated After Automatic Renewal

Article ID: 407055

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

When the Avi portal's SSL/TLS certificate is automatically renewed using a certificate management profile, the new certificate is not correctly applied to the system configuration.

As a result, the Avi Controller UI will continue to display and serve the old, pre-renewal certificate, even though a new one has been successfully generated.

Cause

  • The underlying issue stems from how the certificate renewal API request is processed.
  • The specific API call used for auto-renewal (POST /api/sslkeyandcertificate/<uuid>/renew) does not trigger the required reconfiguration of the controller's web server.
  • In contrast, manually updating a certificate via PUT or PATCH requests correctly forces this reconfiguration, which loads the new certificate.
  • The absence of this trigger in the auto-renewal workflow causes the system to continue using the old certificate loaded in its active configuration.

Resolution

This issue is resolved in Avi version 31.2.1.

To permanently resolve this issue, it is recommended to upgrade Avi to this version once it is released.

Workaround:

  • The new certificate can be forced into the active configuration with a simple action.
  • Navigate to Administration > System Settings in the Avi UI and click Save without making any changes.
  • This "dummy save" action triggers the necessary system reconfiguration and correctly applies the renewed certificate.
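
To confirm whether a Controller is affected, or that the workaround took effect, compare the certificate the portal actually serves with the renewed one. The following is an added example, not VMware's code: the function names and the placeholder certificate bytes are constructed for illustration, and the renewed PEM is assumed to have been exported from the Controller.

```python
import hashlib
import re
import ssl

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first certificate in a PEM string (the leaf in a chain)."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Hash the DER bytes so line wrapping and CRLF differences do not matter.
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def fetch_served_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate the Controller web server presents right now."""
    # No chain validation: the goal is only to fingerprint what is served.
    return ssl.get_server_certificate((host, port))


def portal_cert_is_stale(served_pem: str, renewed_pem: str) -> bool:
    """True when the served certificate is not the renewed one from the config."""
    return leaf_fingerprint(served_pem) != leaf_fingerprint(renewed_pem)


# Constructed placeholders: arbitrary bytes wrapped as PEM, not real certificates.
OLD_PEM = ssl.DER_cert_to_PEM_cert(b"constructed old portal certificate bytes " * 3)
NEW_PEM = ssl.DER_cert_to_PEM_cert(b"constructed renewed portal certificate bytes " * 3)

if __name__ == "__main__":
    # Before the "dummy save": the web server still presents the old certificate.
    print("stale before save:", portal_cert_is_stale(OLD_PEM, NEW_PEM))
    # After the save: the served certificate matches the renewed one.
    print("stale after save: ", portal_cert_is_stale(NEW_PEM, NEW_PEM))
    # Against a live Controller (hostname is a placeholder):
    #   portal_cert_is_stale(fetch_served_pem("controller.example.com"), renewed_pem)
```

A result of True after an automatic renewal indicates the web server is still serving the pre-renewal certificate.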