SSL Certificate Expiry warnings not fired as expected
Article ID: 409821

Products

VMware Avi Load Balancer

Issue/Introduction

  • By default, the Avi Controller generates warning events when an SSL certificate is close to expiry.
  • It generates an event at 30, 7 and 1 day(s) before expiry. Refer to this document for more details.
  • In environments where a certificate management profile is configured, automatic renewals are attempted based on the above expiry events.
  • More specifically, if a certificate associated with a certificate management profile is about to expire, the renewal process is initiated in the last-but-one interval. Refer to this document for more details.
  • When this issue is hit, the certificate expiry events are not triggered in the expected order.
  • This can delay the renewal or prevent it from running at the expected intervals.
  • To understand whether this issue has been hit, take the default values: 30, 7, 1.
    • With these values, the SSL certificate expiry event should be raised 30 days, 7 days and 1 day before expiry.
    • Because of this bug, the first expiry event is instead raised 1 day before the certificate expires.
    • With the expected behavior, renewal is attempted 7 days before expiry and once more 1 day before expiry if the first attempt fails.
    • With the issue, the first event is raised only 1 day before expiry, so there is effectively only one renewal attempt.


Environment

  • Avi versions 30.1.x and 30.2.1 through 30.2.3.

Cause

  • Any modification to the ControllerProperties object can trigger this.
  • These include, but are not limited to:
    • Changes to the My Account settings via the UI.
    • Configuring the "shared_ssl_certificate" knob via the CLI.
    • Toggling "cloud_reconcile" via the CLI.

Resolution

  • This issue is fixed in version 30.2.4, which is also the current recommended release. Release Notification guide.
  • To fix this issue, upgrade to 30.2.4 or later.
  • If upgrading immediately is not an option, increase the SSL expiry warning days so that renewal is attempted with a comfortable lead time before expiry.
  • For example, you can set it to 40, 35, 30 days to trigger a renewal at 30 days before expiry.
  • Use the steps below to configure this:
    [admin:cntlr-ip]: > configure controller properties
    [admin:cntlr-ip]: controllerproperties> ssl_certificate_expiry_warning_days 45
    [admin:cntlr-ip]: controllerproperties> ssl_certificate_expiry_warning_days 35
    [admin:cntlr-ip]: controllerproperties> ssl_certificate_expiry_warning_days 30
    [admin:cntlr-ip]: controllerproperties> save
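
The following is an added example, not code from this article or from the Avi product. It models the event and renewal schedule described in the Issue section (events at each configured threshold, renewal attempted from the last-but-one interval onward) and gives two checks a defender can run offline: whether a set of thresholds leaves enough lead time for renewal, and whether the expiry events seen in the controller's event log fired in the expected order (the bug shows up as the first event firing only 1 day before expiry). The certificate expiry date, the threshold lists and the observed event list are constructed sample values; the assumption that renewal is attempted at the last-but-one threshold and again at every later one is taken from the text's 30/7/1 walkthrough.

```python
from datetime import date, timedelta

# Default thresholds named in the article: events at 30, 7 and 1 day before expiry.
DEFAULT_WARNING_DAYS = [30, 7, 1]

# Constructed sample expiry date (notAfter) used by the demonstration below.
SAMPLE_NOT_AFTER = date(2025, 6, 30)


def event_schedule(not_after, warning_days):
    """Return [(days_before, event_date), ...] from the earliest to the latest event.

    Thresholds are de-duplicated and sorted descending so that the first entry is the
    event that should fire first (furthest from expiry).
    """
    thresholds = sorted(set(warning_days), reverse=True)
    return [(d, not_after - timedelta(days=d)) for d in thresholds]


def renewal_attempt_days(warning_days):
    """Thresholds at which automatic renewal is attempted.

    Assumption from the article's walkthrough: the first (largest) threshold is a warning
    only; renewal is attempted in the last-but-one interval and again at each later one,
    so [30, 7, 1] -> [7, 1].
    """
    thresholds = sorted(set(warning_days), reverse=True)
    return thresholds if len(thresholds) < 2 else thresholds[1:]


def first_renewal_lead_days(warning_days):
    """Lead time (days before expiry) of the first renewal attempt."""
    return renewal_attempt_days(warning_days)[0]


def days_before_expiry(event_date, not_after):
    """Convert an event timestamp from the log into a days-before-expiry value."""
    return (not_after - event_date).days


def check_event_order(observed_days_before, warning_days):
    """Compare fired events (as days-before-expiry, in firing order) with the expected order.

    Returns (ok, message). The bug described in the article produces a first event at
    1 day before expiry instead of at the largest configured threshold.
    """
    expected = sorted(set(warning_days), reverse=True)
    observed = list(observed_days_before)
    if not observed:
        return False, "no expiry events fired"
    if observed[0] != expected[0]:
        return False, (f"first event fired {observed[0]} day(s) before expiry, "
                       f"expected {expected[0]}: expiry events are out of order")
    if observed != expected[:len(observed)]:
        return False, f"events fired out of order: {observed} vs expected {expected}"
    return True, "expiry events fired in the expected order"


if __name__ == "__main__":
    for days, when in event_schedule(SAMPLE_NOT_AFTER, DEFAULT_WARNING_DAYS):
        print(f"expect expiry event {days:>2} day(s) before expiry on {when}")
    print("renewal attempts at:", renewal_attempt_days(DEFAULT_WARNING_DAYS))

    # Constructed: with the bug, the only event seen fires 1 day before expiry.
    buggy_events = [days_before_expiry(SAMPLE_NOT_AFTER - timedelta(days=1), SAMPLE_NOT_AFTER)]
    print(check_event_order(buggy_events, DEFAULT_WARNING_DAYS)[1])

    # Mitigation thresholds from the Resolution section give a longer first-attempt lead.
    print("first renewal lead with [45, 35, 30]:", first_renewal_lead_days([45, 35, 30]), "days")
```

Feed `check_event_order` the days-before-expiry values of the SSL expiry events as they appear in the controller's event log; a first value well below the largest configured threshold is the signature of this issue and is the cue to apply the workaround above or upgrade.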