Aria Orchestrator UI Inaccessible After Custom TLS Certificate Update Due to Private Key Format Mismatch

Article ID: 410702

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

When a custom TLS certificate is applied to the Aria Orchestrator appliance, the vRO user interface (UI) may become inaccessible, even though the underlying services appear to be running.

This happens when the PEM header on the private key does not match the key's actual encoding: the key body is PKCS#8 (the format OpenSSL writes by default), but its header was hand-edited to the PKCS#1 label -----BEGIN RSA PRIVATE KEY-----, so the key is rejected as malformed.

Environment

  • VMware Aria Automation Orchestrator 8.18.x

Cause

  • This issue arises from a specific private key format incompatibility:

    • Private Key Generation: Customers often generate private keys using openssl req -nodes -newkey rsa:2048 -keyout ... (or similar commands). OpenSSL 1.0.0 and later write this key in PKCS#8 format by default.

            This key starts with the header -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----.

    • Manual Header Modification: If a user edits the header of that PKCS#8 key to -----BEGIN RSA PRIVATE KEY----- without converting the underlying encoding, the result is a malformed key: the header claims PKCS#1, but the base64 body is still a PKCS#8 PrivateKeyInfo structure. Renaming the file or relabelling the header does not change the encoding; only a real conversion (for example with openssl) does.

    • Parsing Failure: The ingress component of Aria Orchestrator (Contour) chooses the parser from the PEM header. For -----BEGIN RSA PRIVATE KEY----- it applies the PKCS#1 parser, finds PKCS#8 bytes, and rejects the secret; the logged error below is the Go crypto/x509 message for exactly that case. Because the secret is never accepted, the TLS listener for the UI is not configured and the web UI becomes inaccessible.

  Diagnostic Clue
  The only log entry that points at this specific problem is in the contour.log file on the vRO appliance:

    /services-logs/prelude/contour/contour/console-logs/contour.log
    time="2025-09-02T13:35:55Z" level=error msg="unresolved secret reference" context=IngressProcessor error="invalid TLS private key: x509: failed to parse private key (use ParsePKCS8PrivateKey instead for this key format)" name=dispatch namespace=prelude secret=prelude/contour-ingress-cert-and-key

Resolution

To resolve this issue, the private key provided to Aria Orchestrator must be a PKCS#8 key whose PEM label matches its content: the file must start with -----BEGIN PRIVATE KEY----- and end with -----END PRIVATE KEY-----, and the base64 body between them must actually be PKCS#8. Editing the header alone never fixes a mismatch; the label and the encoding have to agree.

  1. Connect to the Aria Orchestrator Appliance via SSH:
    Connect as root to your Aria Orchestrator appliance.

    • Restore or Convert the Private Key to PKCS#8:
      If the key was generated with openssl req (PKCS#8 body) and only its header and footer lines were edited, change those two lines back to -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----; the base64 body is left as it is. If the key body really is PKCS#1 (not just relabelled), convert it instead, for example with openssl pkcs8 -topk8 -nocrypt -in <original.key> -out vro_pkcs1.key (the file name follows this article; the content written is PKCS#8).

    • Verify the Converted Private Key:
      Open the resulting key file (e.g., vro_pkcs1.key) with a text editor (like vi or nano) and confirm that its header and footer read:

      -----BEGIN PRIVATE KEY-----
      -----END PRIVATE KEY-----

      Checking the label alone is not proof that the body matches it; openssl pkey -in vro_pkcs1.key -noout exits without error only when the label and the encoding agree.
      
  2. Re-apply the Custom TLS Certificate:
    Follow the official documentation again, ensuring you use the newly converted PKCS#8 private key (vro_pkcs1.key) along with your primary, intermediate, and root certificates.

  3. Verify UI Access:
    After successfully re-applying the certificate with the correctly formatted private key, the Aria Orchestrator UI should become accessible.
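To make the cause and the fix concrete, the following Go program is an added example written for this article; it is not Contour's or the appliance's code. It builds the malformed key in memory (a constructed sample: a PKCS#8 body under a hand-edited PKCS#1 label), parses it the way a validator that trusts the PEM label would (assumed to match Contour's behaviour, based on the error text quoted from contour.log), reproduces the exact crypto/x509 error, and then repairs only the label so the same key bytes parse. The function names (detectFormat, parseTrustingLabel, repairLabel, malformedSample) are hypothetical.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// KeyFormat names what the DER bytes inside a PEM block really are.
type KeyFormat string

const (
	FormatPKCS1   KeyFormat = "PKCS#1"
	FormatPKCS8   KeyFormat = "PKCS#8"
	FormatUnknown KeyFormat = "unknown"
)

// pemTypeFor maps a detected encoding to the PEM label that truthfully describes it.
var pemTypeFor = map[KeyFormat]string{
	FormatPKCS1: "RSA PRIVATE KEY",
	FormatPKCS8: "PRIVATE KEY",
}

// detectFormat ignores the PEM label entirely and probes the DER body.
func detectFormat(der []byte) KeyFormat {
	if _, err := x509.ParsePKCS1PrivateKey(der); err == nil {
		return FormatPKCS1
	}
	if _, err := x509.ParsePKCS8PrivateKey(der); err == nil {
		return FormatPKCS8
	}
	return FormatUnknown
}

// parseTrustingLabel models a validator that picks the parser from the PEM
// label (assumed to be how the ingress validates the secret, not its code).
// A PKCS#8 body under an "RSA PRIVATE KEY" label produces the crypto/x509
// error seen in contour.log.
func parseTrustingLabel(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		rsaKey, ok := key.(*rsa.PrivateKey)
		if !ok {
			return nil, errors.New("PKCS#8 key is not RSA")
		}
		return rsaKey, nil
	default:
		return nil, fmt.Errorf("unsupported PEM type %q", block.Type)
	}
}

// repairLabel rewrites only the BEGIN/END label so it matches the body; the
// key material is untouched. A body it cannot classify is refused, not guessed.
func repairLabel(pemBytes []byte) ([]byte, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	label, ok := pemTypeFor[detectFormat(block.Bytes)]
	if !ok {
		return nil, errors.New("body is neither PKCS#1 nor PKCS#8; regenerate the key")
	}
	return pem.EncodeToMemory(&pem.Block{Type: label, Bytes: block.Bytes}), nil
}

// malformedSample constructs, in memory, the mistake the article describes:
// a PKCS#8 body (what openssl req writes) under a hand-edited PKCS#1 label.
func malformedSample() ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der}), nil
}

func main() {
	bad, err := malformedSample()
	if err != nil {
		panic(err)
	}
	if _, err := parseTrustingLabel(bad); err != nil {
		fmt.Println("label-trusting parse:", err)
	}
	fixed, err := repairLabel(bad)
	if err != nil {
		panic(err)
	}
	if _, err := parseTrustingLabel(fixed); err == nil {
		fmt.Println("after label repair: key parses")
	}
}
```

Running it prints the same "use ParsePKCS8PrivateKey instead for this key format" message that appears in contour.log, followed by a successful parse of the identical key bytes once the label is restored. The repair deliberately refuses to invent a label for a body it cannot classify, which is the safer behaviour for anything that touches TLS key material.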