You can auto-renew certificates via the configured Microsoft CA integration on the Management Domain. However, when you try to auto-renew the certificates on the Workload Domain, the task fails with the error:
"Certificate replacement for appliance workload.example.com has failed. This is a task for REPLACE_CERTIFICATE of an appliance"
VCF Operations 9.0.1
Incorrect configuration of the Microsoft CA integration on the Workload Domain.
In Fleet Management > Certificates, the Microsoft CA integration must be configured on both the Management Domain and the Workload Domain. The Management Domain was configured and integrated properly. The Workload Domain still has an incorrect credential and CA template selected.
The following exception entry appears in the SDDC Manager log /var/log/vmware/vcf/operationsmanager/operationsmanager.log:
"Generate certificate operation failed for workload.example.com, com.vmware.vcf.certmgmt.common.exception.CertificateManagementException: Failed to fetch certificate from Microsoft CA with Denied by Policy Module."
Fleet Management > Certificates > VCF Instances > <Workload Instance> Configure CA
Once the Microsoft CA integration is updated, the certificate renewal will complete successfully.
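
To see which appliances hit this failure, the exception message quoted above can be matched in operationsmanager.log and grouped by appliance. This is an added example, not code from the article or from VMware; the function names, the sample lines, their timestamp prefix and the extra host names are constructed for illustration.

```python
import re
import sys
from collections import Counter, defaultdict

# Message shape copied from the log entry quoted above. Whatever precedes it on
# a line (timestamp, level, thread) is ignored, since that prefix is not shown.
FAILURE_RE = re.compile(
    r'Generate certificate operation failed for (?P<host>[^,\s]+), '
    r'(?P<exc>[\w.$]+): '
    r'Failed to fetch certificate from Microsoft CA with (?P<reason>.+?)\.?"?\s*$'
)
POLICY_DENIED = "Denied by Policy Module"


def find_ca_failures(lines):
    """Return {appliance FQDN: Counter({CA failure reason: occurrences})}."""
    failures = defaultdict(Counter)
    for line in lines:
        match = FAILURE_RE.search(line)
        if match:
            failures[match.group("host")][match.group("reason")] += 1
    return dict(failures)


def policy_denied_hosts(lines):
    """Appliances whose renewal failed with the signature described here."""
    return sorted(host for host, reasons in find_ca_failures(lines).items()
                  if POLICY_DENIED in reasons)


# Constructed sample: the timestamp/level prefix, the second and third host
# names and the "Constructed Other Reason" text are invented for illustration.
_EXC = "com.vmware.vcf.certmgmt.common.exception.CertificateManagementException"
_MSG = ("{ts} ERROR Generate certificate operation failed for {host}, " + _EXC +
        ": Failed to fetch certificate from Microsoft CA with {reason}.")
SAMPLE_LOG = "\n".join([
    _MSG.format(ts="2025-01-01T10:00:00Z", host="workload.example.com", reason=POLICY_DENIED),
    "2025-01-01T10:00:02Z INFO unrelated constructed line",
    _MSG.format(ts="2025-01-01T10:05:00Z", host="workload.example.com", reason=POLICY_DENIED),
    _MSG.format(ts="2025-01-01T10:06:00Z", host="workload-nsx.example.com", reason=POLICY_DENIED),
    _MSG.format(ts="2025-01-01T10:07:00Z", host="other.example.com", reason="Constructed Other Reason"),
])

if __name__ == "__main__":
    # Pass the path to operationsmanager.log, or run without arguments for the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            log_lines = fh.readlines()
    else:
        log_lines = SAMPLE_LOG.splitlines()
    for host in policy_denied_hosts(log_lines):
        print(f"{host}: {POLICY_DENIED} -> check this domain's Microsoft CA credential and template")
```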