Failure while deploying Ops for Logs 9

Products

VCF Operations

Issue/Introduction

During the VCF Operations upgrade to 9.0.1, Trigger inventory sync is mandatory and it fails for Operations for logs component with Error Code: LCMVRLICONFIG40119
When attempting to deploy Operations for Logs appliances from Fleet Management. The Operations for Logs appliances are deployed. However, the deployment failed on Stage 12 with Error Code: LCMVRLICONFIG40119

Error occurred while pushing capabilities to VCF Ops Logs, statusCode : 504 : {"errorMessage":"Host connection problem.","errorCode":"VROPS_INTEGRATION_ERROR","errorDetails":{"errorCode":"com.vmware.loginsight.api.errors.vrops.host_connection_problem"}} : {"errorMessage":"Host connection problem.","errorCode":"VROPS_INTEGRATION_ERROR","errorDetails":{"errorCode":"com.vmware.loginsight.api.errors.vrops.host_connection_problem"}}

Environment

VCF Operations 9.x

Cause

Certificate validation issue coming from VCF Operations. The certificate of Primary node is different than the trusted VCF Operations certificate on VCF Operations for Logs.

On a VCF Operations cluster, when self-signed certificate is issued by default, each cluster node will have it's own slice certificate. Due to a Operations cluster reboot, and Replica role switched to Primary, the replica's certificate was added to the Operations for Logs truststore. The Operations for Logs is trying to validate but failed to validate the VCF Operations certificate. The following Error Exception can be seen on the /storage/var/loginsight/runtime.log

[2025-09-18 11:27:52.741+0000] ["application-akka.actor.default-dispatcher-387"/###.###.###.### ERROR] [com.vmware.loginsight.vropssuite.VropsSuiteApiRequest] [Unable to connect to the Realize Operations]
java.lang.RuntimeException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
at com.vmware.ops.api.client.internal.RestClientProxy.invoke(RestClientProxy.java:237) ~[vcops-suiteapi-client-1.80.jar:?]
at com.vmware.ops.api.client.internal.DefaultClient$InvocationHandlerWrapper.invoke(DefaultClient.java:417) ~[vcops-suiteapi-client-1.80.jar:?]
at com.sun.proxy.$Proxy200.acquireToken(Unknown Source) ~[?:?]
at com.vmware.loginsight.vropssuite.VropsSuiteApiRequest.getAuthHeaderValue(VropsSuiteApiRequest.java:325) ~[vcops-lib.jar:?]
at com.vmware.loginsight.vropssuite.VropsSuiteApiRequest.urlConnectionRequest(VropsSuiteApiRequest.java:605) ~[vcops-lib.jar:?]
at com.vmware.loginsight.vropssuite.VropsSuiteApiRequest.tryConnection(VropsSuiteApiRequest.java:342) ~[vcops-lib.jar:?]
at com.vmware.loginsight.commons.vrops.VropsAdapterRestApi.testConnection(VropsAdapterRestApi.java:315) ~[vcops-lib.jar:?]
at com.vmware.loginsight.api.providers.vcfCapability.VCFCapabilityProvider.testConnectionVCF(VCFCapabilityProvider.java:217)

Resolution

SSH into the Operations for Logs appliance.
Perform the following openssl command to retrieve the certificate chain of the VCF Operations:
```
openssl s_client -connect VCF_OPERATION_FQDN:443 -showcerts
```
Identify and copy the root certificate. Save it to a root.crt file.

Perform the following command to add the root certificate to the Truststore.

keytool-no-provider -importcert -file root.crt -cacerts -alias vrops_root -storepass changeit

Perform steps 1 to 4 on all Operations for Logs nodes.
Go back to VCF Operations and retry the integration.

In case you face issues when adding the root certificate to the truststore. Please review the How to replace a corrupted truststore in Aria Operations for Logs KB article for resolution.

Alternatively, a custom certificate can be issued to the VCF Operations. When a custom certificate is issued, the same certificate is being sync to all nodes on the cluster, providing all nodes to have the same certificate fingerprint consistently. This will ensure no certificate validation issue on the endpoint Operations for Logs environment.

Here is a reference to Configure a Certificate For Use With VCF Operations