VIO LDAP Certificate expired alarm.Error "Check LDAP Certificate expiry status"

Article ID: 417799

Products

VMware Integrated OpenStack

Issue/Introduction

  • A "VIO LDAP Certificate expired" alarm appeared during the connectivity check of viocli check health.
  • There are no alerts in vCenter or the VIO UI about LDAP certificates.
  • All existing certificates were validated and look good.

#viocli check health 

connectivity.sh check_ldap_cert_expire: Check LDAP Certificate expiry status:
 
[ldap_5.crt]:Pass;
[ldap_4.crt]:Pass;
[ldap_3.crt]:Pass;
[ldap_2.crt]:expired:700 day(s) 3 hour(s);
[ldap_1.crt]:expired:699 day(s) 23 hour(s);
[ldap_0.crt]:Pass.

Environment

  • VMware Integrated OpenStack : 7.x

Cause

  • These are expired certificates that remain in the system directory; they are no longer actively used but have not been cleaned up.
  • If VIO is still authenticating properly against your LDAP (AD/identity source) and there are no authentication or Keystone issues, the expired ones are just stale certificates left over from older rotations.
  • VIO still triggers the "LDAP certificate expired" alarm when it detects any expired file matching /etc/ssl/certs/ldap_*.crt (or the equivalent path used in your deployment).

Resolution

Remove the stale LDAP certificates by following the steps below:

1. SSH to vio-manager and run the following command:

#viocli update keystone

2. Refer to the output from "viocli check health":

[ldap_5.crt]:Pass;
[ldap_4.crt]:Pass;
[ldap_3.crt]:Pass;
[ldap_2.crt]:expired:700 day(s) 3 hour(s);
[ldap_1.crt]:expired:699 day(s) 23 hour(s);
[ldap_0.crt]:Pass.

3. Under conf.ldap_cert, remove the 1st, 2nd and 3rd certificates and keep the 4th, 5th and 6th.

Note:

  • Location of conf.ldap_cert : /etc/keystone/
  • Take a backup of "conf.ldap_cert" before making any changes.
  • ldap_0 corresponds to the 1st certificate in spec.ldap_cert in the keystone CR; likewise ldap_1 and ldap_2 correspond to the 2nd and 3rd. (The 2nd and 3rd certificates are expired, and the 1st certificate is the same as the 4th.)

4. Save the changes and wait until the helm job refreshes the keystone-etc secret.

5. Once the keystone CR has been edited as above, the health check output will show a new set of ldap_0, ldap_1 and ldap_2 with none expired.
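The health check above flags any expired entry, and the fix amounts to deciding which certificates in the ldap_cert bundle are expired or duplicated before editing the keystone CR. The following script, added here as an example and not part of VIO or the viocli tooling, does that review offline against a backup copy of the bundle: it walks each PEM certificate with a minimal DER reader (stdlib only, reading just tbsCertificate.validity.notAfter, no signature or chain validation), reports each one in the same "[ldap_N.crt]:Pass / expired:N day(s) M hour(s)" shape as the health check, and returns a bundle containing only unexpired, de-duplicated certificates. The function names, the fixed "now" instant, and the constructed certificate-shaped DER blobs in the sample are assumptions made for this example; the sample blobs are not real certificates.

```python
"""Review a PEM certificate bundle the way the VIO LDAP health check does
(added example; stdlib only, not VIO code)."""
import base64
import hashlib
import re
from datetime import datetime, timezone

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the body of a constructed DER element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """Decode an X.509 Time: UTCTime (0x17) or GeneralizedTime (0x18)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def not_after(der_cert):
    """Return the notAfter instant of a DER-encoded X.509 certificate."""
    _, cert_body, _ = _tlv(der_cert, 0)          # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)               # tbsCertificate SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                     # optional explicit [0] version
        fields = fields[1:]
    validity = _children(fields[3][1])           # serial, sigAlg, issuer, validity
    return _parse_time(*validity[1])             # validity = {notBefore, notAfter}


def pem_block(der):
    """Wrap DER bytes as one PEM CERTIFICATE block."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def prune_bundle(pem_bundle, now=None):
    """Report every cert in health-check style and return (report, kept_bundle)
    where kept_bundle holds only unexpired, de-duplicated certificates."""
    now = now or datetime.now(timezone.utc)
    report, kept, seen = [], [], set()
    for idx, b64 in enumerate(PEM_RE.findall(pem_bundle)):
        der = base64.b64decode("".join(b64.split()))
        fingerprint = hashlib.sha256(der).hexdigest()
        expiry = not_after(der)
        if expiry < now:
            age = now - expiry
            report.append(f"[ldap_{idx}.crt]:expired:{age.days} day(s) {age.seconds // 3600} hour(s)")
            continue
        if fingerprint in seen:                  # same cert listed twice (e.g. 1st == 4th)
            report.append(f"[ldap_{idx}.crt]:duplicate of earlier cert")
            continue
        seen.add(fingerprint)
        report.append(f"[ldap_{idx}.crt]:Pass")
        kept.append(pem_block(der))
    return report, "".join(kept)


# --- constructed sample input (assumption: certificate-shaped DER, NOT real certs) ---
def _der(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def fake_cert(not_after_utc):
    """Build just enough DER structure for not_after() to parse; unsigned, no key."""
    utctime = lambda s: _der(0x17, s.encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                                   # [0] version v3
        _der(0x02, b"\x01"),                                               # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),   # sha256WithRSA OID
        _der(0x30, b""),                                                   # issuer (empty)
        _der(0x30, utctime("220101000000Z") + utctime(not_after_utc)),     # validity
        _der(0x30, b""),                                                   # subject (empty)
        _der(0x30, b""),                                                   # spki placeholder
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


SAMPLE_NOW = datetime(2025, 6, 1, 3, 30, tzinfo=timezone.utc)   # fixed clock for the demo
_VALID = fake_cert("270101000000Z")
# 1st cert valid, 2nd expired, 3rd a byte-for-byte repeat of the 1st
SAMPLE_BUNDLE = pem_block(_VALID) + pem_block(fake_cert("230630000000Z")) + pem_block(_VALID)

if __name__ == "__main__":
    lines, cleaned = prune_bundle(SAMPLE_BUNDLE, now=SAMPLE_NOW)
    print("\n".join(lines))
    print(f"kept {cleaned.count('BEGIN CERTIFICATE')} certificate(s)")
```

Run it against a backup copy of the ldap_cert bundle (for example `prune_bundle(open("conf.ldap_cert.bak").read())`) to see which entries the health check will count as expired and which are repeats, then make the actual change through viocli update keystone as in step 3. Two-digit UTCTime years are mapped by Python's strptime (00-68 as 20xx), which covers any certificate still in rotation.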