Negative Serial Number Certificate presented by tca-proxy service when CNF is trying to reach to the TCA Manager
search cancel

Negative Serial Number Certificate presented by tca-proxy service when CNF is trying to reach to the TCA Manager

book

Article ID: 419902

calendar_today

Updated On:

Products

VMware Telco Cloud Automation

Issue/Introduction

During the pre-check phase of a VMware Telco Cloud Automation (TCA) / EVNFM upgrade, the deployment manager fails to communicate with the Kubernetes cluster. The operation fails with a TLS handshake error indicating a certificate parsing issue.

The deployment_manager.log contains the following error:

[ERROR]: Error: Kubernetes cluster unreachable: Get "https://<IP_REDACTED>:8500/version": tls: failed to parse certificate from server: x509: negative serial number

Environment

3.2

Cause

The issue is caused by a malformed X.509 certificate generated by the TCA-M proxy component. The certificate possesses a negative serial number, which violates integer encoding rules expected by the Go-based TLS client in k8s clusters. This results in the client rejecting the connection during the upgrade pre-check.

Resolution

To resolve this issue, apply the patch to the TCA-M proxy component and regenerate the certificate using the steps below.

Prerequisites:

  • Obtain the patch file proxy-3.2.0-cert-patch.tgz from the Broadcom Support Portal.

  • Root access to the TCA-M appliance.

Procedure:

  1. Upload the Patch Transfer the proxy-3.2.0-cert-patch.tgz file to the TCA-M virtual machine (VM).

  2. Import and Retag the Image Log in to the TCA-M VM as root and execute the following ctr commands to import the patch and replace the faulty image. Note: Replace <registry_path> with the specific registry path for your environment if different from default.

    Bash
     
    # Import the patch image
ctr -n=k8s.io images import ./proxy-3.2.0-cert-patch.tgz

# Retag the current image to preserve it (optional backup)
ctr -n=k8s.io images tag <registry_path>/proxy@sha256:ae832e5ae5f47a3e7409b0b919ea31e4d84c5c4ad95ac6c7fd45d37efc281ae7 <local_registry>/proxy:3.2.0-original

# Remove the reference to the faulty image
ctr -n=k8s.io image rm <registry_path>/proxy@sha256:ae832e5ae5f47a3e7409b0b919ea31e4d84c5c4ad95ac6c7fd45d37efc281ae7

# Tag the patched image to the target registry path
ctr -n=k8s.io image tag <local_registry>/proxy:3.2.0-patch <registry_path>/proxy@sha256:ae832e5ae5f47a3e7409b0b919ea31e4d84c5c4ad95ac6c7fd45d37efc281ae7

  3. Clear the Invalid Certificate Access the database and delete the existing certificate entry to force regeneration.

    kubectl -n tca-mgr exec -it postgres-0 – /bin/bash
psql -d tca
    delete from proxy_service_certificates where type = 'Tca';

  4. Restart and Verify Restart the proxy component.

    Restart proxy service or delete proxy pod

    Once the service is online, retry the upgrade pre-check to verify the TLS handshake succeeds.

Attachments

proxy-3.2.0-cert-patch.tgz get_app
Powered by Wolken Software