VCF Operations for Networks certificate replacement initiated from Fleet Management failed with error LCMVRNICONFIG9019.
Review of Fleet Management logs (/var/log/vrlcm/vmware_vrlcm.log) confirmed that while the certificate was successfully fetched from vRNI, the update certificate API call failed with HTTP 400 Bad Request. The request payload showed the private_key field as null, leading to the error message: “Either private key or certificate is missing in the request.” The task subsequently failed with error code LCMVRNICONFIG9019.
Snippets:
YYYY-MM-DDTHH:MM:SS.SSSZ INFO vrlcm[1307] [pool-3-thread-91] [c.v.v.l.p.c.v.d.h.VRNIUtils] -- Successfully fetched certificates from vRNI
YYYY-MM-DDTHH:MM:SS.SSSZ INFO vrlcm[1307] [pool-3-thread-91] [c.v.v.l.p.c.v.d.h.VRNIUtils] -- Calling update certificate API - path /api/ni/settings/certificates
/##################TA= - request - {"certificate":"-----BEGIN CERTIFICATE-----\nMI
[...]
rY=\n-----END CERTIFICATE-----\n","private_key":null}
YYYY-MM-DDTHH:MM:SS.SSSZ INFO vrlcm[1307] [pool-3-thread-91] [c.v.v.l.u.CustomTrustManager] -- Certificate chain trusted
YYYY-MM-DDTHH:MM:SS.SSSZ INFO vrlcm[1307] [pool-3-thread-91] [c.v.v.l.p.c.v.d.h.VRNIUtils] -- Response code - 400 and data - {"code":400,"message":"Bad Request","details":[{"code":400,"message":"Either private key or certificate is missing in the request.","target":[]}]}
YYYY-MM-DDTHH:MM:SS.SSSZ ERROR vrlcm[1307] [pool-3-thread-91] [c.v.v.l.p.c.v.d.h.VRNIUtils] -- Failed to update certificate
YYYY-MM-DDTHH:MM:SS.SSSZ INFO vrlcm[1307] [pool-3-thread-91] [c.v.v.l.p.a.s.Task] -- Injecting task failure event. Error Code : 'LCMVRNICONFIG9019', Retry : 'true', Causing Properties : '{ CAUSE :: }'
com.vmware.vrealize.lcm.plugin.core.vrni.common.exception.VRNIPlatformException: Failed to update certificate. Try again
at com.vmware.vrealize.lcm.plugin.core.vrni.certificate.ApplyVRNICertificateTask.execute(ApplyVRNICertificateTask.java:201) [vmlcm-vrniplugin-core-9.0.1.0-SNAPSHOT.jar!/:?]
at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:62) [vmlcm-engineservice-core-9.0.1.0-SNAPSHOT.jar!/:?]
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
at java.base/java.lang.Thread.run(Unknown Source) [?:?]
YYYY-MM-DDTHH:MM:SS.SSSZ INFO vrlcm[1307] [scheduling-1] [c.v.v.l.r.c.RequestProcessor] -- Updating the Environment request status to FAILED for request ID : ########-####-####-####-########8f with request type : REPLACE_PRODUCT_CERTIFICATE.
VCF Operations 9.x
VCF Operations for Networks 9.x
Multiple attempts to import the certificate likely caused a race condition in the database, resulting in a null entry. Consequently, the private key associated with the imported CA-signed certificate was missing (set to null) in the Fleet Management database table vm_locker_certificate.
A manual database update is required to restore the missing private key entry in the Fleet Management database.
Please open a case with Broadcom Support for assistance and reference the relevant knowledge base article to safely perform the correction.
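To confirm that a failed request matches this signature before opening the case, the following added example (not Broadcom's code) scans the text of /var/log/vrlcm/vmware_vrlcm.log for an update-certificate call that sent "private_key":null and then ended in a task failure. The function names are hypothetical, the record layout is assumed to match the snippets above, and the sample log is constructed.

```python
import re
# Record header as seen in the snippets: timestamp, level, vrlcm[pid], [thread], [logger], "--", message.
HEADER = re.compile(r'^\S+ (?:INFO|WARN|ERROR|DEBUG) vrlcm\[\d+\] \[([^\]]+)\] \[[^\]]+\] -- (.*)$')
NULL_KEY = re.compile(r'"private_key"\s*:\s*null')
RESPONSE = re.compile(r'Response code - (\d+)')
ERROR_CODE = re.compile(r"Error Code : '(\w+)'")

def records(log_text):
    """Yield [thread, message], folding continuation lines (payload, stack trace) into their record."""
    current = None
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            current = [m.group(1), m.group(2)]
        elif current:
            current[1] += "\n" + line
    if current:
        yield current

def find_null_key_failures(log_text):
    """Return metadata only (never certificate or key text) for failed attempts that sent a null key."""
    attempts, findings = {}, []
    for thread, msg in records(log_text):
        if "Calling update certificate API" in msg:
            attempts[thread] = {"thread": thread, "null_key": bool(NULL_KEY.search(msg)),
                                "http_status": None, "error_code": None}
        elif thread in attempts:
            if m := RESPONSE.search(msg):
                attempts[thread]["http_status"] = int(m.group(1))
            elif m := ERROR_CODE.search(msg):
                attempt = attempts.pop(thread)
                attempt["error_code"] = m.group(1)
                if attempt["null_key"]:
                    findings.append(attempt)
    return findings

# Constructed sample modelled on the snippets above (timestamps, thread 12 and payloads are made up).
SAMPLE = r"""2025-01-01T10:00:00.000Z INFO vrlcm[1307] [pool-3-thread-91] [c.v.v.l.p.c.v.d.h.VRNIUtils] -- Calling update certificate API - path /api/ni/settings/certificates
/EXAMPLE= - request - {"certificate":"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n","private_key":null}
2025-01-01T10:00:00.100Z INFO vrlcm[1307] [pool-3-thread-12] [c.v.v.l.p.c.v.d.h.VRNIUtils] -- Calling update certificate API - path /api/ni/settings/certificates
/EXAMPLE= - request - {"certificate":"CONSTRUCTED","private_key":"REDACTED"}
2025-01-01T10:00:00.200Z INFO vrlcm[1307] [pool-3-thread-91] [c.v.v.l.p.c.v.d.h.VRNIUtils] -- Response code - 400 and data - {"code":400,"message":"Bad Request"}
2025-01-01T10:00:00.400Z INFO vrlcm[1307] [pool-3-thread-91] [c.v.v.l.p.a.s.Task] -- Injecting task failure event. Error Code : 'LCMVRNICONFIG9019', Retry : 'true', Causing Properties : '{ CAUSE :: }'
"""

if __name__ == "__main__":
    print(find_null_key_failures(SAMPLE))
```

Attempts are tracked per worker thread, so interleaved requests from other threads are not attributed to the failing one.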