8.x endpoint certificates upgrade pre-check fails due to missing certificate entries
Article ID: 425489
Updated On:
Products
Issue/Introduction
When you upgrade from Aria Automation 8.18.1 to VCFA 9.1.x, the Endpoint certificates check pre-check may fail with the following error:
One or more configured endpoints are missing certificate entries.
Environment
VCF Automation 9.1
Cause
In Aria Automation 8.18.1, when you register a vSphere or NSX-T endpoint whose certificate is signed by the same CA as the Aria Automation ingress certificate or by a well-known external CA, the vSphere adapter automatically trusts it as the CA is already present in the truststore. The certificate is not persisted into the provisioning-service database, and the endpoints remain healthy in 8.18.1.
During the upgrade to VCFA 9.1.x, only the Postgres database content migrates. Endpoints that rely on the implicit trust via the shared CA or the well-known external CA might no longer be trusted, causing the error No issuer certificate for certificate in certification path found and certificate_unknown(46) TLS failures post-upgrade.
The pre-check catches this condition in 9.1 before the upgrade proceeds, so you can resolve the issue on the source 8.18.1 environment first.
Resolution
Run the remediation script below on the source Aria Automation 8.18.1 environment before starting the upgrade. The script populates the ingress certificate chain into the provisioning database so that the trust relationship is preserved after migration.
Prerequisites
- Create a backup/snapshot of the source Aria Automation 8.18.1 appliance.
Remediation Steps
- SSH into one of the Aria Automation 8.18.1 nodes.
- Execute the following command:
base64 -d <<< "IyEvYmluL2Jhc2gKIwojIENvcHlyaWdodCAoYykgMjAyNiBCcm9hZGNvbS4gQWxsIFJpZ2h0cyBSZXNlcnZlZC4KIyBCcm9hZGNvbSBDb25maWRlbnRpYWwuIFRoZSB0ZXJtICJCcm9hZGNvbSIgcmVmZXJzIHRvIEJyb2FkY29tIEluYy4KIyBhbmQvb3IgaXRzIHN1YnNpZGlhcmllcy4KCnNldCAtZXUKCmV4cG9ydCBLVUJFQ1RMPSIke0tVQkVDVEw6LWt1YmVjdGx9IgoKIy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tIExvZ2dpbmcgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KbG9nRGlyPSIvdmFyL2xvZy92bXdhcmUvcHJlbHVkZSIKdGltZXN0YW1wPSQoZGF0ZSAnKyVZLSVtLSVkLSVILSVNLSVTJykKcHI9IlZDRkNPTi00MTk4MyIKTE9HX0ZJTEU9IiRsb2dEaXIvcGF0Y2gtcHIkcHItJHRpbWVzdGFtcC5sb2ciCgpta2RpciAtcCAiJGxvZ0RpciIKZXhlYyA+ID4odGVlIC1hICIkTE9HX0ZJTEUiKSAyPiYxCgpmdW5jdGlvbiBsb2coKSB7CiAgbG9jYWwgbXNnPSIkMSIKICBsb2NhbCBsZXZlbD0iJDIiCiAgbG9jYWwgZHQ9JChkYXRlICcrJVktJW0tJWQgJUg6JU06JVMnKQogIGxvY2FsIGhvc3ROYW1lPSIkKGhvc3RuYW1lIC1mKSIKCiAgZWNobyAiWyRsZXZlbF1bJGR0XVskaG9zdE5hbWVdICRtc2ciID4mMgp9CgpmdW5jdGlvbiBsb2dfaW5mbygpIHsKICBsb2cgIiQxIiAiSU5GTyIKfQoKZnVuY3Rpb24gbG9nX2Vycm9yKCkgewogIGxvZyAiJDEiICJFUlJPUiIKfQoKZnVuY3Rpb24gZGllKCkgewogICAgbG9nX2Vycm9yICIkMSIKICAgIGV4aXQgMQp9CgojLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0gREIgaGVscGVycyAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQpmdW5jdGlvbiBnZXRfcG9zdGdyZXNfcG9kKCkgewogICAgbG9jYWwgcG9kCiAgICBwb2Q9JCgiJEtVQkVDVEwiIC1uIHByZWx1ZGUgZ2V0IHBvZHMgLWwgYXBwPXBvc3RncmVzIC1vIGpzb25wYXRoPSd7Lml0ZW1zWzBdLm1ldGFkYXRhLm5hbWV9JykKICAgIFtbIC16ICIkcG9kIiBdXSAmJiBkaWUgIkZhaWxlZCB0byBmaW5kIHBvc3RncmVzIHBvZCBpbiBwcmVsdWRlIG5hbWVzcGFjZSIKICAgIGVjaG8gIiRwb2QiCn0KCmZ1bmN0aW9uIGV4ZWN1dGVfZGJfcXVlcnkoKSB7CiAgICBsb2NhbCBxdWVyeT0iJDEiCiAgICAiJEtVQkVDVEwiIC1uIHByZWx1ZGUgZXhlYyAiJFBPU1RHUkVTX1BPRCIgLS0gYmFzaCAtYyAicHNxbCAtcUF0IHBvc3RncmVzcWw6Ly9wcm92aXNpb25pbmctZGI6JHtQQVNTV0R9QFwkUEdQT09MX1NFUlZJQ0VfSE9TVDpcJFBHUE9PTF9TRVJWSUNFX1BPUlQvcHJvdmlzaW9uaW5nLWRiIC1jIFwiJHtxdWVyeX1cIiIKfQoKIy0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tIE1haW4gbG9naWMgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0KbG9nX2luZm8gIiMjIyBTdGFydGluZyBlbmRwb2ludCBjZXJ0aWZpY2F0ZXMgcGF0Y2ggKCRwcikiCgpQQVNTV0Q9JCgiJEtVQkVDVEwiIC1uIHByZWx1ZGUgZ2V0IHNlY3JldHMgZGItY3JlZGVudGlhbHMgLW8ganNvbnBhdGg9InsuZGF0YS5wcm92aXNpb25pbmctZGJ9IiB8IGJhc2U2NCAtZCkKW1sgLXogIiRQQVNTV0QiIF1dICYmIGRpZSAiRmFpbGVkIHRvIHJldHJpZXZlIGRhdGFiYXNlIHBhc3N3b3JkIgoKUE9TVEdSRVNfUE9EPSQoZ2V0X3Bvc3RncmVzX3BvZCkKbG9nX2luZm8gIlVzaW5nIHBvc3RncmVzIHBvZDogJFBPU1RHUkVTX1BPRCIKCmNlcnQ9L3RtcC9jZXJ0X2ZpbGVfZnFkbi5wZW0KbG9nX2luZm8gIkV4cG9ydGluZyBpbmdyZXNzIGNlcnRpZmljYXRlIGNoYWluIHRvICRjZXJ0Igp2cmFjbGkgY2VydGlmaWNhdGUgaW5ncmVzcyAtLWxpc3QgPiAiJGNlcnQiCgptYXBmaWxlIC1kICcnIGNlcnRpZmljYXRlcyA8IDwoCiAgICBhd2sgJwogICAgICAgIC8tLS0tLUJFR0lOIENFUlRJRklDQVRFLS0tLS0vIHsKICAgICAgICAgICAgaW5fY2VydCA9IDE7CiAgICAgICAgICAgIGNlcnRfYmxvY2sgPSAkMDsKICAgICAgICAgICAgbmV4dDsKICAgICAgICB9CgogICAgICAgIGluX2NlcnQgJiYgLy0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0vIHsKICAgICAgICAgICAgY2VydF9ibG9jayA9IGNlcnRfYmxvY2sgIlxuIiAkMDsKICAgICAgICAgICAgcHJpbnRmICIlc1wwIiwgY2VydF9ibG9jazsKICAgICAgICAgICAgaW5fY2VydCA9IDA7CiAgICAgICAgICAgIGNlcnRfYmxvY2sgPSAiIjsKICAgICAgICAgICAgbmV4dDsKICAgICAgICB9CgogICAgICAgIGluX2NlcnQgewogICAgICAgICAgICBjZXJ0X2Jsb2NrID0gY2VydF9ibG9jayAiXG4iICQwOwogICAgICAgIH0KICAgICcgIiRjZXJ0IgopCgppZiAoKCAkeyNjZXJ0aWZpY2F0ZXNbQF19ID09IDAgKSk7IHRoZW4KICAgIHJtIC1mICIkY2VydCIKICAgIGRpZSAiTm8gY2VydGlmaWNhdGVzIGZvdW5kIGluICckY2VydCcgb3IgZmlsZSBkb2VzIG5vdCBleGlzdC4iCmZpCgpsb2dfaW5mbyAiUGFyc2VkICR7I2NlcnRpZmljYXRlc1tAXX0gY2VydGlmaWNhdGVzocykgZnJvbSBpbmdyZXNzIGNoYWluIgoKbG9nX2luZm8gIkNsZWFyaW5nIGV4aXN0aW5nIGNlcnRfZXh0IGVudHJpZXMgZnJvbSBzc2xfdHJ1c3RfY2VydGlmaWNhdGVfc3RhdGUiCmV4ZWN1dGVfZGJfcXVlcnkgImRlbGV0ZSBmcm9tIHNzbF90cnVzdF9jZXJ0aWZpY2F0ZV9zdGF0ZSB3aGVyZSBkb2N1bWVudF9zZWxmX2xpbmsgbGlrZSAnY2VydF9leHRfJSc7IgoKbG9nX2luZm8gIkluc2VydGluZyBpbmdyZXNzIGNlcnRpZmljYXRlIGNoYWluIGludG8gc3NsX3RydXN0X2NlcnRpZmljYXRlX3N0YXRlIgpmb3IgaSBpbiAiJHshY2VydGlmaWNhdGVzW0BdfSI7IGRvCiAgICBleGVjdXRlX2RiX3F1ZXJ5ICJJTlNFUlQgSU5UTyBzc2xfdHJ1c3RfY2VydGlmaWNhdGVfc3RhdGUgKGRvY3VtZW50X3NlbGZfbGluayxjZXJ0aWZpY2F0ZSkgVkFMVUVTICgnY2VydF9leHRfJCgoaSsxKSknLCcke2NlcnRpZmljYXRlc1skaV19Jyk7IgogICAgbG9nX2luZm8gIkluc2VydGVkIGNlcnRfZXh0XyQoKGkrMSkpIgpkb25lCgpybSAtZiAiJGNlcnQiCmxvZ19pbmZvICIjIyMgRW5kcG9pbnQgY2VydGlmaWNhdGVzIHBhdGNoIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkiCg==" | bash - - Re-run the upgrade pre-check to verify the issue is resolved.
Rollback
If rollback is needed:
- Collect a support bundle before rolling back.
- Revert to the backup/snapshot created before applying the patch.
Feedback
