Unable to make changes on VCD due to expired Avi controller certificate

Article ID: 426536

Updated On:

Products

VMware Avi Load Balancer

Issue/Introduction

An error message appears when trying to sync an existing Service Engine group to VCD.

The operation fails with the following error message in the VCD UI:

I/O error on POST request for "https://<controller IP/ fqdn>/login": PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed - NotAfter:Date and time

Environment

VMware Avi Load Balancer with VMware Cloud Director (VCD)

Cause

This error occurs because VCD fails to log in to the Controller: the Controller certificate has expired.
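To tell this expired-certificate case apart from other TLS trust failures when reading VCD errors, the following added example (not part of the original article or of VMware's tooling) classifies lines shaped like the message quoted above. The hostnames, dates and sample lines are constructed, and the `NotBefore` and untrusted-issuer branches go beyond the single case this article covers.

```python
import re

# Constructed sample lines in the shape of the VCD error quoted in this article.
# Hostnames and dates are made up for illustration.
SAMPLE_LINES = [
    'I/O error on POST request for "https://avi-ctrl.example.internal/login": '
    'PKIX path validation failed: java.security.cert.CertPathValidatorException: '
    'validity check failed; nested exception is javax.net.ssl.SSLHandshakeException: '
    'PKIX path validation failed: java.security.cert.CertPathValidatorException: '
    'validity check failed - NotAfter: Sat Jan 04 10:00:00 UTC 2025',
    'I/O error on POST request for "https://avi-ctrl2.example.internal/login": '
    'PKIX path building failed: '
    'sun.security.provider.certpath.SunCertPathBuilderException: '
    'unable to find valid certification path to requested target',
    'Sync of Service Engine group completed',
]

URL_RE = re.compile(r'request for "https://([^/"\s]+)')
VALIDITY_RE = re.compile(r'validity check failed - (NotAfter|NotBefore):\s*(.+?)\s*$')

def classify(line):
    """Return (host, cause, detail) for a TLS trust failure, or None."""
    if "PKIX path" not in line:
        return None
    m = URL_RE.search(line)
    host = m.group(1) if m else None
    v = VALIDITY_RE.search(line)
    if v and v.group(1) == "NotAfter":
        return host, "expired", v.group(2)        # the case in this article
    if v:
        return host, "not-yet-valid", v.group(2)  # clock skew or future-dated cert
    if "unable to find valid certification path" in line:
        return host, "untrusted-issuer", None     # trust store problem, not expiry
    return host, "other-pkix", None

def triage(lines):
    """Classify every line and keep only the TLS trust failures."""
    return [r for r in map(classify, lines) if r is not None]

if __name__ == "__main__":
    for host, cause, detail in triage(SAMPLE_LINES):
        print(f"{host}: {cause} {detail or ''}".rstrip())
```

Only the `expired` result calls for the certificate renewal or replacement described under Resolution; `untrusted-issuer` points at the trust store on the VCD side instead.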

 

Resolution

Based on the requirement, the Controller certificate can be handled in one of the following ways:

  1. Renew Existing Controller Certificate
    Renewal is supported only for SSL certificates attached to a Management Profile.
    Refer to: How to Renew Controller Certificate - Automatic Certificate Renewal

  2. Create New Controller Certificate
    A new certificate can be created by:

Prerequisites for Controller certificate renewal:

  • Certificate must be attached to a Management Profile (for renewal).

  • Admin access to Controller UI/CLI.

  • Backup of existing certificate and key.

  • CA chain certificate available (if CA-signed).

  • Planned maintenance window if UI access may be impacted.