• Certificate creation using certificate management profile fails with error :

[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain 

• This issue is typically seen when the Certificate Management endpoint uses a privately signed (internal) CA certificate.

All Avi LB versions

The error occurs because the Avi Controller cannot verify the SSL certificate presented by the Certificate Management Profile endpoint. When the endpoint's certificate is signed by a private (internal) root or intermediate Certificate Authority (CA), the Avi Controller does not trust it by default, since these private CA certificates are not included in its trusted certificate store.

Add the root and intermediate certificates to Avi controller. Follow the steps below:

1. Copy the root and intermediate certs (in .pem file) to /etc/ssl/certs on Avi Controller node.
2. Run the below command to rebuild the certificate hash links :
   
   c_rehash /usr/lib/ssl/certs

The above two steps must be carried out on all the controller nodes, if it is a three-node cluster. 

Please note that the steps must be re-done after an upgrade.