Generating self-signed certificate that meet VMware Aria Operations for Logs Agent validation requirements
Article ID: 433988


Products

VCF Operations

Issue/Introduction

Renewing a self-signed certificate so that the VMware Aria Operations for Logs Agents continue to accept it without being reconfigured.

Setting ssl_accept_any on the agents is not an acceptable workaround for the customer: it disables server certificate validation on every agent that carries it, and changing it across many agents would incur significant administrative overhead.

The following error is observed in the agent logs:

Rejecting peer self signed certificate received from <NAME>. Public key doesn't match previously stored certificate's key.

Environment

VMware Aria Operations for Logs 8.18.x

Cause

The VMware Aria Operations for Logs Agent stores the server's self-signed certificate locally. When it later receives a different, valid self-signed certificate whose public key matches the stored certificate's public key, it accepts the new certificate. This is the case when the certificate is regenerated with the same private key but different details, such as a later expiration date. If the public key differs, the connection is rejected with the error above. (Main SSL Functions)

Resolution

1. Verify that default.pem is the certificate currently served on port 443 by comparing the serial number and fingerprint returned by the following two commands (the subject is printed as well; it is needed in step 3):

openssl x509 -in /usr/lib/loginsight/application/etc/certs/default.pem -noout -serial -subject -fingerprint -sha256

echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -serial -subject -fingerprint -sha256

Both serial numbers and both fingerprints must be identical; if they are not, the server is serving a different certificate file.

Note: The certificate file may have a different name, such as custom.pem, but it must be a self-signed certificate.

2. Extract the private key from the default.pem file (the bundle holds both the key and the certificate; openssl pkey reads only the key):

cd /usr/lib/loginsight/application/etc/certs/

openssl pkey -in default.pem -out /tmp/server.key

Note: The extracted key is unencrypted. Keep it readable only by root (for example by setting umask 077 before running the command) and delete /tmp/server.key as soon as the new .pem has been uploaded.

3. Use the existing private key to generate a new self-signed certificate and assemble a replacement .pem file (key followed by certificate) for the VMware Aria Operations for Logs renewal:

openssl req -new -x509 -key /tmp/server.key -out new_loginsight_cert.crt -days 3650

cat /tmp/server.key new_loginsight_cert.crt > new_loginsight_pem.pem

Note: openssl req prompts for the subject fields; enter the same subject as the current certificate (printed in step 1) so that anything validating the host name continues to match. The agent check itself only requires that the public key is unchanged, which is guaranteed because the same private key is reused. The command above produces a certificate valid for 3650 days (10 years); alter the -days value as required by your organization's security requirements, since a shorter lifetime does not affect the agents' acceptance of the renewed certificate.

4. Upload the new .pem certificate file to the VMware Aria Operations for Logs server. (Upload Signed Certificate) Afterwards, repeat the check from step 1: the certificate served on port 443 must now show the new serial number and fingerprint, and the agent logs must no longer report the rejection.
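The procedure above as one script, added here as an example; it is not part of the KB article or of the product's tooling. It renews the certificate with the existing private key and then verifies that the new bundle carries the same public key as the old certificate, which is the property the agent checks before accepting a replacement self-signed certificate. It deliberately uses openssl x509 -signkey to re-sign the existing certificate instead of openssl req -new -x509, so that the subject and subjectAltName are carried over without interactive prompts; the -set_serial value makes the renewal visible in the step 1 comparison. The file names, the 3650-day validity, and the throw-away certificate produced by make_demo_bundle are assumptions for a stand-alone run.

```shell
#!/bin/sh
# Added example, not from the KB or the product. Renew a self-signed certificate
# while keeping the existing private key, then prove the public key is unchanged.
# A changed public key is exactly what produces the agent error
# "Public key doesn't match previously stored certificate's key".
set -eu

# cert_field PEM FLAG -> one field of the first certificate in PEM, e.g. -subject
cert_field() {
  openssl x509 -in "$1" -noout "$2"
}

# spki_sha256 PEM -> SHA-256 over the DER SubjectPublicKeyInfo of the certificate
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# same_public_key OLD_PEM NEW_PEM -> exit 0 only if both certificates share a key
same_public_key() {
  [ "$(spki_sha256 "$1")" = "$(spki_sha256 "$2")" ]
}

# renew_self_signed OLD_PEM NEW_PEM DAYS
# OLD_PEM is the current key+certificate bundle (default.pem in the KB).
# `openssl x509 -signkey` re-signs the existing certificate with its own key and
# resets the validity period, keeping subject and extensions (SANs) unchanged.
renew_self_signed() {
  old_pem="$1"; new_pem="$2"; days="$3"
  work=$(mktemp -d)
  (
    umask 077                         # the extracted key must never be world-readable
    openssl pkey -in "$old_pem" -out "$work/server.key"
    openssl x509 -in "$old_pem" -signkey "$work/server.key" -days "$days" \
      -set_serial "0x$(openssl rand -hex 16)" -sha256 -out "$work/server.crt"
    cat "$work/server.key" "$work/server.crt" > "$new_pem"   # key first, then cert
  )
  rm -rf "$work"
  # Refuse to hand back a bundle the agents would reject.
  same_public_key "$old_pem" "$new_pem"
}

# make_demo_bundle DIR: constructed sample input for a stand-alone run. Writes
# DIR/default.pem (key+cert, like the server's bundle, valid for one day) and
# DIR/other.pem (a certificate for a different key, the rejected case).
make_demo_bundle() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=loginsight.example.test" \
    -addext "subjectAltName=DNS:loginsight.example.test" \
    -keyout "$d/k.pem" -out "$d/c.pem" 2>/dev/null
  cat "$d/k.pem" "$d/c.pem" > "$d/default.pem"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=loginsight.example.test" -keyout "$d/ok.pem" -out "$d/other.pem" 2>/dev/null
}

# Run with --demo to see the check on the constructed bundle.
if [ "${1:-}" = "--demo" ]; then
  td=$(mktemp -d)
  make_demo_bundle "$td"
  renew_self_signed "$td/default.pem" "$td/new.pem" 3650
  echo "old: $(cert_field "$td/default.pem" -serial) $(cert_field "$td/default.pem" -enddate)"
  echo "new: $(cert_field "$td/new.pem" -serial) $(cert_field "$td/new.pem" -enddate)"
  same_public_key "$td/default.pem" "$td/other.pem" || echo "other.pem: key differs, agent would reject"
  rm -rf "$td"
fi
```

Against a real server the call is renew_self_signed /usr/lib/loginsight/application/etc/certs/default.pem /tmp/new_loginsight_pem.pem 3650, followed by the upload in step 4; the subshell's umask keeps both the extracted key and the new bundle at mode 0600.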

Additional Information

Expired certificate in VMware Aria Operations for Logs 8.12 and Later

VMware Aria Operations for Logs Agents Do Not Send Logs