TCA vCenter certificate update fails due to SHA-1 thumbprint mismatch in UI

Article ID: 435126

Updated On:

Products

VMware Telco Cloud Automation

Issue/Introduction

In Telco Cloud Automation (TCA), attempts to update a vCenter certificate through the UI fail consistently. The UI populates the update input field with the SHA-1 thumbprint of the Root certificate instead of that of the Leaf certificate. Because this field is not user-editable in the UI, validation fails during the certImport process.

Environment

3.3, 3.4

Cause

The TCA UI logic incorrectly selects the SHA-1 thumbprint of the Root certificate (the last certificate in the chain) to populate the thumbprint parameter for the certImport API call, rather than using the Leaf certificate's thumbprint.

 

Resolution

This issue is scheduled to be resolved in TCA 3.4.1.

As a workaround, the certificate update must be triggered manually using curl to ensure the correct Leaf certificate thumbprint is passed to the API.

Step-by-Step Workaround:

  1. Identify Required Data:

    • TCA Manager IP: <tca_manager_ip_address>

    • vCenter Instance UUID: <vcenter_instance_uuid>

    • System UUIDs: The UUIDs of the TCA-CP nodes associated with the vCenter.

    • Cluster IDs: The UUIDs of the impacted clusters.

    • Leaf Thumbprint: Obtain the SHA-1 thumbprint of the vCenter Leaf certificate.

    • Root Certificate: Obtain the Base64 encoded string of the Root certificate.

  2. Execute API Call via Curl: Use the following syntax to manually import the certificate:

    curl 'https://<tca_manager_ip_address>/tca/monitoring/api/v1/endpoints/<vcenter_instance_uuid>/action/certImport' \
    -H 'accept: application/json' \
    -H 'content-type: application/json' \
    --data-raw '{
      "systemUuids": ["<TCA-CP_UUID_1>", "<TCA-CP_UUID_2>"],
      "certificate": "-----BEGIN CERTIFICATE-----\n<ROOT_CERT_CONTENT>\n-----END CERTIFICATE-----",
      "thumbprint": "<LEAF_CERT_SHA1_THUMBPRINT>",
      "clusterIds": ["<CLUSTER_UUID_1>", "<CLUSTER_UUID_2>"]
    }' \
    --insecure

     

    Note: The certificate field in the payload should contain the Root certificate (last in the chain), but the thumbprint field must be the SHA-1 thumbprint of the Leaf certificate.
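The following is an added example, not VMware's code: it derives the two certificate values for the certImport body from a PEM chain, taking the certificate field from the last certificate (Root) and the thumbprint from the first (Leaf). The leaf-first chain order, the colon-separated uppercase thumbprint format, and all function names are assumptions; the sample chain is built from constructed stand-in bytes, not real certificates.

```python
import base64
import hashlib
import json
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def split_chain(chain_pem):
    """Return the DER bytes of each certificate, in the order presented."""
    ders = [base64.b64decode("".join(b.split())) for b in PEM_BLOCK.findall(chain_pem)]
    if not ders:
        raise ValueError("no PEM certificates found")
    return ders


def sha1_thumbprint(der):
    """SHA-1 over the DER bytes, colon-separated uppercase hex (assumed format)."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def to_pem(der):
    """Re-encode DER bytes as a single PEM block without a trailing newline."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


def build_cert_import_body(chain_pem, system_uuids, cluster_ids):
    """certificate = last cert in the chain (Root); thumbprint = first cert (Leaf)."""
    ders = split_chain(chain_pem)
    leaf, root = ders[0], ders[-1]
    return {
        "systemUuids": list(system_uuids),
        "certificate": to_pem(root),
        "thumbprint": sha1_thumbprint(leaf),
        "clusterIds": list(cluster_ids),
    }


# Constructed stand-ins for DER certificates (not real X.509), leaf first, root last.
SAMPLE_LEAF, SAMPLE_MID, SAMPLE_ROOT = b"constructed-leaf", b"constructed-mid", b"constructed-root"
SAMPLE_CHAIN = "\n".join(to_pem(d) for d in (SAMPLE_LEAF, SAMPLE_MID, SAMPLE_ROOT))

if __name__ == "__main__":
    body = build_cert_import_body(SAMPLE_CHAIN, ["<TCA-CP_UUID_1>"], ["<CLUSTER_UUID_1>"])
    print(json.dumps(body, indent=2))  # json.dumps escapes the PEM newlines as \n
```

Comparing the printed thumbprint with the value the UI pre-fills shows which certificate in the chain the UI hashed.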