After upgrading the Cloud Proxy appliance from version 8.18.3 to 9.0.x, Cloud Proxy operations may become impacted due to the failure of the httpd-south.service to start. This issue occurs when the system is unable to generate a new Cloud-Proxy server certificate.
Upon reviewing the /var/log/httpd-south/error_log, the following error message can be observed, indicating an SSL certificate mismatch:
[ssl:emerg] [pid 25461:tid 25461] AH02565: Certificate and private key <CloudProxyIP>:8443:0 from /ucp/ssl/root/ca/certs/ucpapi.cert.pem and /ucp/ssl/root/ca/private/ucpapi.key do not match[ssl:emerg] [pid 25791:tid 25791] AH02565: Certificate and private key <CloudProxyIP>:8443:0 from /ucp/ssl/root/ca/certs/ucpapi.cert.pem and /ucp/ssl/root/ca/private/ucpapi.key do not match
Aria Operations Cloud Proxy 8.18.3
VCF Operations Cloud Proxy 9.0.x
During the upgrade to version 9.0.x, the internal CA certificate and its associated key pair may be inadvertently removed. In the absence of these components, the Cloud Proxy is unable to generate the required server certificate, which leads to the failure of the httpd-south.service to start.
To resolve this issue, manually regenerate the internal CA certificate along with the required server certificate, and then restart the affected service to restore normal operation.
cd /ucp/ssl/root/caopenssl genrsa -out private/ca.key 2048openssl pkcs8 -topk8 -v2 aes256 -passout pass:Ucp~123 -inform pem -in private/ca.key -outform pem -out private/ca.key.pemopenssl req -passin pass:Ucp~123 -subj "/C=IN/ST=KA/L=BLR/O=Broadcom, Inc./OU=Broadcom, Inc./CN=ucpca" -config openssl.cnf -key private/ca.key.pem -new -x509 -days 7300 -sha256 -extensions v3_ca -out certs/ca.cert.pemopenssl genrsa -out /ucp/ssl/root/ca/private/ucpapi.key 2048
openssl rsa -in /ucp/ssl/root/ca/private/ucpapi.key -pubout > /ucp/ssl/root/ca/private/ucpapi.pub
openssl pkcs8 -topk8 -v2 aes256 -passout pass:Ucp~123 -inform pem -in /ucp/ssl/root/ca/private/ucpapi.key -outform pem -out /ucp/ssl/root/ca/private/ucpapi.key.pemopenssl req -passin pass:Ucp~123 -subj "/C=IN/ST=KA/L=BLR/O=Broadcom, Inc./OU=Broadcom, Inc./CN=UCP_FQDN_4AGENT/[email protected]" -config /ucp/ssl/root/ca/openssl.cnf -addext "subjectAltName = DNS:UCP_FQDN_4AGENT" -key /ucp/ssl/root/ca/private/ucpapi.key.pem -newkey rsa:2048 -nodes -sha256 -out /ucp/ssl/root/ca/csr/ucpapi.csr.pem -days 7300openssl req -passin pass:Ucp~123 -subj "/C=IN/ST=KA/L=BLR/O=Broadcom, Inc./OU=Broadcom, Inc./CN=ucpapi" -config /ucp/ssl/root/ca/openssl.cnf -addext "subjectAltName = IP:UCP_FQDN_4AGENT" -key /ucp/ssl/root/ca/private/ucpapi.key.pem -newkey rsa:2048 -nodes -sha256 -out /ucp/ssl/root/ca/csr/ucpapi.csr.pem -days 7300openssl ca -batch -passin pass:Ucp~123 -config /ucp/ssl/root/ca/openssl.cnf -extensions server_cert -days 7300 -notext -md sha256 -in /ucp/ssl/root/ca/csr/ucpapi.csr.pem -out /ucp/ssl/root/ca/certs/ucpapi.cert.pemsystemctl restart httpd-south.serviceIf there are issues with VMs that are unable to Send Metrics to Cloud Proxy via Telegraf in Brownfield Deployments, please refer to this KB