Microsoft CA configuration fails with "Certificate authorities update failed" - VCF Operations
Article ID: 439417

Products

VCF Operations

Issue/Introduction

When you attempt to add a Microsoft CA server to VCF Operations for certificate automation, you encounter the following symptoms:

  • You receive the "Certificate authorities update failed" error message in the user interface.

  • The /var/log/vrlcm/vmware_vrlcm.log on the Fleet Manager appliance records an I/O error and java.net.SocketException: Connection reset when attempting to reach the CA server URL.
    YYYY-MM-DDTHH:MM:HH.SSZ INFO vrlcm[14095] [http-nio-8080-exec-7] [o.a.h.i.e.RetryExec] -- I/O exception (java.net.SocketException) caught when processing request to {s}->https://<CA-Server>:443: Connection reset
    YYYY-MM-DDTHH:MM:HH.SSZ vrlcm[14095] [http-nio-8080-exec-7] [o.a.h.i.e.RetryExec] -- Retrying request to {s}->https://<CA-Server>:443
    YYYY-MM-DDTHH:MM:HH.SSZ ERROR vrlcm[14095] [http-nio-8080-exec-7] [c.v.v.1.1.c.MSCARestClient] -- Exception occurred while trying to validate Microsoft CA org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://<CA-Server>/certsrv": Connection reset; nested exception is java.net.SocketException: Connection reset

  • Manual verification using openssl s_client -connect <CA-Server>:443 -showcerts from the Fleet Manager appliance shows that the leaf certificate presented by the CA server is expired.

Environment

  • VMware Cloud Foundation (VCF) 9.x
  • VCF Operations 9.x

Cause

This issue occurs because the TLS certificate bound to the IIS web service on the Microsoft CA server (the service that hosts the /certsrv endpoint) has expired. Because the certificate is expired, the TLS handshake between the VCF Operations Fleet Manager appliance and the CA server cannot complete, and the connection is reset.

Resolution

To resolve this issue, you must ensure the certsrv endpoint is accessible without SSL/TLS expiration warnings:

  1. Renew or replace the expired TLS certificate bound to the IIS web service on your Microsoft CA server.
  2. Verify the new certificate is valid and correctly bound to port 443.
  3. Once the certificate is valid, retry the Microsoft CA configuration within VCF Operations.

Replacing the expired certificate allows the SSL/TLS handshake between the VCF Operations Fleet Manager appliance and the Microsoft CA IIS server to complete successfully.
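The following is an added example, not part of this article, for the verification in step 2: a small POSIX shell helper run from the Fleet Manager appliance that pulls the leaf certificate the CA's IIS endpoint presents and checks whether it is expired or about to expire. It assumes the openssl CLI is available on the appliance; the host name ca01.example.com is a placeholder.

```shell
#!/bin/sh
# Added example (not from the KB article): verify the TLS certificate that the
# Microsoft CA's IIS service presents on port 443 before retrying the CA
# configuration in VCF Operations. Requires the openssl CLI on the appliance.

# Fetch the certificate chain from <host>:<port> and keep only the first
# certificate, which is the leaf bound to the IIS site. s_client does not
# abort on an expired leaf, so the certificate is still printed.
fetch_leaf_cert() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "${host}:${port}" -servername "$host" -showcerts \
        </dev/null 2>/dev/null |
        awk '/-----BEGIN CERTIFICATE-----/ { c++ }
             c == 1 { print }
             /-----END CERTIFICATE-----/ && c == 1 { exit }'
}

# Print subject, issuer and validity dates of a PEM certificate file, then
# return 0 if it stays valid for at least $2 more seconds (default 0, i.e.
# "valid right now") and 1 if it has expired or expires within that window.
check_cert_expiry() {
    pem="$1"; window="${2:-0}"
    openssl x509 -in "$pem" -noout -subject -issuer -dates
    openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null
}

# Usage against a live CA server (ca01.example.com is a placeholder):
#   fetch_leaf_cert ca01.example.com > /tmp/ca-leaf.pem
#   check_cert_expiry /tmp/ca-leaf.pem 0 || echo "leaf certificate is expired"
```

A non-zero exit from check_cert_expiry with a window of 0 reproduces the "expired leaf" finding from the Issue section; passing a window such as 2592000 (30 days) warns before the next expiry causes the same failure.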