Remediating a wrong VCF Services runtime platform ingress certificate.

Article ID: 439651

Products

VCF Automation

Issue/Introduction

This KB article details the procedure for using a script to remediate an incorrect platform ingress certificate.

Environment

VCF services runtime
VCF Automation 9.1

Cause

This issue typically occurs when an invalid or incorrect certificate is applied. Common reasons include:

1. Incorrect Hostname or Subject Alternative Name (SAN)
2. Expired certificate
3. Self-signed or untrusted certificate

Resolution

This KB should be used when the VMSP platform ingress is serving an incorrect certificate, which can manifest as:

  1. External integrations failing to connect to the VMSP platform with TLS/certificate trust errors (e.g., "SSL certificate problem: unable to get local issuer certificate" or "PKIX path building failed").
  2. Browser certificate warnings when accessing the platform FQDN -- the certificate is issued by an unexpected CA or doesn't match the expected domain.
  3. openssl s_client -connect <platform-fqdn>:443 returns a certificate that does not match what was originally configured (wrong CN/SAN, wrong issuer, or self-signed when a CA-signed certificate was expected).

This document is intended to remediate the following cases:

  • Wrong hostname/SAN
  • Expired certificate
  • Self-signed/untrusted
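Before running the remediation script, it helps to confirm which of the three cases above the served certificate actually falls into. The following is an added example, not part of this KB or the attached script. It parses the text that `openssl x509 -noout -subject -issuer -enddate -ext subjectAltName` prints for the certificate returned by `openssl s_client` (OpenSSL 1.1.1 or later layout) and flags wrong hostname/SAN, expiry, and self-signed issuance. The hostname `vcfa.example.test`, the embedded sample output, and the `fetch_cert_text` helper are constructed assumptions; "untrusted" in the full sense needs a trust-store check that this example does not perform, it only reports a self-signed subject/issuer pair.

```python
"""Classify a served TLS certificate against the three mismatch cases in the KB.

Added example (not the KB's script). Parses the textual output of:
  openssl s_client -connect <fqdn>:443 -servername <fqdn> </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -enddate -ext subjectAltName
"""
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of that openssl output: self-signed, already expired,
# covering vcfa.example.test and the *.lab.example.test wildcard.
SAMPLE_OPENSSL_TEXT = """\
subject=CN = vcfa.example.test
issuer=CN = vcfa.example.test
notAfter=Jan  1 00:00:00 2025 GMT
X509v3 Subject Alternative Name: 
    DNS:vcfa.example.test, DNS:*.lab.example.test
"""


def parse_openssl_text(text):
    """Extract subject, issuer, notAfter (UTC datetime) and DNS SANs from openssl's text output."""
    info = {"subject": "", "issuer": "", "not_after": None, "sans": []}
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("subject="):
            info["subject"] = s[len("subject="):].strip()
        elif s.startswith("issuer="):
            info["issuer"] = s[len("issuer="):].strip()
        elif s.startswith("notAfter="):
            raw = s[len("notAfter="):].replace(" GMT", "").strip()
            info["not_after"] = datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
        elif s.startswith("DNS:"):
            # SAN line, e.g. "DNS:a.example, DNS:*.b.example"; keep only DNS entries
            info["sans"] = [p.split(":", 1)[1].strip() for p in s.split(",") if p.strip().startswith("DNS:")]
    return info


def subject_cn(subject):
    """Pull the CN out of a subject string such as 'C = US, CN = host' (legacy fallback only)."""
    m = re.search(r"\bCN\s*=\s*([^,/]+)", subject)
    return m.group(1).strip() if m else ""


def hostname_matches(fqdn, pattern):
    """RFC 6125 style match: a wildcard covers exactly one leftmost label."""
    fqdn, pattern = fqdn.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == pattern[2:]
    return fqdn == pattern


def classify(info, expected_fqdn, now):
    """Return the list of KB cases that apply: wrong-hostname, expired, self-signed."""
    findings = []
    # When DNS SANs are present they are authoritative; the CN is only a legacy fallback.
    names = info["sans"] or [subject_cn(info["subject"])]
    if not any(hostname_matches(expected_fqdn, n) for n in names):
        findings.append("wrong-hostname")
    if info["not_after"] is not None and info["not_after"] <= now:
        findings.append("expired")
    if info["subject"] == info["issuer"]:
        findings.append("self-signed")
    return findings


def check_served_cert_text(text, expected_fqdn, now_iso=None):
    """Parse openssl text and classify it; now_iso defaults to the current UTC time."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    return classify(parse_openssl_text(text), expected_fqdn, now)


def fetch_cert_text(fqdn, port=443):
    """Run the two openssl commands from the docstring against a live endpoint (assumed helper)."""
    client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{fqdn}:{port}", "-servername", fqdn],
        input=b"", capture_output=True, check=False)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-issuer", "-enddate", "-ext", "subjectAltName"],
        input=client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; swap in fetch_cert_text(fqdn) for a live check.
    print(check_served_cert_text(SAMPLE_OPENSSL_TEXT, "vcfa.example.test", "2025-06-01T00:00:00+00:00"))
```

An empty list means the served certificate matches the expected FQDN, is unexpired, and is not self-signed; any non-empty result names the KB case to remediate. A certificate that is CA-signed but by a CA the client does not trust will still come back empty here, so confirm the issuer against the expected CA by eye when the symptom is a trust error rather than a name or date mismatch.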

Run the attached cert-remediation.sh to renew the certificate:

1. SSH to the VCFA node.

2. Copy the attached script into the /tmp folder.

3. Make the script executable:

   chmod +x cert-remediation.sh

4. Run the script:

   ./cert-remediation.sh

Attachments

cert-remediation.sh