Aria Automation Orchestrator Fails from Stale CA Keystore entry


Article ID: 440755


Products

VCF Automation

Issue/Introduction

Following a recent vCenter Server SSL certificate replacement, the vCenter Server loses communication with remote Aria Automation Orchestrator nodes via the vSphere Client plugin (VCOIN). When logging into a vCenter Server in a Linked Mode environment, the Orchestrator home view displays the following message:

"Problem in communication with one or more Automation Orchestrator servers"

Additionally, context-menu tasks associated with the plugin become unavailable. Inspecting the backend Orchestrator logs reveals a definitive SSL rejection error indicating a WebSSO SAML2 certificate trust exception:

main error "https://<vCenter_FQDN>/websso/SAML2/Metadata/<Domain>": Certificate is not in CA store or is invalid.; nested exception is javax.net.ssl.SSLHandshakeException: Certificate is not in CA store or is invalid.

Environment

VCF Automation 9.x

Cause

The underlying cause is an incomplete SSL trust chain for WebSSO within the Aria Automation Orchestrator nodes.

Because the vCenter Servers are configured in Enhanced Linked Mode, logging into one vCenter attempts to populate the plugin with data from all registered Orchestrators. For an Orchestrator node to securely process the SAML2 SSO token from a vCenter it isn't directly registered to, it must explicitly trust that vCenter's SSL certificate. When the vCenter certificates were replaced, the newly minted certificates were not automatically imported into the trust stores of the other Orchestrator nodes. Consequently, the strict Java Virtual Machine (JVM) environment instantly terminates the connection upon seeing an unverified certificate, breaking the API trust and cross-vCenter communication.

Resolution

To resolve this issue, remove the stale certificate entries and manually import the new vCenter SSL certificates into each affected Orchestrator node's internal trust store.

  1. Remove the Old Certificate:

    • Log into the Aria Automation Orchestrator client for the specific node(s) experiencing the communication drops.

    • Navigate to the Inventory view.

    • Expand the CA Keystore Inventory Plugin.

    • Locate and safely remove the old/expired SSL certificate entries associated with your vCenter Servers.

  2. Import the New Certificate:

    • Navigate to the Library > Workflows section within the Orchestrator client.

    • Search for and run the built-in Import a certificate from URL workflow.

    • When prompted, point the workflow directly to the newly updated vCenter URL (e.g., https://<vCenter_FQDN>).

    • Submit the workflow and accept the new certificate. This allows Orchestrator to securely append it to its CA store.

  3. Validation:

    • Repeat these steps for any other Orchestrator nodes participating in the Linked Mode environment.

    • Once the SSL handshake succeeds, refresh the vSphere Client. WebSSO authentication then completes normally, restoring the plugin's ability to display data and execute context-menu tasks.
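A cross-check for the validation step that can be run from any host with Python 3.9+, added here as example code and not part of the article or of Orchestrator itself. It assumes the node's CA Keystore entries have been exported to a single PEM bundle and that every Linked Mode vCenter is reachable on port 443; the hostnames and the blobs used when running it are constructed placeholders, not real certificates, since the fingerprint and bundle logic works on the raw DER bytes alone.

```python
import base64
import hashlib
import re
import socket
import ssl

# One match per certificate in a PEM bundle (e.g. the exported CA Keystore entries).
_PEM_BODY = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text: str) -> list[bytes]:
    """DER bytes of every certificate in a PEM text, in order."""
    return [base64.b64decode("".join(b.split())) for b in _PEM_BODY.findall(pem_text)]

def wrap_pem(der: bytes) -> str:
    """Inverse of pem_to_der for one blob; used to build constructed sample bundles."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint, colon-separated as keytool and the vSphere UI show it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())

def fetch_live_leaf(fqdn: str, port: int = 443) -> bytes:
    """DER of the certificate a vCenter presents now, i.e. after the replacement."""
    return pem_to_der(ssl.get_server_certificate((fqdn, port)))[0]

def compare_trust(keystore_pem: str, live_leaves: dict[str, bytes]) -> dict:
    """vCenters whose current cert is missing from the keystore (the cause of the
    SSLHandshakeException above) and keystore entries no live vCenter presents any
    more (removal candidates for step 1). Genuine root/intermediate CAs also appear
    as unmatched and must be kept, so review that list by hand."""
    trusted = {fingerprint(d) for d in pem_to_der(keystore_pem)}
    live = {fqdn: fingerprint(d) for fqdn, d in live_leaves.items()}
    return {
        "untrusted_vcenters": sorted(f for f, fp in live.items() if fp not in trusted),
        "unmatched_entries": sorted(trusted - set(live.values())),
    }

def handshake_ok(fqdn: str, keystore_pem: str, port: int = 443) -> bool:
    """Handshake trusting only the exported keystore, as Orchestrator's JVM does;
    False corresponds to 'Certificate is not in CA store or is invalid'."""
    ctx = ssl.create_default_context(cadata=keystore_pem)
    try:
        with socket.create_connection((fqdn, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=fqdn):
                return True
    except ssl.SSLCertVerificationError:
        return False
```

Run `compare_trust(bundle, {fqdn: fetch_live_leaf(fqdn) for fqdn in vcenters})` once per Orchestrator node: an empty `untrusted_vcenters` list for every node means the Linked Mode trust chain is complete before the vSphere Client is refreshed.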

Additional Information

Search in Inventory View: