Recently I came across a strange issue where the Aria suite is deployed in VCF-aware mode and the clustered Workspace ONE Access (WS1) admin account under Password Management in SDDC Manager shows as disconnected.
The root cause is that SDDC Manager cannot communicate with WS1 because of a certificate problem. The admin account password had not been changed, yet when trying to synchronize the password from SDDC Manager I was getting the certificate error below:
2023-07-28T10:10:40.092+0100 DEBUG [vcf_om,0000000000000000,0000] [c.v.v.s.t.DynamicTrustManager,reactor-http-epoll-2] Checking validity of certificate chain C=IN, O=VMware, OU=Horizon-Workspace, CN=.corp.local,C=IN, O=VMware, CN=vRealize Suite Lifecycle Manager Locker CA
2023-07-28T10:10:40.093+0100 DEBUG [vcf_om,0000000000000000,0000] [c.v.v.s.t.DynamicTrustManager,reactor-http-epoll-2] Error checking certificate chain C=IN, O=VMware, OU=Horizon-Workspace, CN=.corp.local,C=IN, O=VMware, CN=vRealize Suite Lifecycle Manager Locker CA for validity.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
2023-07-28T10:10:40.094+0100 DEBUG [vcf_om,0000000000000000,0000] [c.v.v.s.t.DynamicTrustManager,reactor-http-epoll-2] Trying to reload trusted certificates and recheck chain C=IN, O=VMware, OU=Horizon-Workspace, CN=.corp.local,C=IN, O=VMware, CN=vRealize Suite Lifecycle Manager Locker CA
2023-07-28T10:10:40.096+0100 DEBUG [vcf_om,0000000000000000,0000] [c.v.v.s.t.DynamicTrustManager,reactor-http-epoll-2] Custom Trust Strategy initialized.
2023-07-28T10:10:40.098+0100 WARN [vcf_om,0000000000000000,0000] [r.n.http.client.HttpClientConnect,reactor-http-epoll-2] [bd1f6f31, L:/192.168.10.10:33052 - R:vidm.corop.local/192.168.10.10:443] The connection observed an error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
From the logs, two things stand out. The failure is a PKIX path-building error, meaning SDDC Manager's trust manager could not build a trusted chain for the certificate the endpoint presented. And the subject of that presented certificate is CN=.corp.local, which is not the VIP FQDN; for the TLS connection to succeed, the chain has to be trusted and the certificate's SAN (or CN) has to match the resource FQDN.
I verified the certificate installed for WS1 from vRSLCM: it has the correct CN = vidm.corp.local (the VIP FQDN) and includes the SAN names of the WS1 nodes. But when I inspect the certificate from the browser, the "Issued to" common name shows .corp.local instead of vidm.corp.local, and it was not clear where this .corp.local common name was registered in vRSLCM.
As a troubleshooting step I updated the WS1 certificate with the correct CN vidm.corp.local, but the issue persisted. The certificate in the LCM locker is correct, yet the certificate shown in the browser still has a CN that does not match the one in the vRSLCM locker, even though the CN/SAN in vRSLCM for WS1 is vidm.corp.local.
I also validated that there are no other certificates for WS1 in the locker.
This is a clustered WS1 deployment behind a load balancer on NSX-T. The LB was deployed and configured by SDDC Manager as part of the initial deployment, since this is VCF-backed. So I checked the certificates on the LB and found the incorrect certificate under its SSL configuration: the LB was still serving the stale certificate rather than the one installed from vRSLCM.
I had to upload the new certificate to NSX-T using the procedure below:
Login to NSX UI using the admin credentials.
Click on System.
Click on Certificates under Settings.
Click on Import and select Certificate.
Specify the name of the certificate that you are uploading.
Upload the certificate chain, or copy and paste the cert chain.
Note: the cert chain must be in the following order:
Server/Primary Certificate
Intermediate Certificate
Root Certificate
Next, upload the certificate key, or copy and paste the key.
Click Save.
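Before moving on to the LB update, here is a small added shell example (not code from the original post or from any VMware tooling) that reproduces the diagnosis above offline: it compares the certificate an endpoint presents with the one held in the locker, verifies trust and hostname the way SDDC Manager's PKIX validator does, and checks that a PEM bundle is in the server/intermediate/root order the NSX-T import note requires. It assumes only that openssl is on the PATH. The throwaway Locker CA, the node names vidm-node1/vidm-node2.corp.local, and the second, untrusted CA used to sign the stale CN=.corp.local certificate are constructed here to reproduce the "PKIX path building failed" error; the post does not establish which CA issued the stale certificate.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: reproduce the certificate
# diagnosis offline. Assumes only that openssl is available on the PATH.
# All certificates, CAs and node names below are constructed test material.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# gen_ca <name> <CN>: throwaway self-signed CA -> $WORK/<name>.pem / .key
gen_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -sha256 \
    -subj "/C=IN/O=VMware/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# gen_leaf <name> <ca-name> <CN> <SAN>: server cert signed by that CA -> $WORK/<name>.pem
gen_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=IN/O=VMware/OU=Horizon-Workspace/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$4" > "$WORK/$1.ext"
  openssl x509 -req -days 1 -sha256 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# SHA-256 fingerprint: the quickest "is this the same certificate?" test.
fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# presented_matches_expected <presented.pem> <expected.pem>
# On a live system <presented.pem> is what the VIP serves, i.e. the output of
#   openssl s_client -connect vidm.corp.local:443 -servername vidm.corp.local </dev/null | openssl x509
# and <expected.pem> is the certificate downloaded from the vRSLCM locker.
presented_matches_expected() {
  [ "$(fp "$1")" = "$(fp "$2")" ] && return 0
  echo "MISMATCH: presented $(openssl x509 -in "$1" -noout -subject)" >&2
  echo "          expected  $(openssl x509 -in "$2" -noout -subject)" >&2
  return 1
}

# chain_ok_for_host <leaf.pem> <trusted-ca.pem> <fqdn>
# Builds the path to the trust anchor and matches the FQDN against the SAN,
# which is what the PKIX validator in the log is doing before it fails.
chain_ok_for_host() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# nth_cert <bundle.pem> <n>: print the n-th PEM certificate of a bundle
nth_cert() {
  awk -v n="$2" '/BEGIN CERTIFICATE/{c++} c==n{print} /END CERTIFICATE/{if (c==n) exit}' "$1"
}

# bundle_order_ok <bundle.pem>
# NSX-T wants server -> intermediate -> root. That holds exactly when each
# certificate's issuer equals the subject of the certificate that follows it.
bundle_order_ok() {
  local n i issuer subject
  n=$(grep -c 'BEGIN CERTIFICATE' "$1")
  for ((i = 1; i < n; i++)); do
    issuer=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
    subject=$(nth_cert "$1" "$((i + 1))" | openssl x509 -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ] || return 1
  done
  return 0
}

main() {
  # Constructed scenario: the locker CA and the correct VIP certificate, plus a
  # stale CN=.corp.local certificate signed by a CA SDDC Manager does not trust
  # (an assumption made here purely to reproduce the "PKIX path building failed" error).
  gen_ca locker "vRealize Suite Lifecycle Manager Locker CA"
  gen_ca oldlocker "Old Locker CA (assumed, untrusted)"
  gen_leaf good locker "vidm.corp.local" \
    "DNS:vidm.corp.local,DNS:vidm-node1.corp.local,DNS:vidm-node2.corp.local"
  gen_leaf stale oldlocker ".corp.local" "DNS:corp.local"
  cat "$WORK/good.pem" "$WORK/locker.pem" > "$WORK/bundle-ok.pem"   # server, then root
  cat "$WORK/locker.pem" "$WORK/good.pem" > "$WORK/bundle-bad.pem"  # root first: wrong

  presented_matches_expected "$WORK/stale.pem" "$WORK/good.pem" \
    || echo "LB is serving a different certificate than the one in the locker"
  chain_ok_for_host "$WORK/stale.pem" "$WORK/locker.pem" vidm.corp.local \
    || echo "stale certificate: trust/hostname check FAILED (the PKIX error)"
  chain_ok_for_host "$WORK/good.pem" "$WORK/locker.pem" vidm.corp.local \
    && echo "locker certificate: trust/hostname check OK"
  bundle_order_ok "$WORK/bundle-ok.pem" && echo "bundle-ok.pem: server -> root order correct"
  bundle_order_ok "$WORK/bundle-bad.pem" || echo "bundle-bad.pem: root before server, wrong order"
}
main
```

Against a live system, feed presented_matches_expected the output of openssl s_client against the VIP and the certificate downloaded from the vRSLCM locker; a fingerprint mismatch there is the fastest confirmation that the LB, not the locker, is the component serving the wrong certificate, and the same comparison confirms the LB is serving the new certificate once the update below is done.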
Once the certificate is uploaded to NSX-T, you need to change the certificate on the LB to use the new one. It has to be updated in two places, the virtual server's SSL configuration and the HTTPS monitor, using the steps below:
Login to NSX UI using the admin credentials.
Click on Networking.
Click on Load balancing.
Click on Virtual Servers.
Edit the wsa-https virtual server.
Click on Configure under SSL Configuration
From the Default certificate dropdown under Client SSL and Server SSL, select the newly uploaded certificate and click Save.
Next, click on Monitors and edit the wsa-http-monitor.
Click on Configure under SSL Configuration.
From the Client certificate dropdown, select the newly uploaded certificate and click Save.
After updating the correct certificate on the NSX-T LB, I triggered a sync, which succeeded with no certificate error, and I was also able to update/rotate the WS1 admin password from SDDC Manager under Password Management.