vRO 7.x service failing to start after replacing vRA certificate
Article ID: 345533
Updated On:
Products
VMware
Issue/Introduction
Symptoms:
Note:The above log extract is only an example date and timestamp may vary, the key point here is that the SSO component registry url is referenced and that the message complains about an untrusted certificate.
- vRealize Orchestrator 7.x service fails to start after replacing the vRealize Automation certificate.
- This issue will only affect vRealize Orchestrator instances that leverage vRealize Automation as an authentication provider.
- The control center validation shows a number of flags regarding a pending service restart to apply a configuration change.
- In the vRO server.log located at /var/log/vmware/vco/app-server, you see the entries similar to:
2018-02-21 15:14:48.536+0100 [Thread-4] WARN {} [RetriableOperation] Exception handled during retry operation with message: I/O error on GET request for "https://vRA_FQDN/component-registry/endpoints/types/sso": java.security.cert.CertificateException: Untrusted certificate chain.; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain
Note:The above log extract is only an example date and timestamp may vary, the key point here is that the SSO component registry url is referenced and that the message complains about an untrusted certificate.
Cause
This issue occurs because the vRealize Orchestrator certificate store has the old vRealize Automation certificate stored for the Authentication alias vco.cafe.component-registry.ssl.certificate.
Resolution
This issue is resolved in VMware vRealize Automation 7.3.0, available at VMware Downloads.
Workaround:
To work around this issue, verify the certificate and replace with new certificate if required.
Note: Take a snapshot of the vRealize Orchestrator appliance before manually making changes to the trust store.
Workaround:
To work around this issue, verify the certificate and replace with new certificate if required.
Note: Take a snapshot of the vRealize Orchestrator appliance before manually making changes to the trust store.
- Verify the trusted certificates from the vRO trust store.
- To list the trusted certificates, navigate to below locations:
cd /var/lib/vco/tools/configuration-cli/bin
- Run the below command:
./vro-configure.sh list-trust
- To list the trusted certificates, navigate to below locations:
- Check for the certificate with the following alias vco.cafe.component-registry.ssl.certificate
Note: This is the certificate of the vRealize Automation that the vRealize Orchestrator has configured as its authentication provider.
- This certificate should match the newly configured vRealize Automation certificate.
- If it is different, change the certificate by running this command:
./vro-configure.sh trust --registry-certificate <path-to-the-certificate-file-in-PEM-format> - Restart the vco-server service.
service vco-server restart
Feedback
Yes
No
Powered by
