This is a known issue affecting all versions of vRealize Log Insight.
To resolve this problem, either perform the workaround detailed in this article or upgrade to VMware Aria Operations for Logs 8.12 before the April 30th deadline.
Important: Run the following command on the vRealize Log Insight Primary node to confirm whether the current certificate includes Client Auth (clientAuth) as one of its extended key usages:
echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -purpose | grep 'SSL client :'
If the above command returns SSL client : Yes, you can upgrade to VMware Aria Operations for Logs 8.12. Read the Important Upgrade Notes on Certificates in the release notes before upgrading.
If the above command returns SSL client : No, DO NOT attempt the VMware Aria Operations for Logs 8.12 upgrade. Instead, create and apply a new custom certificate that allows Client Auth, or revert to the default certificate by following the Revert to the default certificate instructions. A custom certificate can be applied after upgrading to VMware Aria Operations for Logs 8.12; however, that custom certificate must also allow ClientAuth.
Revert to the default certificate:
- Log into the vRealize Log Insight UI as the local admin user.
- Navigate to Configuration > SSL.
- Click RESET TO DEFAULTS....
- Click Reset.
If you are unable to upgrade to VMware Aria Operations for Logs 8.12, you must update/replace the existing certificates using the steps documented in this article.
To see which steps are required, identify which of the Scenarios below applies to you.
- Scenario 1: Environment is using the default self-signed certificate that expires on April 30th 2023. The default certificate must be replaced by either a new custom certificate or a new self-signed certificate. Once this is completed, the internal certificate must then be updated. This KB documents all of these steps.
- Scenario 2: Environment is using an updated self-signed certificate with an expiry date after April 30th 2023. The internal certificate needs to be replaced using the steps in this KB (Workaround Option 1 or Workaround Option 2, using the attached update_default_cert_v3.tar file).
- Scenario 3: Environment is already using a custom certificate with an expiry date after April 30th 2023. The internal certificate needs to be replaced using the steps in this KB (Workaround Option 1 or Workaround Option 2, using the attached update_default_cert_v3.tar file).
- Scenario 4: Environment is using a VMware vRealize Lifecycle Manager generated certificate with an expiry date after April 30th 2023. The internal certificate needs to be replaced using the steps in this KB (Workaround Option 1 or Workaround Option 2, using the attached update_default_cert_v3.tar file).
Workaround:
- Prior to proceeding, perform a Guest Shutdown of all vRealize Log Insight nodes in the cluster and take snapshots.
- The update_default_cert.sh script attached to this article has been tested and validated on all supported versions of vRealize Log Insight. If the environment is running a version that is past its End of General Support (EOGS) date, upgrade to a supported version before executing the script. Refer to the Lifecycle Matrix for a list of supported versions.
- The workaround assumes that the SSL certificate has already been updated from the default self-signed certificate to a custom certificate, or to a new self-signed certificate, with an expiration date later than April 30 2023. This can be checked via a browser pointed at the vRealize Log Insight instance, as noted in the Symptoms section.
If that is not the case, see Install a Custom SSL Certificate to create and install a new custom certificate, or use the following steps to generate a self-signed certificate before executing the workaround steps.
- Log into the Primary node as root via SSH or Console.
- Run the following command to generate a self-signed certificate:
openssl req -newkey rsa:2048 -keyout domain.key -x509 -days 3650 -out domain.crt -nodes
Note: This command will generate a self-signed certificate that is valid for 3650 days (10 years). You may alter the -days value as needed per your organization's security requirements.
Note: When prompted by openssl, provide the required values for your company. If you want to use the default certificate options, enter the following values:
Prompt | Value
--- | ---
Country | US
State Or Province | California
Locality | Palo Alto
Organization | VMware, Inc.
Organization Unit | vCenter Log Insight
Common Name | VMware vCenter Log Insight
- Run the following command to concatenate the key and certificate into a single PEM file:
cat domain.key domain.crt > /tmp/cert.pem
- Using an SCP utility like WinSCP, connect to the primary node as root, and download the /tmp/cert.pem file to your desktop.
- Log into the vRealize Log Insight UI as the local admin, expand the main menu and navigate to Configuration > SSL.
- Click Choose File, browse to the cert.pem file downloaded from step 4 and click Open.
- Click Save. This will automatically distribute the new certificate across all nodes in the vRealize Log Insight cluster. Wait for the SSL certificate to be updated.
- Refresh the vRealize Log Insight UI and validate whether the new certificate was applied via the browser.
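The following script is an added example and is not part of this KB or of the attached update_default_cert.sh. It ties together two steps of the article: generating the replacement self-signed certificate non-interactively (using the default subject values from the table above, via -subj instead of the interactive prompts) and concatenating it into the key-plus-certificate cert.pem that the Configuration > SSL upload expects, then running the same openssl -purpose check described earlier on the result. It also reproduces the failure mode the article warns about: a certificate whose extendedKeyUsage is restricted to serverAuth reports SSL client : No and would be rejected by the workaround script and the 8.12 upgrade. The helper names, working directory and the two constructed certificates are illustrative assumptions; -addext requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example (not from the KB or the attached update_default_cert.sh).
# Generates a self-signed certificate non-interactively, builds the
# key+cert PEM the UI upload expects, and pre-checks it for the
# "SSL client" purpose and for expiry. Helper names and file names are
# illustrative. Requires OpenSSL 1.1.1+ (for -addext).

# client_auth_ok CERT.PEM -> "yes" if the purpose check used in the KB passes
client_auth_ok() {
    if openssl x509 -in "$1" -noout -purpose | grep -q '^SSL client : Yes'; then
        echo yes
    else
        echo no
    fi
}

# not_expiring CERT.PEM SECONDS -> "ok" if the cert is still valid SECONDS from now
not_expiring() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo expiring
    fi
}

# preflight CERT.PEM -> "upgrade-ok" or "replace-cert", the KB's two outcomes
preflight() {
    if [ "$(client_auth_ok "$1")" = yes ] && [ "$(not_expiring "$1" 86400)" = ok ]; then
        echo upgrade-ok
    else
        echo replace-cert
    fi
}

# make_cert DIR NAME EKU -> DIR/NAME.key, DIR/NAME.crt and DIR/NAME.pem
# (key followed by certificate, as the Configuration > SSL upload expects).
# Uses the KB's default subject values instead of the interactive prompts.
make_cert() {
    openssl req -newkey rsa:2048 -nodes -x509 -days 3650 \
        -subj "/C=US/ST=California/L=Palo Alto/O=VMware, Inc./OU=vCenter Log Insight/CN=VMware vCenter Log Insight" \
        -addext "extendedKeyUsage=$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
    cat "$1/$2.key" "$1/$2.crt" > "$1/$2.pem"
}

WORK=$(mktemp -d)
# Constructed fixtures: "good" carries clientAuth, "bad" is serverAuth-only.
make_cert "$WORK" good "serverAuth,clientAuth"
make_cert "$WORK" bad  "serverAuth"

echo "good.pem: $(preflight "$WORK/good.pem")"   # upgrade-ok
echo "bad.pem:  $(preflight "$WORK/bad.pem")"    # replace-cert
```

To check a live node instead of a local file, feed the served certificate into the same helpers, e.g. `echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 > /tmp/live.pem` and then `preflight /tmp/live.pem`. A certificate with no extendedKeyUsage extension at all (such as the one produced by the plain openssl req command above) also reports SSL client : Yes; only an EKU that omits clientAuth fails the check.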
- Once you have either a self-signed certificate in place by following the above steps, or a CA-signed certificate implemented, with an expiration date later than April 30 2023, copy the update_default_cert_v3.tar file attached to this article (under the Attachments section) to your vRealize Log Insight node(s).
- Download the update_default_cert_v3.tar file and copy it to the /root directory using an SCP utility like WinSCP.
- Log into the vRealize Log Insight node as root via SSH or Console.
- Run the following command to extract the tar file:
tar xvf /root/update_default_cert_v3.tar
- Run the following command to update the permissions of the script:
chmod 744 /root/update_default_cert.sh
- Repeat steps 1-4 for all nodes in the vRealize Log Insight cluster.
Follow one of the two options below to implement the workaround.
Workaround Option 1
This option requires a simultaneous restart of all of the nodes. It is faster, but does not guarantee ingestion and UI high availability through the VIP(s) during the procedure.
For each vRealize Log Insight node, complete the following:
- Log into the vRealize Log Insight node as root via SSH or Console.
- Run the following command to navigate to the root directory:
cd /root
- Run the following command on all nodes to execute the script with the --all option:
./update_default_cert.sh --all
- Once completed on all of the nodes, stop the loginsight service on all of the nodes by running the following command:
systemctl stop loginsight
Important: After running this, wait until all nodes in the cluster have returned to the command prompt prior to proceeding.
- Start the loginsight service on all of the nodes by running the following command:
systemctl start loginsight
Note: If you receive the following output from running the script, you must generate and apply a certificate including the ClientAuth extended key usage as previously described in this article, and then re-attempt the workaround.
Current certificate does not have SSL client purpose
Please upload a new one from UI and retry
Workaround Option 2
This option requires more steps, but guarantees ingestion and UI high availability through the VIP(s) during the procedure.
Stage 1
For each vRealize Log Insight node, complete the following:
- Log into the vRealize Log Insight node as root via SSH or Console.
- Run the following command to navigate to the root directory:
cd /root
- Run the following command to execute the script with the --stage1 option:
./update_default_cert.sh --stage1
- Run the following command to restart the loginsight service, and wait until it is up and running before proceeding to the next node:
systemctl restart loginsight
Once Stage 1 has been implemented on all nodes in the vRealize Log Insight cluster, proceed to Stage 2.
Stage 2
Ensure the steps in Stage 1 have been completed for each node, then for each vRealize Log Insight node, complete the following:
- Log into the vRealize Log Insight node as root via SSH or Console.
- Run the following command to navigate to the root directory:
cd /root
- Run the following command to execute the script with the --stage2 option:
./update_default_cert.sh --stage2
- Run the following command to restart the loginsight service, and wait until it is up and running before proceeding to the next node:
systemctl restart loginsight
Note: If you receive the following output from running the script, you must generate and apply a certificate including the ClientAuth extended key usage as previously described in this article, and then re-attempt the workaround.
Current certificate does not have SSL client purpose
Please upload a new one from UI and retry