Symptoms
Configuring vRealize Operations Manager on Skyline Collector fails with error: “Certificate has expired. Please try a different configuration”.
Cause
This issue occurs after the Skyline Collector has been auto updated. Previous versions of the Skyline Collector enforced a valid certificate chain. If there are multiple certificates within the PEM file for vROps and any old certificates are present, the Skyline Collector will reject adding vRealize Operations Manager.
Validate vROps certificates by executing the following command:
/bin/grep -E --color=always -B1 'java.security.cert.CertPathValidatorException: validity check failed|java.security.cert.CertificateExpiredException' $ALIVE_BASE/user/log/*.log | /usr/bin/tail -20
Output containing a valid certificate
When connecting to vROps using openssl, we see an expired certificate.
Connect to the Skyline virtual machine collector console and execute the command below:
openssl s_client -connect {VROPS_HOST_ADDRESS}:443 -showcerts
Where VROPS_HOST_ADDRESS is the same address you used to configure vROps.
An expired certificate was found in the vROps default certificate chain:
Thumbprint: F4:D8:0D:24:31:8B:DA:0E:B9:B9:BF:D2:8B:31:41:75:51:34:7F:CA
Subject Alternate Name: localhost,127.0.0.1
PublicKey Algorithm: RSA
Valid From: 2015-04-14T15:20:02.000Z
Valid To: 2020-04-13T15:20:02.000Z
Resolution
This issue is resolved in VMware Skyline Collector 2.6.0.0.
Workaround
Remove the old certificates from vRealize Operations.
1. Log into the Primary Node as root via SSH or Console, pressing ALT+F1 within the Console to log in.
2. Run this command to back up the cacert.pem file:
cp /data/vcops/user/conf/ssl/cacert.pem /data/vcops/user/conf/ssl/cacert.pem.bak
3. Open /data/vcops/user/conf/ssl/cacert.pem in a text editor.
Example: vi /data/vcops/user/conf/ssl/cacert.pem
4. Each certificate is delimited by -----BEGIN CERTIFICATE----- at its beginning and -----END CERTIFICATE----- at its end. Remove all expired certificates (usually the last two in the list).
Note: This may only leave one cert in the chain; this is to be expected.
5. Restart the web services by running the following command:
For vRealize Operations 7.x: service apache2 restart
For vRealize Operations 8.x: service httpd restart
6. Repeat steps 1-5 on all nodes in the vRealize Operations cluster.
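An added example, not part of the VMware article: a shell helper for the "remove all expired certificates" step that lists each certificate in a PEM bundle by position, with its notAfter date, and flags the ones already expired. The function names split_bundle and report_bundle are hypothetical, and the script assumes openssl, awk and mktemp are available on the node.

```shell
#!/bin/sh
# Added example (not VMware's code): audit a PEM bundle before editing it.

# split_bundle FILE OUTDIR: write each BEGIN/END CERTIFICATE block in FILE to
# OUTDIR/cert-N.pem (N = position in the bundle) and print the block count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n); inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { if (inside) close(out); inside = 0 }
        END { print n + 0 }
    ' "$1"
}

# report_bundle FILE: print "index, status, notAfter, subject" per certificate.
# Returns 1 if at least one certificate is flagged EXPIRED, 0 otherwise.
report_bundle() {
    tmp=$(mktemp -d) || return 2
    count=$(split_bundle "$1" "$tmp")
    expired=0
    i=1
    while [ "$i" -le "$count" ]; do
        cert="$tmp/cert-$i.pem"
        end=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
        subj=$(openssl x509 -in "$cert" -noout -subject)
        # -checkend 0 exits non-zero when notAfter is already in the past.
        if openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
            status=OK
        else
            status=EXPIRED
            expired=1
        fi
        printf '%s\t%s\t%s\t%s\n' "$i" "$status" "$end" "$subj"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$expired"
}

# Run only when a bundle path is given as the first argument,
# for example the cacert.pem path used in this article.
if [ "$#" -gt 0 ]; then
    report_bundle "$1"
fi
```

Pass the bundle path as the only argument. A block that openssl cannot parse is also reported as EXPIRED, so inspect any flagged entry before deleting it from the file.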