You have recently changed the vSphere certificate that is used as a Cloud Account in VMware Aria Automation SaaS / 8.x (formerly VMware vRealize Automation 8.x). You notice errors similar to "Unavailable for Deployment" or "Failed to validate" when attempting to update the Cloud Account.
When a vSphere certificate is changed, the Aria Automation user revalidates the Cloud account and accepts the new certificate but closes the Cloud account without saving. The certificate is then accepted in the trust store but not saved to the endpoint.
VMware is aware of this issue, and it is being considered for inclusion in a later release. See the Workaround section below for additional details.
Workaround

Prerequisites

Take simultaneous non-memory snapshots of each virtual appliance in the cluster. Use the quiesce option for versions 8.9.x and above.

This article provides the option to update the Cloud Account using a curl command from the CLI instead of using Postman. If using the CLI option, validate that you have SSH access with the root username and password to at least one of the appliances in the cluster.

Collecting vCenter Cloud Account Information

1. Obtain the Cloud Account ID and the username (vCenter service account) from the UI by opening the respective vCenter within the Aria Automation UI. Alternatively, using Postman or cURL, search for the cloud account ID with:

   GET /iaas/api/cloud-accounts

   You can also get the cloud account ID from the browser: open Developer Tools > Network tab, refresh the Cloud Account page, then press Ctrl-F and search for /iaas/api/cloud-accounts.

2. On Aria Automation SaaS: capture the Cloud Proxy ID for use as dcid in the later payload.

3. Capture the vCenter certificate in PEM format by running the following command:

   openssl s_client -connect ID1:443 2> /dev/null | openssl x509 | awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}'

   Note: Replace ID1 with the vCenter FQDN.
   Note: This exact output (the certificate on a single line, with literal \n separators in place of line breaks) will be used later.

4. Obtain a Bearer token following the article Generate Access_Token/Bearer_Token in VRA 8.x for API Authentication, or by using the browser DevTools:
   - Access Aria Automation from a web browser and log in.
   - Open the web browser's Developer Tools > Network and copy the access bearer token.

After capturing this information, proceed to the procedure section below that matches your deployment: the standalone procedure (Aria Automation SaaS and 8.x) or the vCF-enabled procedure.

Procedure for Aria Automation SaaS and 8.x

Using Postman

1. Add the bearer token in the Authorization tab.

2. Add the following API call:

   PATCH ID3/iaas/api/cloud-accounts/ID2?apiVersion=2021-07-15

3. In the Body tab add the following information and then run the API call.
   {
     "privateKeyId": "ID4",
     "privateKey": "ID5",
     "certificateInfo": {
       "certificate": "ID6"
     }
   }

   Note: Replace the IDx values as follows:
   - ID2: the cloud account ID obtained in step 1 of the prerequisites.
   - ID3: the Aria Automation FQDN.
   - ID4: the username obtained in step 1 of the prerequisites.
   - ID5: the password of the vCenter service account or username (ID4).
   - ID6: the output of the command run in step 3 of the prerequisites.
   - ID7: the bearer token obtained in step 4 of the prerequisites.

   Note: For SaaS, the Cloud Proxy ID that maps to this cloud account is required as dcid in the payload. This also applies to the Using cURL section below.

   {
     "privateKeyId": "ID4",
     "dcid": "CloudProxyID",
     "privateKey": "ID5",
     "certificateInfo": {
       "certificate": "ID6"
     }
   }

4. Close the Cloud Account if it is open in the UI, then validate the health of the Cloud Account. This may take 10 minutes to finish the data collection.

Using cURL

1. SSH to the appliance and run the following curl command:

   curl -k --location --request PATCH 'https://ID3/iaas/api/cloud-accounts/ID2?apiVersion=2021-07-15' \
     --header 'Authorization: Bearer ID7' \
     --header 'Content-Type: application/json' \
     --data-raw '{ "privateKeyId": "ID4", "privateKey": "ID5", "certificateInfo": { "certificate": "ID6" } }'

   Note: Replace the IDx values as follows:
   - ID2: the cloud account ID obtained in step 1 of the prerequisites.
   - ID3: the Aria Automation FQDN.
   - ID4: the username obtained in step 1 of the prerequisites.
   - ID5: the password of the vCenter service account or username (ID4).
   - ID6: the output of the command run in step 3 of the prerequisites.
   - ID7: the bearer token obtained in step 4 of the prerequisites.

2. Close the Cloud Account if it is open in the UI, then validate the health of the Cloud Account. This may take 10 minutes to finish the data collection.
Procedure for vCF-enabled Aria Automation instances

1. GET the necessary cloud account details:

   GET root-url/provisioning/uerp/provisioning/mgmt/endpoints?expand

   Note: Use a valid bearer token for authorization.

   Find the relevant VCF endpoint and look for customProperties. Copy the relevant nsx and vsphere property values, which start with "resources/endpoints/...". Use these links to make the GET calls in step 2.

2. Check each of the NSX and vSphere cloud accounts using the links copied in step 1:

   GET root-url/provisioning/uerp/resources/endpoints/xxx

   If the certificate stored on the endpoint does not match the valid certificate for that endpoint, the cloud account needs to be patched.

3. Patch the cloud account with the updated certificate:

   PATCH root-url/provisioning/uerp/resources/endpoints/xxx

   {
     "endpointProperties": {
       "certificate": "updated-endpoint-certpem"
     },
     "customProperties": {
       "certificate": "updated-endpoint-certpem"
     }
   }

4. Finally, update the vCF cloud account itself: certificate should be updated to reflect the updated vSphere certificate, and nsxCertificate should refer to the NSX endpoint certificate. Follow step 3 to make this change.

Note: It is recommended to use Postman for ease of use, but the equivalent cURL commands are noted below.

GET:

   curl --location -g --request GET 'https://ID3/provisioning/uerp/provisioning/mgmt/endpoints?expand' \
     --header 'Authorization: Bearer {bearer token}'

PATCH:

   curl --location -g --request PATCH 'https://ID3/provisioning/uerp/document-self-link' \
     --header 'Authorization: Bearer {bearer token}' \
     --header 'Content-Type: application/json' \
     --data-raw '{ "endpointProperties": { "certificate": "updated-endpoint-certpem" }, "customProperties": { "certificate": "updated-endpoint-certpem" } }'

Note: Replace the newline characters in the certpem with \n so that the certpem is entirely on one line; the awk command in step 3 of the prerequisites produces exactly this form.
Note: Replace root-url with the FQDN of the Aria Automation appliance, similar to ID3 in the previous examples. document-self-link stands for the endpoint link copied in step 1 (the value starting with resources/endpoints/...).
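The following is an added example and is not VMware's code. It serves both the standalone procedure (the /iaas/api/cloud-accounts PATCH body, with the optional dcid for SaaS) and the vCF-enabled procedure (the /provisioning/uerp/resources/endpoints PATCH body and the step 2 comparison of the stored certificate against the live one). It uses only the Python standard library; the PEM strings and endpoint document are constructed stand-ins, the cafile parameter is a deployment assumption rather than part of the Aria Automation API, and placing nsxCertificate under both property maps is this example's assumption.

```python
"""Added example, not VMware's code: build the PATCH bodies from this article
and check, before sending, that the certificate stored on an endpoint really
differs from the one the vCenter serves. Standard library only."""
import base64
import hashlib
import json
import ssl
import urllib.request

def normalize_pem(pem):
    """Accept real newlines, CRLF, or the literal '\\n' form the article's awk
    command prints, and return the PEM with real newlines."""
    text = pem.replace("\r", "").replace("\\n", "\n")
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    return "\n".join(lines) + "\n"

def pem_as_awk_line(pem):
    """Single-line literal-\\n form for pasting into a hand-written --data-raw."""
    return normalize_pem(pem).replace("\n", "\\n")

def sha256_fingerprint(pem):
    """SHA-256 of the DER bytes (what 'openssl x509 -fingerprint -sha256'
    reports), so two copies of one cert compare equal whatever their line style."""
    body, inside = [], False
    for line in normalize_pem(pem).splitlines():
        if line.startswith("-----BEGIN CERTIFICATE-----"):
            inside = True
        elif line.startswith("-----END CERTIFICATE-----"):
            break
        elif inside:
            body.append(line)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    return hashlib.sha256(base64.b64decode("".join(body))).hexdigest()

def endpoint_needs_patch(endpoint_doc, live_pem):
    """Step 2 of the vCF procedure: does the certificate stored on the
    resources/endpoints/... document differ from the live one?"""
    stored = endpoint_doc.get("endpointProperties", {}).get("certificate")
    if not stored:
        return True
    return sha256_fingerprint(stored) != sha256_fingerprint(live_pem)

def build_iaas_payload(username, password, pem, dcid=None):
    """Body for PATCH /iaas/api/cloud-accounts/{id}?apiVersion=2021-07-15;
    dcid (the Cloud Proxy ID) is only needed on Aria Automation SaaS."""
    payload = {"privateKeyId": username, "privateKey": password,
               "certificateInfo": {"certificate": normalize_pem(pem)}}
    if dcid:
        payload["dcid"] = dcid
    return payload

def build_uerp_payload(pem, nsx_pem=None):
    """Body for PATCH /provisioning/uerp/resources/endpoints/{id}. nsx_pem adds
    nsxCertificate for the vCF cloud account itself; placing it under both
    property maps, as the article does for certificate, is an assumption here."""
    props = {"certificate": normalize_pem(pem)}
    if nsx_pem:
        props["nsxCertificate"] = normalize_pem(nsx_pem)
    return {"endpointProperties": dict(props), "customProperties": dict(props)}

def encode_body(payload):
    """json.dumps escapes the PEM newlines as \\n itself, so the '/n' versus
    '\\n' slip that a hand-built --data-raw string invites cannot happen."""
    return json.dumps(payload).encode()

def send_patch(url, bearer, payload, cafile=None):
    """Send the PATCH, verifying the appliance against its CA bundle (cafile,
    an assumed local path) instead of disabling checks as 'curl -k' does.
    Network call; the offline sample below does not use it."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        url, data=encode_body(payload), method="PATCH",
        headers={"Authorization": f"Bearer {bearer}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status

def _fake_pem(tag):
    # Constructed stand-in: PEM framing around arbitrary bytes, not a real
    # certificate. Fingerprinting only hashes the decoded bytes, so the
    # comparison above behaves exactly as it would on a real certificate.
    body = base64.b64encode(f"constructed placeholder DER: {tag}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\r\n{body}\r\n-----END CERTIFICATE-----\r\n"

OLD_VCENTER_PEM = _fake_pem("old vCenter cert")   # constructed
NEW_VCENTER_PEM = _fake_pem("new vCenter cert")   # constructed
# Constructed endpoint document shaped like the step 2 GET response.
SAMPLE_ENDPOINT_DOC = {"endpointProperties": {"certificate": OLD_VCENTER_PEM}}

if __name__ == "__main__":
    # Live use would replace NEW_VCENTER_PEM with ssl.get_server_certificate(("<vcenter-fqdn>", 443)).
    print("needs patch:", endpoint_needs_patch(SAMPLE_ENDPOINT_DOC, NEW_VCENTER_PEM))
    print(encode_body(build_iaas_payload("<service-account>", "<password>", NEW_VCENTER_PEM)))
```

Because the fingerprint is taken over the decoded DER bytes, the check gives the same answer whether the stored copy came back with real newlines or in the single-line literal-\n form, which is the form most likely to be sitting on the endpoint after a cURL update. Letting json.dumps escape the certificate also removes the most common failure with hand-built bodies, a PEM pasted with the wrong separator.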