Recently, I wanted to replace the self-signed certificate of Aria Automation using Aria Platform Lifecycle (formerly known as vRealize Lifecycle Manager). The customer has signed my CSR (created via Aria Platform Lifecycle) through their CA using the ECDSA (Elliptic Curve Digital Signature Algorithm) hashing algorithm in their intermediate certificates.
This ultimately fails with error LCMVRAVACONFIG90039 due to some arbitrary restrictions in the backend of Aria Automation.
Importing the signed certficate in PEM format into the Aria Platform Lifecycle locker was finished successfully via its UI. The certificate has the following PEM format:
-----BEGIN RSA PRIVATE KEY-----
(Private Key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA certificate)
-----END CERTIFICATE-----Then I started the replacement of the Aria Automation certificate using the respective Lifecycle day-2 operation. Unfortunately this failed with error LCMVRAVACONFIG90039, even when I tried it again with the skipCertificateValidate property enabled.
Digging into the Aria Automation logs, I found the following error:
2023-09-11 09:02:13.566 INFO [pool-3-thread-47] c.v.v.l.u.SshUtils - -- Command: vracli certificate ingress --set /tmp/lcm-cert.pem --sha256 E45C18086AFB452E40C0886E110C4B157E5BDA78183B806846297041EB96E3A5
2023-09-11 09:02:13.567 INFO [pool-3-thread-47] c.v.v.l.u.SshUtils - -- ------------------------------------------------------
2023-09-11 09:02:15.319 INFO [pool-3-thread-47] c.v.v.l.u.SshUtils - -- exit-status: 1
2023-09-11 09:02:15.319 INFO [pool-3-thread-47] c.v.v.l.u.SshUtils - -- Command executed sucessfully
2023-09-11 09:02:15.320 INFO [pool-3-thread-47] c.v.v.l.u.SshUtils - -- Command execution response: {
"exitStatus" : 1,
"outputData" : "",
"errorData" : "Invalid encryption or hash algorithm: \nExpected one of: ['sha256WithRSAEncryption', 'sha384WithRSAEncryption', 'sha512WithRSAEncryption']\nFound: ecdsa-with-SHA256\n",
"commandTimedOut" : false
}The error message explains, that Aria Automation would expect the encryption or hash algorithm to be one of sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption, while I was offering ecdsa-with-SHA256.
There seems to be a purely arbitrary limitation of allowed encryption/hash algorithms in Aria Automation, as I was able to successfully replace the certificate of Workspace One Access (VMware Identity Manager) with the same intermediate certificate chain. Anyway, to solve this issue we can use the vracli certificate command with the force parameter as described in VMware KB article 76089. Using the force parameter skips the certificate validation during the installation.
The procedure is:
- Run command:
vracli certificate ingress --set stdin --force - Paste the PEM full chain in the format described above, press CTRL-D
- Expected result: ‘force’ parameter is set, forcing the operation.
- Run command:
vracli certificate ingress --list - Expected result: new certificate chain shown
- Run command:
/opt/scripts/deploy.sh - Expected result: Prelude has been deployed successfully
First, we force our certificate to be accepted as the Aria Automation Ingress certificate:
root@vra1a [ ~ ]# vracli certificate ingress --validate stdin --force
Please, paste the certificate chain for ingress and press ctrl-d
Be sure that certificate data is in PEM format and is constructed in the following way:
*. The private key. If the private key is encrypted, you will be asked for password.
*. Client certificate,
*. Intermediate CA certificate(s) and CA certificate (if there are such)
(cert_chain_begin)
-----BEGIN PRIVATE KEY-----
....
^D
(cert_chain_end)
If your private key is encrypted, please enter the password to decrypt it bellow.
Hit enter if no password is required.
Password:
'force' parameter is set, forcing the operation.
root@vra1a [ ~ ]#Apply the certificate (command must be run on all Aria Automation appliances):
root@vra1a [ ~ ]# /opt/scripts/deploy.sh
+ trap on_exit EXIT
+ export -f wait_deploy_health
+ log_stage 'Waiting for deploy healthcheck'
+ set +x
=========================
[2023-09-11 15:21:00.859+0000] Waiting for deploy healthcheck
=========================
+ timeout 300s bash -c wait_deploy_health
...
Prelude has been deployed successfullyOnce re-deployment is completed, we must verify, that the certificate has been changed successfully by navigating to the Aria Automation portal.
Leave a Reply