The Problem
I recently replaced the self-signed NSX-ALB certificates with a CA-signed (Microsoft CA) certificate, which caused a new unanticipated issue with TKGm deployment.
The TKGm installer wizard was complaining about the certificate validity. I knew there was nothing wrong with the certificate validity on NSX ALB because it was replaced just a few hours ago. Nonetheless, I double-checked the certificate expiration date, which is set to 2024.
After some jiggling, I investigated the bootstrap machine CLI terminal, where I issued the tanzu management-cluster create command, and spotted the main problem right away.
This is the error shown in the CLI.
|
1 |
E0313 12:55:20.639848 1549280 avisession.go:666] Client error for URI: login. Error: Post "https://alb.vstellar.local/login": x509: certificate signed by unknown authority |
Since the certificate is not signed by a Public CA, the bootstrapper machine has no idea about the CA server who signed this cert. I’d seen this problem before, so I knew I needed to import the CA Server root certificate into the Trust Store of my bootstrap machine’s operating system (Photon OS in my lab).
The Fix
Upload your CA Server root certificate to the photon machine and run the below commands to fix the issue.
|
1 2 3 4 5 |
# cat root-ca.cer >> /etc/pki/tls/certs/ca-bundle.crt # tdnf install -y openssl-c_rehash # rehash_ca_certificates.sh |
Close the current TKGm installer session and begin the installation process again. The certificate validity error has been rectified, and the ALB connection is reported as verified.
I hope you enjoyed reading this post. Feel free to share this on social media if it is worth sharing.