Wednesday, June 24, 2020

vRealize Automation 7.6 cluster replica nodes AD joining issue

Hi There,

This article covers how to resolve the domain-joining issue for vRA replica nodes.

Some background first: I upgraded my vRA environment from 7.3 to 7.6 successfully. After the upgrade, I added 2 replica nodes to the vRA cluster to make it a distributed deployment.

Once the replica nodes had been added to the vRA cluster, I logged into the default tenant of the vRA portal and tried to join these 2 nodes (called connectors in the vRA portal) to my Active Directory domain, so that I could take advantage of the load balancer and user authentication could be served by any node in the cluster.

In the vRA portal, go to the Administration tab and, under Directories Management, click the Connectors tab.



When I clicked Join Domain on my second replica node, I got the error below.

Connector communication failed with response: Certificate for <VRA002.cloudarena.com> doesn't match common name of the certificate subject: VRA001.cloudarena.com for the connector VRA002.cloudarena.com

The error is the same for the third replica node:

Connector communication failed with response: Certificate for <VRA003.cloudarena.com> doesn't match common name of the certificate subject: VRA001.cloudarena.com for the connector VRA003.cloudarena.com


I checked my vRA certificate status, and all my certificates are valid until Sep 2020.

I rebooted the whole vRA stack, but the issue remained.

Then we had a look at the certificates on the replica nodes and found that:

  • As per the error, the newly deployed vRA replica appliances were using the internal horizon certificate of the original appliance, VRA001.cloudarena.com.
  • This certificate is unrelated to the one we had generated and applied to vRA.
  • We tried to run a command to update the certificates locally on the 2 new replicas:
    • /usr/local/horizon/scripts/installExternalCertificate.hzn --ca /usr/local/horizon/conf/root_ca.pem --cert /usr/local/horizon/conf/VRA002.cloudarena.com_cert.pem --key /usr/local/horizon/conf/VRA002.cloudarena.com_key.pem --alias "horizoninternalcert"
  • This failed with the following error:
    • keytool error: java.io.IOException: DER length more than 4 bytes: 109
  • Run these steps to work around this on both vRA replica nodes:
    • mkdir /root/tmp-bkp
    • mv /usr/local/horizon/conf/flags/fips* /root/tmp-bkp
    • /usr/local/horizon/scripts/secure/wizardssl.hzn
    • mv /root/tmp-bkp/fips* /usr/local/horizon/conf/flags
    • service horizon-workspace restart
  • We then successfully joined the replica to the AD domain.
The above steps need to be run on both replica nodes so that each one gets its own correct certificate.
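The failing comparison above is the connector's presented certificate CN against the connector's own FQDN. The script below, an added example that is not part of the original post, performs that same comparison from the outside so the mismatch can be spotted before a Join Domain attempt and confirmed fixed after the workaround; the connector FQDNs in the usage line are the ones from this article, and it assumes openssl is available on the machine running it.

```shell
#!/bin/sh
# Pre-flight / post-fix check for vRA (vIDM "horizon") connector certificates.
# Added example, not from the original post. Hostnames in the usage line are
# the article's; any other connector FQDN works the same way.

# Pull the CN out of an `openssl x509 -noout -subject` line. Works for both
# "subject=CN = host" and the older "subject= /C=US/O=x/CN=host" layout.
subject_cn() {
  printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's/[[:space:]]*$//'
}

# Succeed only when the certificate's CN equals the FQDN the node is reached
# by (case-insensitive). A CN naming another node is exactly the mismatch
# that makes "Join Domain" fail for a replica.
cn_matches_host() {
  cn=$(subject_cn "$1" | tr 'A-Z' 'a-z')
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ -n "$cn" ] && [ "$cn" = "$want" ]; then
    return 0
  fi
  return 1
}

# Live check: fetch the certificate a connector actually presents on its
# HTTPS port and compare its CN with the connector's own name.
check_connector() {
  host=$1
  port=${2:-443}
  subj=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
         | openssl x509 -noout -subject 2>/dev/null)
  if [ -z "$subj" ]; then
    echo "$host: could not retrieve a certificate"
    return 2
  fi
  if cn_matches_host "$subj" "$host"; then
    echo "$host: OK ($subj)"
    return 0
  fi
  echo "$host: MISMATCH ($subj)"
  return 1
}

# Usage: sh check_connectors.sh VRA001.cloudarena.com VRA002.cloudarena.com VRA003.cloudarena.com
# A MISMATCH line means that connector is still presenting another node's certificate.
if [ $# -gt 0 ]; then
  for h in "$@"; do
    check_connector "$h"
  done
fi
```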

Now both replica nodes join AD successfully without any errors.

Then we could add the load-balancer address to the directory configuration to allow logging in through the LB address.


Hope this was informative to you. Cheers.



