
Cloud Director 10.1 Migration: PKIX path validation failed error when configuring

I have been working with a customer on multiple migrations where the target architecture utilises the Cloud Director 10.1 appliance. We ran into an error when re-configuring one of the environments to use the migrated PostgreSQL database. This happened on all the cells in this instance.

sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed

The configure command that we were running was similar to the one below:

/opt/vmware/vcloud-director/bin/configure --unattended-installation --database-type postgres --database-user vcloud --database-password db_password_new_primary --database-host 192.168.1.1 --database-port 5432 --database-name vcloud --database-ssl true --uuid --keystore /opt/vmware/vcloud-director/certificates.ks --keystore-password Passw0rd! --primary-ip 10.10.10.1 --console-proxy-ip 10.10.10.1 --console-proxy-port-https 8443

As a first step at troubleshooting, we ran the configure task again on the first (primary) cell but set the parameter --database-ssl to false which worked fine and without error.

Re-running the configure command again with --database-ssl true caused the error to be displayed.

On the VMware website we found troubleshooting steps for this issue in the release notes: Reconfiguring the VMware Cloud Director Service Fails When Migrating or Restoring to VMware Cloud Director Appliance

Resolution

On the primary cell we ran the following command:

sed -i '/vcd_ova.crt/ s/$/ --force /' /opt/vmware/appliance/bin/appliance-sync.sh

We waited 1 minute and ran the configure command again. This worked on the first cell but the other two still showed the PKIX path validation error.

It was a simple task to run the configuration first with --database-ssl false, then re-run the sed command above before re-running the configure command with --database-ssl true on the remaining cells.

*In the end we suspected that this error may have been caused by an expired self-signed certificate on the original source environment.
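
To test the suspicion above before changing anything, the following added example (not part of the original post or of VMware's tooling) checks a certificate for expiry and compares the copy a cell trusts with the one the database presents. It assumes openssl is available on the cell; the file paths are arguments supplied by the caller, not known appliance locations.

```shell
#!/bin/sh
# Added example: helpers for inspecting the certificates involved in a
# "PKIX path validation failed" error. Paths and host/port are supplied by
# the caller; none are taken from the appliance's real layout.

# Print the SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed if the certificate is expired or expires within $2 seconds
# (use 0 for "expired now"). Also succeeds if the file cannot be parsed.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Succeed if subject and issuer names hash to the same value (self-issued,
# which is what a self-signed certificate looks like).
cert_is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeed if two PEM files hold the same certificate.
certs_match() {
    [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Write the certificate a PostgreSQL server presents to stdout as PEM.
# Needs OpenSSL 1.1.1 or later for "-starttls postgres".
fetch_pg_cert() {
    openssl s_client -starttls postgres -connect "$1:$2" </dev/null 2>/dev/null |
        openssl x509
}

# Usage: sh check_certs.sh TRUSTED_CERT.pem PRESENTED_CERT.pem
if [ "$#" -eq 2 ]; then
    cert_is_self_signed "$2" && echo "presented certificate is self-signed"
    cert_expires_within "$2" 0 && echo "presented certificate has EXPIRED"
    if certs_match "$1" "$2"; then
        echo "trusted copy matches the presented certificate"
    else
        echo "MISMATCH: trusted copy differs from the presented certificate"
    fi
fi
```

The presented certificate can be captured with fetch_pg_cert using the database host and port from the configure command and saved to a file for the comparison.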
