Recently, I encountered an issue while trying to replace the self-signed certificate of Aria Automation using Aria Platform Lifecycle (formerly known as vRealize Lifecycle Manager). Despite signing my CSR (created via Aria Platform Lifecycle) with the customer’s CA using the ECDSA (Elliptic Curve Digital Signature Algorithm) hashing algorithm in their intermediate certificates, the replacement failed with error LCMVRAVACONFIG90039.
After importing the signed certificate into the Aria Platform Lifecycle locker via its UI, I attempted to replace the Aria Automation certificate using the respective Lifecycle day-2 operation. However, this failed yet again with the same error, even when I tried it with the skipCertificateValidate property enabled.
Upon digging into the Aria Automation logs, I found an error message that explained Aria Automation expects the encryption or hash algorithm to be one of sha256WithRSAEncryption, sha384WithRSAEncryption, or sha512WithRSAEncryption, while I was offering ecdsa-with-SHA256. This seemed like a purely arbitrary limitation, as I was able to successfully replace the certificate of Workspace One Access (VMware Identity Manager) with the same intermediate certificate chain.
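A pre-flight check for the limitation described above, as an added example that is not part of the original post or of VMware's tooling: it reads the signatureAlgorithm field of every certificate in a PEM chain and flags any that is not one of the three RSA algorithms named in the log message. The function names and the sample chain are assumptions made for illustration.

```python
import base64
import re

# OIDs of the three signature algorithms named in the Aria Automation log message.
ALLOWED = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
KNOWN = {**ALLOWED, "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):  # read one DER element, return (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, pos, pos + length

def _oid(raw):  # DER OID content bytes -> dotted string (first arc 0 or 1)
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Return the OID of Certificate.signatureAlgorithm, the field after tbsCertificate."""
    _, body, _ = _tlv(der, 0)         # outer Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, body)   # skip over tbsCertificate
    tag, alg, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    oid_tag, start, end = _tlv(der, alg)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("unexpected DER structure")
    return _oid(der[start:end])

def check_chain(pem_text):
    """Return (position, algorithm, accepted) for each certificate in a PEM bundle."""
    oids = [signature_oid(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    return [(i, KNOWN.get(o, o), o in ALLOWED) for i, o in enumerate(oids)]

# Constructed DER skeletons (empty tbsCertificate and signature), not real certificates:
# an RSA-signed leaf followed by an ECDSA-signed intermediate.
SAMPLE_CHAIN = "".join(
    f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(bytes.fromhex(h)).decode()}\n"
    "-----END CERTIFICATE-----\n"
    for h in ("30143000300d06092a864886f70d01010b0500030100",
              "30113000300a06082a8648ce3d040302030100"))
```

For a real bundle, pass the file's text to `check_chain`; any tuple whose last element is `False` marks a certificate signed with an algorithm outside the list from the log.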
To solve this issue, I found that using the vracli certificate command with the force parameter, as described in VMware KB article 76089, can skip the certificate validation during installation. The procedure is:
1. Force our certificate to be accepted as the Aria Automation Ingress certificate:
Apply the certificate (command must be run on all Aria Automation appliances):
vracli certificate force-accept --certificate
2. Once the re-deployment is completed, we must verify that the certificate has been changed successfully by navigating to the Aria Automation portal.
In conclusion, when trying to replace the self-signed certificate of Aria Automation using Aria Platform Lifecycle, we may encounter an arbitrary limitation in allowed encryption/hash algorithms. However, by using the vracli certificate command with the force parameter, we can skip the certificate validation and successfully replace the certificate. It is important to note that this solution only works for the Aria Automation Ingress certificate and not for other certificates.