vROPS 6.6.1 Custom Certificates Time Zone Bug

EDIT – 10/3/17: Received a response from VMware GSS confirming this as a bug. Expect a solution in a future release; for now you can use my workaround below.

The custom certificate import script in vRealize Operations Manager 6.6.1 has a bug in how it checks the certificate's validity period. It reads the certificate time in GMT and compares it to the system time in the local time zone. It should translate GMT to the local time zone first, but it does not. This will only affect you if you are close to the extremes of the validity period for the certificate you are trying to install and the delta between your time zone and GMT is not in your favor. I illustrate a workaround below: I temporarily change the vROPs system's local time zone to GMT.

Steps to reproduce
Generate a custom certificate using the VVD 4.1 CertGen tool on a properly time-synchronized Windows Enterprise CA. Note the validity period for the certificate in my case:

Deploy vROPs OVA with time zone = PDT and proper NTP server, verify with:

Import a PEM file using the vROPs cluster installation wizard, and check the /var/log/casa_log/casa.log when it fails:

It appears the vropsCertificateTool.py script is ignoring the time zone information in the certificate and checking the validity date as if the certificate's "not before" date were in the local time zone of the vROPS server, rather than converting from GMT to local time before verifying the validity of the cert.
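
The class of bug described above, as an added Python example that is not VMware's code and not taken from vropsCertificateTool.py. The function names, certificate dates and clock time are constructed for illustration; the UTC-7 offset corresponds to the PDT zone used in the reproduction.

```python
from datetime import datetime, timedelta, timezone

# Timestamp layout OpenSSL prints for notBefore / notAfter (always GMT).
OPENSSL_FMT = "%b %d %H:%M:%S %Y GMT"

# Constructed sample values, not taken from the original post.
NOT_BEFORE = "Oct 12 20:15:00 2017 GMT"
NOT_AFTER = "Oct 12 20:15:00 2019 GMT"
NOW_UTC = datetime(2017, 10, 12, 21, 0, tzinfo=timezone.utc)  # 45 min after issue
PDT = timedelta(hours=-7)
GMT = timedelta(0)


def parse_cert_time(text):
    """Return the certificate timestamp as a naive datetime holding GMT wall-clock time."""
    return datetime.strptime(text, OPENSSL_FMT)


def naive_is_valid(not_before, not_after, now_utc, local_offset):
    """Flawed check: GMT certificate times compared against local wall-clock time."""
    local_now = (now_utc + local_offset).replace(tzinfo=None)
    return parse_cert_time(not_before) <= local_now <= parse_cert_time(not_after)


def aware_is_valid(not_before, not_after, now_utc):
    """Correct check: both sides of the comparison are expressed in UTC."""
    start = parse_cert_time(not_before).replace(tzinfo=timezone.utc)
    end = parse_cert_time(not_after).replace(tzinfo=timezone.utc)
    return start <= now_utc <= end


def compare_checks():
    """Run the three cases: flawed check in PDT, flawed check in GMT, correct check."""
    return {
        "naive_pdt": naive_is_valid(NOT_BEFORE, NOT_AFTER, NOW_UTC, PDT),
        "naive_gmt": naive_is_valid(NOT_BEFORE, NOT_AFTER, NOW_UTC, GMT),
        "aware": aware_is_valid(NOT_BEFORE, NOT_AFTER, NOW_UTC),
    }


if __name__ == "__main__":
    for name, ok in compare_checks().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The same mismatch cuts the other way at the end of the validity period: with a PDT clock, the flawed check keeps accepting the certificate for seven hours after its "not after" time.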

Workaround

As a workaround, I changed the time zone on the vROPs system:

Then upload the correct PEM file in the vROPs cluster installation wizard, and it accepts the cert as valid. Afterwards, you can change your time zone back by updating the symlink.

Note – I have a case open with GSS to report this bug, but probably most people just use the CertGen VVD tool early in the process, and thus enough time has passed between generating the certs and deploying the solution that this is a non-issue.  Hope this helps.

EDIT – See note at top.

 
