vRealize Log Insight Internal Certificate issue

Issue

A KB91441 was recently published that affects vRLI internal certificate that will expire on April 30th. The expiration on the certificate will leading to a comunication failures in internode comunication in a vRLI cluster. However, this problem affects both cluster and single instance installation of a vRLI, so I invite you to read carefully the KB and act as soon as possible.

Before to act on the customer's production cluster environment I prefer to do some tests on the safe VMware HOL environment, using this LAB "Getting Started with Aria Operations for Logs (HOL-2201-03-CMP)".

Let's see below the tasks, following the KB "Updating the vRealize Log Insight Internal Certificate (91441)" step by step.

Solution

As the KB says:

This is a known issue affecting vRealize Log Insight 8.x.
The official resolution will be in the next vRealize Log Insight due out before April 30th 2023.

In my case the vRLI is a single instance version 8.4.

Below the verification steps before the fix:

1. Let's check the external certificates, also because the problem may not arise with the expiration of the external certificate, but it is actually the internal certificate that expires:
   
   Open a web browser and open the vRLI URL and verify the certificate
   
   
   
   
2. Get access to the vRealize Log Insight with user admin (Default built-in) > Administration > SSL.
   
   Click on “VIEW DETAILS…” of Existing Certificate
   
   
   
   As you can see here, the external certificates don't seems to expire imminently
   
   
3. Connect via SSH to the vRealize Log Insight appliance with root user and run the following command:
   
   

   # openssl x509 -in /storage/core/loginsight/cidata/cassandra/config/cacert.pem -enddate -noout

   
   If the result is as indicated in the figure above, it must be updated, even if in points 1. and 2. the certificate is not expired. If the result is different and expires beyond April 30, 2023, no certificate reconfiguration activities are required.
   
   

Below the workaround:

1. Take a cold snapshot of the vRealize Log Insight VM
   
   
   
2. Generating the new self-signed certificate:
   

   openssl req -newkey rsa:2048 -keyout domain.key -x509 -days 3650 -out domain.crt -nodes 

   When prompted by openssl, provide the required values for your company.
   
   Then run the following command to concatenate the key and cert into a pem file

   cat domain.key domain.crt > /tmp/cert.pem

   
3. Download the cert.pem file and upload it to vRealize Log Insight:
   Navigate to Configuration > SSL, click Choose File, browse to the cert.pem file previusly downloaded and click Open.
   Click Save. This will automatically distribute the new cert across all nodes in the vRealize Log Insight cluster. Wait for the SSL certificate to be updated.
   
   
4. Run the "update_default_cert.sh" script downloaded from VMware KB:

   # ./update_default_cert.sh --all

   Once completed, stop the loginsight service on the node by running the following command:

   # systemctl stop loginsight

   Start the loginsight service by running the following command:

   # systemctl start loginsight

   Execute the script with the verify option:

   # ./update_default_cert.sh --verify

   
5. Run the following command to validate that the new certificate is in place:

   # openssl x509 -in /storage/core/loginsight/cidata/cassandra/config/cacert.pem -enddate -noout

   
   Verify the certificate by UI as well:
   
   
   
6. If everything seems to be OK, remove the snapshot.

Another way to address the criticality is to upgrade vRealize Log Insight to new version before the April 30 deadline because the new 8.12 version is not affected by this issue.
At the time I'm posting this article (April 20th, 2023), the new release 8.12 has just been released, and is available for download.
VMware Aria Operations for Logs 8.12 release notes are available here.

That's it.