Recently, if you have been using the Management Pack for AWS in vRealize Operations you may have noticed that you are no longer receiving metrics for AWS objects in vRealize Operations.
You will also see errors similar to the following in the AmazonAWSAdapter_XXXX.log:
2018-01-22 09:58:41,686 DEBUG [Collector worker thread 6] (2816) com.vmware.adapter3.amazonaws.AWSELBManager.refreshResources – Exception while refreshing Auto Scaling Groups resources:
java.util.concurrent.ExecutionException: com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.util.concurrent.FutureTask.report(FutureTask.java:122)
at java.util.concurrent.FutureTask.get(FutureTask.java:206)
at com.vmware.adapter3.amazonaws.AWSELBManager.refreshResources(AWSELBManager.java:133)
at com.vmware.adapter3.amazonaws.AmazonAWSAdapter.refreshInventory(AmazonAWSAdapter.java:273)
at com.vmware.adapter3.amazonaws.AmazonAWSAdapter.onCollect(AmazonAWSAdapter.java:887)
at com.integrien.alive.common.adapter3.AdapterBase.collectBase(AdapterBase.java:717)
at com.integrien.alive.common.adapter3.AdapterBase.collect(AdapterBase.java:503)
at com.integrien.alive.collector.CollectorWorkItem3.run(CollectorWorkItem3.java:46)
at com.integrien.alive.common.util.ThreadPool$WorkerItem.run(ThreadPool.java:253)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at java.lang.Thread.run(Thread.java:748)
Caused by: com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:471)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:295)
at com.amazonaws.services.elasticloadbalancing.AmazonElasticLoadBalancingClient.invoke(AmazonElasticLoadBalancingClient.java:2019)
at com.amazonaws.services.elasticloadbalancing.AmazonElasticLoadBalancingClient.describeLoadBalancers(AmazonElasticLoadBalancingClient.java:1885)
at com.amazonaws.services.elasticloadbalancing.AmazonElasticLoadBalancingAsyncClient$55.call(AmazonElasticLoadBalancingAsyncClient.java:3032)
at com.amazonaws.services.elasticloadbalancing.AmazonElasticLoadBalancingAsyncClient$55.call(AmazonElasticLoadBalancingAsyncClient.java:3030)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
… 3 more
So what’s causing this?
After some research, VMware Engineering determined that this was caused by AWS changing the SSL certificates on the API endpoints consumed by the Management Pack for AWS.
How do we fix this?
The current plan is for this to be fixed in the next GA release of the Management Pack for AWS, which is due out later this year (subject to change).
To work around this issue, VMware have released a script which will automatically update the SSL certs in order to resume collections. I have been working with Global Support Services to create a public-facing KB for this issue with links to the script, which can be accessed here:
https://kb.vmware.com/kb/52482
Once you apply the script, the data for AWS resources should re-populate and display as expected.
If there is no change after applying the script, then I would advise opening a Support Request with VMware GSS to investigate further.
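To confirm from the adapter log that the certificate errors actually stopped after the script ran, the following added example (not part of the VMware script or KB) counts PKIX failures per collecting component and reports the most recent one. The function names and sample lines are constructed for illustration, and the header pattern is assumed from the excerpt above.

```python
import re
import sys
from collections import Counter
from datetime import datetime

# Entry header: "<timestamp>,<ms> <LEVEL> [<thread>] (<id>) <logger> ..."
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \w+\s+"
    r"\[[^\]]*\] \(\d+\) (?P<logger>[\w.$]+) ")
PKIX = "PKIX path building failed"

# Constructed sample modelled on the excerpt above (messages shortened).
ELB = "com.vmware.adapter3.amazonaws.AWSELBManager.refreshResources"
SAMPLE = [
    f"2018-01-22 09:58:41,686 DEBUG [Collector worker thread 6] (2816) {ELB} - Exception while refreshing",
    "java.util.concurrent.ExecutionException: ... ValidatorException: PKIX path building failed: ...",
    "Caused by: com.amazonaws.AmazonClientException: ... PKIX path building failed: ...",
    f"2018-01-22 10:03:41,702 DEBUG [Collector worker thread 4] (2816) {ELB} - Exception while refreshing",
    "java.util.concurrent.ExecutionException: ... ValidatorException: PKIX path building failed: ...",
    "2018-01-22 10:08:40,115 INFO  [Collector worker thread 2] (2816) "
    "com.vmware.adapter3.amazonaws.AmazonAWSAdapter.onCollect - collection finished",
]

def pkix_failures(lines):
    """Return (Counter logger -> failing entries, timestamp of the latest failure)."""
    per_logger, last_seen = Counter(), None
    logger = ts = None
    counted = True  # no header seen yet, so nothing to attribute a match to
    for line in lines:
        m = ENTRY.match(line)
        if m:  # a new log entry starts; the stack trace lines that follow belong to it
            logger = m["logger"]
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            counted = False
        if PKIX in line and not counted:  # count each entry once, not each "Caused by"
            per_logger[logger] += 1
            last_seen = ts if last_seen is None else max(last_seen, ts)
            counted = True
    return per_logger, last_seen

def still_failing(lines, fix_applied_at):
    """True if any PKIX failure was logged after the workaround was applied."""
    _, last_seen = pkix_failures(lines)
    return last_seen is not None and last_seen > fix_applied_at

if __name__ == "__main__":
    # Pass the adapter log path as the first argument; falls back to SAMPLE.
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    counts, last = pkix_failures(lines)
    for name, n in counts.most_common():
        print(f"{n:6d}  {name}")
    print("most recent PKIX failure:", last)
```

If `still_failing` returns True for the time the script was applied, the trust store update did not take effect for that collector and a Support Request is the next step.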
Thanks for reading, and please feel free to leave a comment or message me on Twitter (@lukaswinn) if you found this article useful.
–Lukas