Monitoring AWS in vROps? You may need to update your SSL Certs!

Recently, if you have been using the Management Pack for AWS in vRealize Operations you may have noticed that you are no longer receiving metrics for AWS objects in vRealize Operations.

You will also see errors similar to the following in the AmazonAWSAdapter_XXXX.log:

2018-01-22 09:58:41,686 DEBUG [Collector worker thread 6] (2816) com.vmware.adapter3.amazonaws.AWSELBManager.refreshResources – Exception while refreshing Auto Scaling Groups resources:
java.util.concurrent.ExecutionException: com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at java.util.concurrent.FutureTask.report(FutureTask.java:122)
          at java.util.concurrent.FutureTask.get(FutureTask.java:206)
          at com.vmware.adapter3.amazonaws.AWSELBManager.refreshResources(AWSELBManager.java:133)
          at com.vmware.adapter3.amazonaws.AmazonAWSAdapter.refreshInventory(AmazonAWSAdapter.java:273)
          at com.vmware.adapter3.amazonaws.AmazonAWSAdapter.onCollect(AmazonAWSAdapter.java:887)
          at com.integrien.alive.common.adapter3.AdapterBase.collectBase(AdapterBase.java:717)
          at com.integrien.alive.common.adapter3.AdapterBase.collect(AdapterBase.java:503)
          at com.integrien.alive.collector.CollectorWorkItem3.run(CollectorWorkItem3.java:46)
          at com.integrien.alive.common.util.ThreadPool$WorkerItem.run(ThreadPool.java:253)
          at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
          at java.lang.Thread.run(Thread.java:748)
Caused by: com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
          at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:471)
          at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:295)
          at com.amazonaws.services.elasticloadbalancing.AmazonElasticLoadBalancingClient.invoke(AmazonElasticLoadBalancingClient.java:2019)
          at com.amazonaws.services.elasticloadbalancing.AmazonElasticLoadBalancingClient.describeLoadBalancers(AmazonElasticLoadBalancingClient.java:1885)
          at com.amazonaws.services.elasticloadbalancing.AmazonElasticLoadBalancingAsyncClient$55.call(AmazonElasticLoadBalancingAsyncClient.java:3032)
          at com.amazonaws.services.elasticloadbalancing.AmazonElasticLoadBalancingAsyncClient$55.call(AmazonElasticLoadBalancingAsyncClient.java:3030)
          at java.util.concurrent.FutureTask.run(FutureTask.java:266)
          … 3 more

So what’s causing this?

After some research from VMware Engineering they have determined that this has been caused by AWS changing the SSL Certificates on their API endpoints which are consumed by the Management Pack for AWS.

How do we fix this?

The current plan is this will be fixed in the next GA release of the Management Pack for AWS which is due out later this year (subject to change).

To workaround this issue, VMware have released a script which will automatically update the SSL certs in order to resume collections.  I have been working with Global Support Services to create a public facing KB for this issue with links to the script which can be accessed here:
https://kb.vmware.com/kb/52482

Once you apply the script the data for AWS resources should now re-populate and display as expected.

If there is no change after applying the script, then I would advise to open a Support Request with VMware GSS to investigate further.

Thanks for reading and please feel free to leave a comment or message me on twitter (@lukaswinn) if you found this article useful.

–Lukas

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Powered by WordPress.com.

Up ↑

%d bloggers like this: