
Control Plane VM unable to validate NSX-ALB Certificate

When deploying a TKG Supervisor cluster, you may find that the control plane VM fails to validate the load balancer certificate, with the following error:

Configured Load Balancer fronting the kubernetes API Server
Configuration error (since 1/19/2024, 3:55:22 AM)
The control plane VM 423c38e2c66a868e11a610ef7117880a was unable to validate the load balancer's (Avi - https://192.168.78.222:443/login) certificate. The certificate is invalid.



This can be frustrating, as the certificate check occurs very late in the deployment process. In most cases the issue is caused by a certificate configuration error: NSX-ALB has not been configured to use the custom controller certificate that you created.



To fix the issue, you must update NSX-ALB's access settings to use the new controller certificate.


Unfortunately, while vCenter cloud accounts are configured, NSX-ALB will not let you change the certificate. Before you proceed, you must temporarily convert the existing cloud account to "No Orchestrator" or delete it.


You will be warned about the impact of this change. Click YES, Continue.




Once the cloud accounts are converted to No Orchestrator, you can use the following procedure to configure NSX-ALB to use the custom-generated controller certificate.

If you have not already created a controller certificate, read the "Generating a custom Controller Certificate for NSX-ALB" section of this blog.
Configure NSX-ALB to use a custom controller certificate

[1] Login to NSX-ALB - https://fqdn-of-nsx-alb

[2] Navigate to Administration | System Settings and Edit the settings.

[3] On the Edit System Settings page, go to Access and scroll down to locate SSL/TLS Certificate. Remove the default certificate entries and select just the custom controller certificate that you created.


[4] Save the settings and reload the NSX-ALB management web page. It may be necessary to close the browser and clear the cache before the next step.


[5] Access the NSX-ALB URL again and check if it has picked up the custom controller certificate.



[6] Now log back into NSX-ALB, navigate to Infrastructure | Cloud, and edit the vCenter cloud account entries to reconfigure them, or simply recreate them.


 

Generating a custom Controller Certificate for NSX-ALB


The following is a sample procedure to generate a custom controller certificate for NSX-ALB for use with vSphere TKG:


[1] Login to NSX-ALB - https://fqdn-of-nsx-alb

[2] Navigate to Templates | Security | SSL/TLS Certificates

[3] Click CREATE and choose Controller Certificate.


[4] On the New Certificate (SSL/TLS) page, supply the necessary details. However, ensure that you add two Subject Alternative Names (SANs): one for the IP address of the NSX-ALB controller and the other for its FQDN. Click SAVE to create the certificate.



[5] You should now see the new controller certificate listed under SSL/TLS Certificates.

[6] Now, configure NSX-ALB's access setting to use the new certificate.

For instructions, refer to the "Configure NSX-ALB to use a custom controller certificate" section of this blog.
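Two steps above deserve a check from the command line rather than from the browser: step [5] of the configure procedure ("check if it has picked up the custom controller certificate") and step [4] of the generation procedure (the certificate must carry both an IP SAN and a DNS SAN). The error message at the top of the post shows the Supervisor reaching Avi by IP address (https://192.168.78.222:443), which is consistent with the post's insistence on the IP SAN. The script below is an added example, not code from the original post or from VMware/Avi. It assumes openssl 1.1.1 or newer is in PATH (for the -addext option), nsx-alb.example.com is a placeholder FQDN, and the IP address is the one from the post's error message. It inspects the certificate the controller actually serves, which is what the control plane VM validates, and verifies the SAN entries on constructed sample certificates so it runs without network access.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes: openssl 1.1.1+ in PATH
# (the "-addext" option); nsx-alb.example.com is a placeholder FQDN; the IP is the
# one shown in the post's error message.
set -eu

# Print the PEM certificate actually served by <host>:<port>. This is what the
# Supervisor control plane VM validates, so this (not merely the object listed
# under Templates | Security | SSL/TLS Certificates) must carry the SANs.
fetch_served_cert() {
  host="$1"; port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "${host}" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM
}

# Return 0 when the PEM file carries a DNS SAN for <fqdn> and an IP SAN for <ip>;
# otherwise report which entry is missing on stderr and return 1.
cert_has_expected_sans() {
  pem="$1"; fqdn="$2"; ip="$3"
  # The SAN line in "openssl x509 -text" output looks like:
  #   DNS:nsx-alb.example.com, IP Address:192.168.78.222
  # A trailing comma is appended so each entry is matched as a whole token.
  sans="$(openssl x509 -in "$pem" -noout -text \
          | awk '/Subject Alternative Name/ { getline; print; exit }'),"
  rc=0
  case "$sans" in
    *"DNS:${fqdn},"*) ;;
    *) echo "${pem}: missing DNS SAN ${fqdn}" >&2; rc=1 ;;
  esac
  case "$sans" in
    *"IP Address:${ip},"*) ;;
    *) echo "${pem}: missing IP SAN ${ip}" >&2; rc=1 ;;
  esac
  return "$rc"
}

# Self-signed sample certificate (constructed test data, not a real controller
# certificate). With a third argument it gets the two SANs the post asks for;
# without one it gets no SAN extension at all, like a certificate built from
# the Common Name only.
make_sample_cert() {
  out="$1"; fqdn="$2"; ip="${3:-}"
  set -- -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=${fqdn}" \
         -keyout "${out}.key" -out "$out"
  [ -n "$ip" ] && set -- "$@" -addext "subjectAltName=DNS:${fqdn},IP:${ip}"
  openssl req "$@" >/dev/null 2>&1
}

# Demonstration on constructed certificates; no network needed.
tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT
ALB_FQDN="nsx-alb.example.com"   # placeholder FQDN
ALB_IP="192.168.78.222"          # IP from the post's error message
make_sample_cert "$tmp/good.pem" "$ALB_FQDN" "$ALB_IP"
make_sample_cert "$tmp/bad.pem"  "$ALB_FQDN"
cert_has_expected_sans "$tmp/good.pem" "$ALB_FQDN" "$ALB_IP" && echo "good.pem: SANs OK"
cert_has_expected_sans "$tmp/bad.pem"  "$ALB_FQDN" "$ALB_IP" || echo "bad.pem: rejected, as expected"
```

Against a live controller, run it after step [4] of the configure procedure: `fetch_served_cert nsx-alb.example.com > served.pem && cert_has_expected_sans served.pem nsx-alb.example.com 192.168.78.222`. Because this asks the controller directly over TLS, it is not affected by a stale browser cache, so if it still shows the old certificate the access settings were not saved. The check covers only the SAN entries; whether the Supervisor trusts the certificate's issuer is a separate question that this post does not address.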
