VMware Tanzu Application Service for VMs


I seem to be getting a failed job error (canary) with mysql_monitor when I run PAS. Digging into the logs reveals that it is an x509 error; currently I'm using an internal CA to sign the certs. Has anyone encountered this issue before?

SENAI TEKLEMEMICHAEL posted Feb 11, 2020 08:09 PM

/var/vcap/data/compile/replication-canary/src/replication-canary/vendor/code.cloudfoundry.org/lager/logger.go:152 +0x48b
main.main()
/var/vcap/data/compile/replication-canary/src/replication-canary/main.go:99 +0x1937
panic: Post https://uaa.sys.<redacted>.net/oauth/token: x509: certificate signed by unknown authority

Daniel Mikusa

Did you add the root CA that signed your cert to the Ops Manager -> Bosh Tile -> Security -> Trusted Certs box?
If you add that root CA cert to the above location, Bosh will deploy it to all VMs & containers, which allows apps and processes running there to trust the certs that you have deployed to the foundation.
Aside from that, you can check the box under PAS -> Networking to ignore SSL certificate validation, but that's strongly discouraged as it's insecure.
Hope that helps!

Daniel Mikusa

OK, that's good.
You would then need to add the cert + any intermediate CA certs + the private key on the PAS -> Networking tab where you configure the certs for Gorouter. If you have the root CA cert as trusted on all VMs, and the cert + intermediate CA certs configured on Gorouter, that should be sufficient for any client connecting from one of the VMs to trust your certificates.
See step #3 here -> https://docs.pivotal.io/platform/application-service/2-8/operating/configure-pas.html#networking
A couple of notes:

1. The cert and intermediate CA certs all go in the same box. You'll want to put the cert first followed by any intermediate CA certs.

2. You may also need to put the cert and intermediate CA cert onto your load balancer. This depends on how you're terminating TLS. If it's first terminated on your load balancer (i.e. you're doing Layer7/HTTP load balancing) then you need the cert + intermediate CA certs deployed there as well. If you're using Layer4/TCP load balancing then termination happens first on the Gorouter and you don't need the certs to be on your load balancer.
Hope that helps!

SENAI TEKLEMEMICHAEL

Yes, I actually did add the cert to Bosh and ticked the option to add it to all VMs. Do I need to add the full-chain cert as well?

SENAI TEKLEMEMICHAEL

Okay, thank you, I'll try that.