After following the instructions in the 2 KB articles below, my NAC and NES are failing to connect over 8443/HTTPS.
The problem was found to be caused by a mismatch in SSL Certificates used by the NAC and NES.
After applying 22.214.171.1248, the environment in question experienced a problem with agents becoming unreachable. That problem, a solution and a workaround are described in this KB: Nolio Agents Unreachable After 6.7.0.b398
The workaround was applied to the environment in question. This means that the NES servers are using the old/expired certificates. So, when the NAC (with the new certificate) tries to connect to the NES (which is using the old certificate) via HTTPS/8443, the following error is generated in logs/active_mq_nes.log on the NES:
Release: 6.7
Component: CA RELEASE AUTOMATION ADMINISTRATION
In theory, there are a couple of options to solve this. The first option is considered standard/official. The others should be okay; they just haven't been fully tested/certified.
The options are:
First, no changes should be needed on the NAC for this option. If it has 126.96.36.1998 applied, then it should already have the new certificate in place and in use.
Next, these steps assume that the steps in the "Workaround" section of Nolio Agents Unreachable After 6.7.0.b398 were applied.
To use option the following changes would be needed on the NES that you want to connect to via HTTPS/8443: