
All gateways, including the PDPs, are in Unregistered state.


Article ID: 237308


Updated On:

Products

Web Isolation

Issue/Introduction

Unable to register the Gateways/PDPs:

Environment

Release: 1.14.50

Resolution

Debugging the reported issue showed that the apparent cause of the "Unregistered" state of all the gateways, including the PDP and the management, was the expired certificate. To validate this, perform the technical tasks below.

  1. For GW / management:

    1. Connect to each problematic GW.

    2. Search for the “async_services_storage” folder.

    3. Execute openssl x509 -enddate -noout -in <path_to_async_services_storage>/ca_certificate.pem

    4. Execute openssl x509 -enddate -noout -in <path_to_async_services_storage>/async_services_cert.pem

    5. Check the validity of the output. On all the gateways, it was confirmed that the certificate had expired on February 08, 2022.

  2. For PDP:

    1. Connect to each problematic PDP gateway.

    2. Search for the “pdp_storage” folder.

    3. Execute openssl x509 -enddate -noout -in <path_to_pdp_storage>/ca_certificate.pem

    4. Execute openssl x509 -enddate -noout -in <path_to_pdp_storage>/pdp_cert.pem

    5. Check the validity of the output. On all the PDPs, it was confirmed that the certificate had expired on February 08, 2022.

  3. Next, the R&D patch was deployed and executed successfully on all the GWs/PDPs, one after the other. It was executed first on the management, and then on the other GWs/PDPs.
  4. With the patch already executed on the PDPs/GWs, the gateways were re-created/defined on the management one after the other and successfully registered from scratch, which resolved the issue.

Note that the patch is temporary and does not survive an upgrade! It is preferable to perform the manual certificate renewal process (Manual - certificate renewal), but if the environment is already down, or the customer has a 1.13 version, proceed with the TEMPORARY patch, which has to be provided by R&D. This implementation will require about 15 minutes per gateway, with one minute of downtime per gateway for the restart of the containers.

Also note that certificate expiration by itself would not change the state of all the GWs to "Unregistered". To investigate and identify the events that led to the "Unregistered" state of the GWs, and to help prevent a future occurrence, the requisite log files within the /var/log/fireglass.log directory from all the affected GWs/PDPs would be required.
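
The certificate checks from steps 1 and 2 above, as an added example that is not part of the original article or the vendor's tooling: a POSIX shell script that runs the same openssl x509 check on the certificate files named above in one storage folder, and also flags certificates that expire within a warning window. The function names, the status words and the 30-day default window are assumptions of this example.

```shell
#!/bin/sh
# Added example, not vendor tooling. Function names, status words and the
# 30-day default warning window are assumptions of this example.

# cert_status FILE [WARN_DAYS]
# Prints one of: MISSING, UNREADABLE, EXPIRED, EXPIRING, OK.
cert_status() (
    file=$1
    warn_days=${2:-30}
    [ -f "$file" ] || { echo MISSING; exit 0; }
    # A file openssl cannot parse as X.509 is reported, not silently skipped.
    openssl x509 -noout -in "$file" >/dev/null 2>&1 || { echo UNREADABLE; exit 0; }
    # -checkend N exits non-zero when notAfter falls within the next N seconds.
    if ! openssl x509 -noout -checkend 0 -in "$file" >/dev/null 2>&1; then
        echo EXPIRED
    elif ! openssl x509 -noout -checkend "$((warn_days * 86400))" -in "$file" >/dev/null 2>&1; then
        echo EXPIRING
    else
        echo OK
    fi
)

# check_storage DIR [WARN_DAYS]
# Checks the certificate files named in the article that exist in DIR and
# returns 1 if any of them is EXPIRED or UNREADABLE.
check_storage() (
    dir=$1
    rc=0
    for name in ca_certificate.pem async_services_cert.pem pdp_cert.pem; do
        [ -e "$dir/$name" ] || continue
        status=$(cert_status "$dir/$name" "${2:-30}")
        # Same command as in the article; prints notAfter=<date>.
        end=$(openssl x509 -enddate -noout -in "$dir/$name" 2>/dev/null) || end="notAfter=unknown"
        printf '%-10s %s %s\n' "$status" "$dir/$name" "$end"
        case $status in EXPIRED|UNREADABLE) rc=1 ;; esac
    done
    exit "$rc"
)

# Usage: sh check_certs.sh <path_to_storage_folder> [warn_days]
if [ "$#" -gt 0 ]; then
    check_storage "$@"
fi
```

Run it on each GW against the “async_services_storage” folder and on each PDP against the “pdp_storage” folder; a non-zero exit status means at least one certificate is expired or unreadable.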