RabbitMQ on-demand service instance fails with "526 Invalid SSL Certificate" connecting to the dashboard

Article ID: 293155


Products

VMware RabbitMQ

Issue/Introduction

After TLS is enabled for the RabbitMQ on-demand service, a service instance is created, and the instance is bound to an application, connecting to the RabbitMQ Management UI dashboard fails with the following error:
 
526 Invalid SSL Certificate

Background:

When TLS is enabled, the Tanzu RabbitMQ server is provisioned with a certificate. With this certificate, apps and clients can establish an encrypted connection with the service. Through BOSH CredHub, Ops Manager generates the server certificate using a Certificate Authority (CA) certificate. If you do not want to use the generated CA certificate, you can provide your own CA certificate and add it through the CredHub CLI. Apps and clients use this CA certificate to check that the server certificate is trustworthy. A trustworthy server certificate allows apps and clients to communicate securely with the Tanzu RabbitMQ server.

Resolution

Based on the status code mapping in the Gorouter Error Classification Table, status code 526 corresponds to the error type "UntrustedCert".

The error is seen in scenarios such as the following:
  • The TLS certificate is not valid
  • The TLS certificate has expired
  • The “/services/tls_ca” certificate does not exist in the BOSH director's security -> trusted certs tab
  • Apply Changes was not run after the certificate rotation
  • The Preparing for TLS steps for VMware Tanzu RabbitMQ for VMs were not completed successfully

To resolve the issue, validate the following:
  • Check that the certificate is valid and has not expired
  • Verify that the “/services/tls_ca” certificate uploaded to CredHub in the BOSH director is the same as the TLS CA certificate in the directory /var/vcap/jobs/rabbitmq-server/etc/conf.d/
  • Check that the “/services/tls_ca” certificate exists in the BOSH director's security -> trusted certs tab
  • Verify that Apply Changes has been run on the TAS tile so that the Gorouters can access the new trusted CA
  • Check that the Preparing for TLS steps for VMware Tanzu RabbitMQ for VMs completed successfully
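
The certificate checks in the list above can be scripted with openssl. The following is an added example, not part of the original article or of VMware's tooling: it compares two copies of a CA by fingerprint, checks expiry with a look-ahead window, and confirms the server certificate chains to the CA. All file names are hypothetical, and the certificates are throwaway ones generated inline so the script runs offline; substitute the CA exported from CredHub, the CA file from /var/vcap/jobs/rabbitmq-server/etc/conf.d/, and the server certificate.

```sh
#!/bin/sh
# Added example (not from the KB article). File names below are hypothetical.

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2; }

# True if both PEM files carry the same certificate; an unreadable file never matches.
same_cert() { a=$(cert_fp "$1"); [ -n "$a" ] && [ "$a" = "$(cert_fp "$2")" ]; }

# True if the certificate is still valid $2 seconds from now (default: right now).
not_expired() { openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1; }

# True if certificate $2 verifies against CA file $1 (signature and validity period).
signed_by() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Constructed sample data: a throwaway CA saved twice (standing in for the CredHub
# export and the copy on the RabbitMQ VM), a 1-day server cert it signs, and an unrelated CA.
make_demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-services-ca" \
    -keyout "$d/ca.key" -out "$d/credhub_ca.pem" 2>/dev/null
  cp "$d/credhub_ca.pem" "$d/vm_ca.pem"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=rabbitmq.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/credhub_ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/server.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=unrelated-ca" \
    -keyout "$d/other.key" -out "$d/other_ca.pem" 2>/dev/null
  echo "$d"
}

# Report each check: $1 = CA exported from CredHub, $2 = CA on the VM, $3 = server cert.
report() {
  if same_cert "$1" "$2"; then echo "OK   CA copies match"
  else echo "FAIL CA copies differ"; fi
  if not_expired "$3"; then echo "OK   server cert not expired"
  else echo "FAIL server cert expired"; fi
  if signed_by "$1" "$3"; then echo "OK   server cert chains to CA"
  else echo "FAIL server cert is not signed by this CA"; fi
}

demo=$(make_demo)
report "$demo/credhub_ca.pem" "$demo/vm_ca.pem" "$demo/server.pem"
```

Passing a second argument to `not_expired` (for example 172800 for two days) flags certificates that are still valid now but are due for rotation soon.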

References:
Rotating Certificates
Gorouter Error Classification Table
Preparing for TLS