Deploying Spring Cloud Services Broker Fails with UAAC Target Error

Article ID: 297141


Products

Support Only for Spring

Issue/Introduction

Symptoms:

Running the deploy-service-broker errand in the Spring Cloud Services tile results in the following error:

uaac target https://uaa.system.domain 
failed to access https://uaa.system.domain: Invalid SSL Cert for https://uaa.system.domain/login. 
Use '--skip-ssl-validation' to continue with an insecure target 
deploy-service-broker failed: exit status 1

Environment


Cause

This issue occurs when an operator installs a privately signed certificate on their load balancer or HAProxy instance. The operator has also installed the root certificate authority chain into the "Trusted Certificates" field of the Director tile. Spring Cloud Services 1.4 uses UAAC during the broker deployment, and UAAC is not able to find the private certificate authority and therefore cannot trust the SSL certificate.

UAAC version 3.8 moved from "net/http" to "httpclient", which sources the "$RUBY_INSTALL_PATH/gems/2.3.0/gems/httpclient-2.7.1/lib/httpclient/cacert.pem" certificate store and fails to find the OS-installed certificates. Prior versions of UAAC do not have this problem. Httpclient will attempt to find the OS-installed certificate store using the following path, which does not exist in the Ubuntu stemcell:

:~$ ruby -e "require 'openssl'; puts OpenSSL::X509::DEFAULT_CERT_FILE"
/usr/lib/ssl/cert.pem
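
The trust failure described above, reproduced offline as an added example (not part of the original article and not UAAC or httpclient code): a certificate for uaa.system.domain issued by a private CA is verified against a store that holds only an unrelated bundled CA, then against a store that also holds the private CA. The CA names and all keys are constructed for the example; default_trust_paths reports whether OpenSSL's compiled-in default trust locations exist on the host where it runs.

```ruby
require 'openssl'

# Issue a certificate; with no issuer it is a self-signed CA (all values constructed).
def make_cert(cn, key, issuer = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify the leaf against a store that trusts only the given CA certificates.
def verify_with(leaf, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ok = store.verify(leaf)
  { ok: ok, error: store.error_string }
end

# Report whether OpenSSL's default trust file and directory exist on this host.
def default_trust_paths
  { OpenSSL::X509::DEFAULT_CERT_FILE => File.file?(OpenSSL::X509::DEFAULT_CERT_FILE),
    OpenSSL::X509::DEFAULT_CERT_DIR => File.directory?(OpenSSL::X509::DEFAULT_CERT_DIR) }
end

# Stand-ins: bundled_ca plays the gem's cacert.pem, private_ca the operator's CA.
def demo
  keys = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  private_ca = make_cert('Example Private CA', keys[0])
  bundled_ca = make_cert('Example Bundled Public CA', keys[1])
  leaf = make_cert('uaa.system.domain', keys[2], private_ca, keys[0])
  { bundled_only: verify_with(leaf, [bundled_ca]),
    with_private_ca: verify_with(leaf, [bundled_ca, private_ca]) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, result| puts "#{name}: #{result}" }
  default_trust_paths.each { |path, present| puts "#{path} present: #{present}" }
end
```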
 

Resolution

A future release of UAAC will have a fix for this issue. Spring Cloud Services downgraded UAAC version to 3.4.0 in SCS version 1.4.1. Upgrading to version 1.4.1 of SCS will allow the upgrade to succeed. 

Workaround 1

Disable SSL cert verification for the entire environment

Go to Elastic Runtime Tile -> Networking and check the box for "Disable SSL certificate verification for this environment."

Workaround 2 

Disable SSL cert verification only for SCS tile

  1. Modify the Spring Cloud services manifest in "/var/tempest/workspaces/default/deployments/p-spring-cloud-services-<hash>.yml" and set all occurrences of skip_cert_verify to true
    skip_cert_verify: true
    
  2. Make sure to set the BOSH deployment to the modified SCS manifest
    bosh deployment /var/tempest/workspaces/default/deployments/p-spring-cloud-services-<hash>.yml
    
  3. Run the deployment
    bosh deploy
    
  4. Run the deploy broker errand
    bosh run errand deploy-service-broker
    
  5. From the Operations Manager web interface, disable the "deploy-service-broker" errand in the SCS tile. If the errand is executed from Operations Manager, it will revert the changes and fail to run.

This issue has been fixed with SCS 1.4.1.