After upgrading to PCF 2.3, PAS errands are failing when setting the CF API with: 525 SSL Handshake Failed


Article ID: 297586


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Symptoms:
After upgrading to PCF v2.3 from an earlier version, the PAS errands fail with an error message similar to the following:

    Setting api endpoint to https://api.<SYS-DOMAIN>...
    Unexpected Response
    Response code: 525
    CC code:       0
    CC error code:
    Description:   525 SSL Handshake Failed

    FAILED

The GoRouter log at /var/vcap/sys/log/gorouter/gorouter.err.log contains many entries with the following error:

    http: proxy error: remote error: tls: handshake failure


Cause

As of PCF v2.3, the connection between GoRouter and the Cloud Controller (CC) is encrypted with TLS.

This connection uses the default PCF cipher suites, so the handshake fails when GoRouter is not configured with them.

For more information, refer to TLS Connections in PCF documentation.

Resolution

GoRouter needs to have the following cipher suites configured:
• ECDHE-RSA-AES128-GCM-SHA256
• ECDHE-RSA-AES256-GCM-SHA384

The cipher suites that GoRouter uses for its TLS handshakes are configurable. Add the two suites above in Ops Manager > PAS Tile > Networking > TLS Cipher Suites for Router.

Once those cipher suites are configured for GoRouter's TLS handshakes, the PAS Tile errands will complete successfully.
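
The two checks described above can be scripted: confirm that a router cipher list contains both required suites, and count the handshake-failure entries in gorouter.err.log. This is an added example, not part of the original article or of PCF; the function names are hypothetical, the colon-separated list format is an assumption, and the sample log lines are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: offline checks for the
# GoRouter cipher mismatch described above. Function names are hypothetical.

# The two suites the article says GoRouter must have configured.
REQUIRED_SUITES="ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384"

# missing_suites "<cipher list>"
# Prints each required suite absent from the list, one per line.
# Assumption: the list is colon-separated; commas and whitespace also split.
missing_suites() {
  local configured suite
  # Normalise separators to newlines and drop empty entries.
  configured=$(printf '%s' "$1" | tr -s ':, \t' '\n\n\n\n' | sed '/^$/d')
  for suite in $REQUIRED_SUITES; do
    # -x matches whole lines only, so a similar suite name never counts.
    printf '%s\n' "$configured" | grep -qxF -- "$suite" || printf '%s\n' "$suite"
  done
}

# count_handshake_failures <log file>
# Counts log entries carrying the error quoted in the article.
count_handshake_failures() {
  # grep -c exits 1 on zero matches; keep the function's status at 0.
  grep -cF 'http: proxy error: remote error: tls: handshake failure' "$1" || true
}

# Demo on constructed data (not from a real deployment).
demo() {
  local log
  log=$(mktemp)
  printf '%s\n' \
    '2018/10/01 12:00:01 http: proxy error: remote error: tls: handshake failure' \
    '2018/10/01 12:00:02 http: proxy error: remote error: tls: handshake failure' \
    '2018/10/01 12:00:03 http: proxy error: context canceled' > "$log"
  echo "handshake failures in log: $(count_handshake_failures "$log")"
  echo "required suites missing from the constructed router list:"
  missing_suites "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
  rm -f "$log"
}

# Run the demo only when asked: ./check.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a GoRouter VM, pass /var/vcap/sys/log/gorouter/gorouter.err.log to count_handshake_failures and the value entered in the TLS Cipher Suites for Router field to missing_suites; empty output from missing_suites means both required suites are present.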