Enabling TLS on MySQL for VMware Tanzu tile causes error when applying changes

Article ID: 297987

Updated On:

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

When TLS is enabled on the MySQL for VMware Tanzu tile, Apply Changes fails. The broker.stdout.log for the MySQL for VMware Tanzu tile reports a bad certificate and that it is unable to find an available leader. An example of the error message is shown below.
 
[on-demand-service-broker] [5ceb0b7-c6e-4ea-ae1c-925ba5638d] 2019/11/07 12:43:04.812800 external service adapter exited with 1 at /var/vcap/packages/odb-service-adapter/bin/service-adapter: stdout: 'Could not find an available leader from [https://162.67.112.19:8443]', stderr: '[odb-sdk] handling create-binding
[dedicated-mysql-adapter] 2019/11/07 12:43:04 Couldn't get read only information about URL https://162.67.112.19:8443, error: &errors.errorString{s:"GET https://162.67.112.19:8443/status failed: Get https://162.67.112.19:8443/status: remote error: tls: bad certificate"}
[odb-sdk] Could not find an available leader from [https://162.67.112.19:8443]
'
[on-demand-service-broker] [5ceb0b7-c6e-4ea-ae1c-925ba5638d] 2019/11/07 12:43:04.812825 creating binding: Could not find an available leader from [https://162.67.112.19:8443]


Environment

Product Version: 2.6

Resolution

The cause is that no Application Security Group (ASG) is set up for the MySQL for VMware Tanzu deployment. You can check this by running:
cf security-groups
If you don't see an entry for p.mysql, then there is no ASG set up for the deployment.

To create an ASG, follow these steps:
  1. Obtain the CIDR that will be used for your ASGs. This is listed in the BOSH Director tile, under the Create Networks tab. There you will find a Service Network. Make a note of the CIDR for the Service Network; you will use it in the next step.
  2. Create a file called mysql-asg.json with the following information. The CIDR is from step one.
    • [ { "protocol": "tcp", "destination": "CIDR", "ports": "3306" } ]
  3. Use the CF CLI and the newly created JSON file to create an ASG called p.mysql:
    • cf create-security-group p.mysql ./mysql-asg.json
  4. Then you will need to bind the ASG to the appropriate space or, to give all apps access, bind to the default-running ASG Set. 
    • cf bind-running-security-group p.mysql
After completing these steps, run cf security-groups again. You should see output similar to the one below.
     name                     organization   space   lifecycle
#0   default_security_group   <all>          <all>   running
     default_security_group   <all>          <all>   staging
#1   p.mysql                  <all>          <all>   running
#2   sql_open                 system         nfs     running
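
The check, create, bind and verify sequence above as one script. This is an added example, not part of the original article: the function names are hypothetical, the CIDR in the usage comment is constructed, and the parser assumes cf security-groups prints the table layout shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the cf CLI.

# Accept only an IPv4 CIDR with prefix 1-32. This rejects the unedited "CIDR"
# placeholder and /0, which would open port 3306 to every destination.
valid_cidr() {
  printf '%s\n' "$1" | awk -F'[./]' '
    !/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { exit 1 }
    { for (i = 1; i <= 4; i++) if ($i > 255) exit 1
      exit (($5 >= 1 && $5 <= 32) ? 0 : 1) }'
}

# Write the single-rule ASG file from step 2: $1 = CIDR, $2 = output path.
write_asg() {
  valid_cidr "$1" || { echo "invalid Service Network CIDR: $1" >&2; return 1; }
  printf '[ { "protocol": "tcp", "destination": "%s", "ports": "3306" } ]\n' "$1" > "$2"
}

# Read `cf security-groups` output on stdin; succeed if group $1 has a row with
# lifecycle "running". Rows start with "#N" only for a group's first binding.
asg_is_running() {
  awk -v want="$1" '
    { name = ($1 ~ /^#[0-9]+$/) ? $2 : $1 }
    name == want && $NF == "running" { found = 1 }
    END { exit (found ? 0 : 1) }'
}

# Steps 2-4 plus the before/after check. $1 = Service Network CIDR.
ensure_mysql_asg() {
  if cf security-groups | asg_is_running p.mysql; then
    echo "p.mysql is already bound to the running set"; return 0
  fi
  write_asg "$1" ./mysql-asg.json &&
    cf create-security-group p.mysql ./mysql-asg.json &&
    cf bind-running-security-group p.mysql &&
    cf security-groups | asg_is_running p.mysql
}

# Usage (constructed CIDR): sh ensure-mysql-asg.sh 10.0.8.0/24
if [ "$#" -eq 1 ] && command -v cf >/dev/null 2>&1; then
  ensure_mysql_asg "$1"
fi
```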