vRealize Log Insight Agents don't handle expired Windows CA root certificates correctly

Article ID: 315927

Products

VMware Aria Suite

Issue/Introduction

This article provides steps that help the vRealize Log Insight agent handle expired Windows CA root certificates correctly.

Symptoms:
  • When both an expired certificate and a valid certificate for the same CA are present in Trusted Root Certification Authorities on the Windows client machine, the vRealize Log Insight Agent cannot distinguish between them and may select the expired one. If the agent uses the expired certificate, communication between the agent and the server breaks.
  • On the Windows client machine, in C:\ProgramData\VMware\Log Insight Agent\log\liagent_<date>.log, you see errors similar to the following:
2021-08-11 18:33:56.404452 0x00001a28 <trace> CFApiTransport:128 | Re-connecting to server syslog.domain.local:9543
2021-08-11 18:33:56.435707 0x00001a28 <warng> SSLVerifyContex:165| Certificate pre-verify error = 10 while trying connect to 'syslog.domain.local'. certificate has expired
2021-08-11 18:33:56.435707 0x00001a28 <error> CurlConnection:723 | Transport error while trying to connect to 'syslog.domain.local': SSL peer certificate or SSH remote key was not OK
2021-08-11 18:33:56.435707 0x00001a28 <trace> CFApiTransport:108 | Postponing connection to syslog.domain.local:9543 by 247 sec.
2021-08-11 18:38:15.165892 0x00001a28 <trace> CFApiTransport:128 | Re-connecting to server syslog.domain.local:9543
2021-08-11 18:38:15.197138 0x00001a28 <warng> SSLVerifyContex:165| Certificate pre-verify error = 10 while trying connect to 'syslog.domain.local'. certificate has expired
2021-08-11 18:38:15.197138 0x00001a28 <error> CurlConnection:723 | Transport error while trying to connect to 'syslog.domain.local': SSL peer certificate or SSH remote key was not OK

Note: The preceding log excerpts are only examples. Date, time, and environmental variables will vary depending on your environment.

Environment

VMware vRealize Log Insight 8.x

Resolution

This is a known issue affecting vRealize Log Insight 8.x. There is no resolution at this time. Please subscribe to this article to be informed when updates are published.

Workaround:
To work around this issue, use either of the following two options:

Option 1:
Set ssl_accept_any=yes and ssl_accept_any_trusted=yes. This enables the Log Insight Agent to trust the server certificate even when the expired root CA is selected.

Option 2:
Create a separate truststore containing only the valid root CA, and point the Log Insight Agent to it using the ssl_ca_path property.
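Option 2 keeps certificate verification enabled (Option 1 relaxes it), so it is the one worth scripting. The following PowerShell is an added example, not VMware's code: it reads the Windows LocalMachine Root store, discards the expired copy of the root CA, writes the currently valid copy to a PEM file, and shows the ssl_ca_path line to set. The CA subject match string, the output file name and the liagent.ini location are assumptions for your environment.

```powershell
# Added example (not VMware's code): build a single-CA PEM truststore for the Log Insight Agent
# from the Windows LocalMachine Root store, keeping only the root that is valid right now.
$CaSubjectMatch = 'CN=Corp-Root-CA'   # ASSUMED: a substring of your root CA's Subject
$TrustStore     = 'C:\ProgramData\VMware\Log Insight Agent\liagent-ca.pem'   # ASSUMED output path
$Now = Get-Date

# Every root with this subject, valid and expired alike, exactly as the agent would see them.
$roots = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$CaSubjectMatch*" }

$valid   = @($roots | Where-Object { $_.NotBefore -le $Now -and $_.NotAfter -gt $Now })
$expired = @($roots | Where-Object { $_.NotAfter -le $Now })

foreach ($c in $expired) {
    Write-Warning ("Skipping expired root {0} (NotAfter {1:u})" -f $c.Thumbprint, $c.NotAfter)
}
if ($valid.Count -eq 0) {
    throw "No currently valid root CA matching '$CaSubjectMatch' found in Cert:\LocalMachine\Root."
}

# Emit the valid root(s) as PEM with 64-character Base64 lines (the usual PEM layout).
$pem = foreach ($c in $valid) {
    $b64 = [Convert]::ToBase64String($c.RawData)
    '-----BEGIN CERTIFICATE-----'
    for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    '-----END CERTIFICATE-----'
}
Set-Content -Path $TrustStore -Value $pem -Encoding ascii

Write-Host "Wrote $($valid.Count) valid root certificate(s) to $TrustStore"
Write-Host "Now set, in the [server] section of liagent.ini (ASSUMED location: C:\ProgramData\VMware\Log Insight Agent\liagent.ini):"
Write-Host "  ssl_ca_path=$TrustStore"
Write-Host "Then restart the Log Insight Agent service and confirm that 'pre-verify error = 10' no longer appears in liagent_<date>.log."
```

Because the file contains only the valid root, the agent has no expired candidate to pick, and verification of the server certificate stays enforced.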

All options are described in detail at https://docs.vmware.com/en/vRealize-Log-Insight/8.4/com.vmware.log-insight.administration.doc/GUID-D0727922-91E8-4352-B909-7595254620C5.html