Network Insight (SaaS only) Collector VM fails to connect to the Service with Certificate Exception

Article ID: 327250


Products

VMware Aria Operations for Networks

Issue/Introduction

This article provides steps to install a patch that fixes this issue.

Symptoms:
Network Insight (SaaS only) Collector VM fails to connect to the Service with Certificate Exception.

To identify this issue, use any of the following options:
A. Through the NI UI landing page, using the bell icon at the top right
B. Through the Settings > Install and Support page
C. Through the CLI:
1. Log in as 'consoleuser'.
2. Run the log-trace follow nginx command.
3. The command should show messages similar to the following:
2019/06/26 06:37:39 [error] 26647#26647: *4127 upstream SSL certificate verify error: (10:certificate has expired) while SSL handshaking to upstream, client: 127.0.0.1, server: , request: "POST /saastocollectordatalinkservlet HTTP/1.1", upstream: "https://52.36.255.114:443/saassaastocollectordatalinkservlet", host: "localhost:9090"

2019/06/26 06:37:39 [error] 26647#26647: *4131 upstream SSL certificate verify error: (10:certificate has expired) while SSL handshaking to upstream, client: 127.0.0.1, server: , request: "POST /saastocollectorservlet HTTP/1.1", upstream: "https://35.164.132.248:443/saassaastocollectorservlet", host: "localhost:9090"

"2019-06-26T15:17:21+00:00", "remote_addr": "127.0.0.1", "request": "POST /collectortosaasservlet HTTP/1.1", "request_length(bytes)": "218053", "request_time(s)": "0.010", "bytes_sent": "316", "body_bytes_sent": "166", "upstream_response_time(s)": "0.004, 0.004", "status": "502", "http_referrer": "-", "http_user_agent": "Java/THttpClient", "http_x_forwarded_for": "-", "http_x_originating_url": "-", "gzip_ratio": "-"}

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
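
The CLI check above can also be done offline against saved nginx error-log text. The following is an added example, not part of the original article: it finds the upstream certificate verify failures and groups them by upstream endpoint and verify code. The function names and the sample log lines (which use documentation IP addresses) are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the nginx error-log format shown above
# (documentation IP addresses, not real service endpoints).
SAMPLE_LOG = """\
2019/06/26 06:37:39 [error] 26647#26647: *4127 upstream SSL certificate verify error: (10:certificate has expired) while SSL handshaking to upstream, client: 127.0.0.1, server: , request: "POST /saastocollectordatalinkservlet HTTP/1.1", upstream: "https://192.0.2.10:443/saassaastocollectordatalinkservlet", host: "localhost:9090"
2019/06/26 06:37:41 [error] 26647#26647: *4131 upstream SSL certificate verify error: (10:certificate has expired) while SSL handshaking to upstream, client: 127.0.0.1, server: , request: "POST /saastocollectorservlet HTTP/1.1", upstream: "https://192.0.2.11:443/saassaastocollectorservlet", host: "localhost:9090"
2019/06/26 06:38:02 [error] 26647#26647: *4140 connect() failed (111: Connection refused) while connecting to upstream, client: 127.0.0.1, server: , request: "POST /saastocollectorservlet HTTP/1.1", upstream: "https://192.0.2.11:443/saassaastocollectorservlet", host: "localhost:9090"
2019/06/26 06:39:39 [error] 26647#26647: *4152 upstream SSL certificate verify error: (10:certificate has expired) while SSL handshaking to upstream, client: 127.0.0.1, server: , request: "POST /saastocollectordatalinkservlet HTTP/1.1", upstream: "https://192.0.2.10:443/saassaastocollectordatalinkservlet", host: "localhost:9090"
"""

# Captures timestamp, OpenSSL verify code and reason, and the upstream host:port.
VERIFY_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] .*?'
    r'upstream SSL certificate verify error: \((?P<code>\d+):(?P<reason>[^)]*)\)'
    r'.*?upstream: "https?://(?P<upstream>[^/"]+)'
)

def summarize_verify_errors(log_text):
    """Group certificate verify failures by (upstream, verify code)."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None, "reason": ""})
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue  # other upstream errors (refused, timeout) are a different problem
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        entry = summary[(m["upstream"], int(m["code"]))]
        entry["count"] += 1
        entry["reason"] = m["reason"]
        entry["first"] = min(entry["first"] or ts, ts)
        entry["last"] = max(entry["last"] or ts, ts)
    return dict(summary)

def matches_article(summary):
    """True when any failure is verify code 10 (certificate has expired), as shown in this article."""
    return any(code == 10 for (_, code) in summary)

if __name__ == "__main__":
    for (upstream, code), e in sorted(summarize_verify_errors(SAMPLE_LOG).items()):
        print(f"{upstream} verify={code} ({e['reason']}) x{e['count']} {e['first']} .. {e['last']}")
```
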


Resolution

  • This is applicable only to SaaS customers.
  • Apply this patch only on the Collector VM.
  • This issue will be fixed in upcoming releases of vRealize Network Insight.
  • A patch that fixes the issue is available for download.
Download link

To apply the patch:

Log in to the Network Insight Collector CLI using 'consoleuser' and run these commands:

To upload the bundle via URL (setups with no HTTP/Web-Proxy configured):


To upload the bundle via SCP:
Use WinSCP to copy the bundle to the NI Collector:
1. Start WinSCP.
2. Change the protocol to SCP.
3. Connect to platform with 'consoleuser' and the relevant credentials.
4. Drag and drop the file into the 'consoleuser' home directory.

 
To upload the bundle via SCP (from remote host where you copied the file):
(cli) tool-manager copy scp --host ip_of_server_where_the_file_is_located --user user_to_access_server --path path_to_file_on_the_server/vRealizeNetworkInsight-4.1.0-P3-201906251030.bundle
 
After the upload, apply the patch with:
(cli) tool-manager run --name vRealizeNetworkInsight-4.1.0-P3-201906251030.bundle

You see output similar to:
(cli) tool-manager run --name vRealizeNetworkInsight-4.1.0-P3-201906251030.bundle
Verifying and unpacking bundle
Unpacked bundle
Verified tool compliant


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Run: vRealizeNetworkInsight-4.1.0-P3-201906251030                                                +
+ Description: Update CA Chain used for client side server certificate validation                  +
+ Execution time: 2 minute                                                                         +

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Go ahead with run?  (y/n) [Default y]: 
Running...
Tool run completed
(cli) 

 
To verify the patch installation, run the following command:
(cli) show-version
4.1.0.1561043128
4.1.0-P3-201906251030
 
NOTE: Once the patch has been applied, you will need to wait a minimum of 20 minutes for the errors in the UI to clear. If they do not clear, please contact support.