Adding a Docker host in the Container service results in SSL error in vRA 7.x
Article ID: 339756

Products

VMware Aria Suite

Issue/Introduction

Symptoms:
  • Adding a Docker host in the Container service results in an SSL error.
  • You see an error similar to:

    Error connecting to https://<remote_host>:<remote_port> : javax.net.ssl.SSLHandshakeException: General SSLEngine problem

    or

    Error connecting to https://<remote_host>:<remote_port> : javax.net.ssl.SSLException: Received fatal alert: bad_certificate


Environment

VMware vRealize Automation 7.2.x
VMware vRealize Automation 7.3.x

Cause

This issue occurs when there is a certificate trust problem with either the server certificate or the client certificate.
The first error (General SSLEngine problem) points to a problem with the server certificate, that is, whether the client can trust it.
The second error (bad_certificate) is related to a problem with the client certificate; this could be a missing Client Authentication extension or some other issue with the certificate itself.

Resolution

This is a known issue affecting vRealize Automation 7.2.x and 7.3.x.

Currently, there is no resolution.

To work around this issue:
  1. Verify in the Admiral/Container service credentials view that the client credential is entered correctly (both the public certificate and the private key in PEM format).
  2. Check the certificate's validity and that the Enhanced Key Usage field contains Client Authentication (1.3.6.1.5.5.7.3.2).
  3. Verify that the CA that signed the client certificate is the same CA configured for the Docker host (the tlscacert Docker option; for more information, see https://docs.docker.com/engine/security/https/).

    Note: You can use openssl or another tool to check certificate extensions and verify that it is a valid client certificate.

  4. Verify trust for the server certificates: that they are valid, not expired, and match your host certificates.
  5. Log in to vRA appliance(s) through SSH or console session and restart the xenon-service by running the command:

    service xenon-service restart
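Steps 1 to 4 above can be checked from a shell with openssl before touching the vRA appliance. The script below is an added example and is not part of the VMware KB article or of the Container service; it assumes openssl is installed, that the client certificate and key are separate PEM files, and that the CA file is the one passed to the Docker daemon as tlscacert. The file names and the make_fixtures helper, which generates a throw-away CA and two constructed client certificates (one with the Client Authentication extension and one without, reproducing the bad_certificate case), are assumptions for demonstration only.

```shell
#!/bin/sh
# Added example, not from the VMware KB: pre-flight checks for a Docker client
# credential before entering it in the Admiral/Container service.
# Assumptions: openssl is on PATH; cert, key and CA are separate PEM files.

# check_client_cert CERT.pem KEY.pem CA.pem
# Returns 0 when the credential should be accepted by a Docker host that uses
# CA.pem as --tlscacert, 1 with a short reason otherwise.
check_client_cert() {
  cert="$1"; key="$2"; ca="$3"

  # Step 1: the public part must be a parseable X.509 certificate in PEM form.
  openssl x509 -in "$cert" -noout >/dev/null 2>&1 \
    || { echo "FAIL: $cert is not a PEM certificate"; return 1; }

  # Step 1: the private key must belong to this certificate (compare public keys).
  certpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
  keypub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ -n "$keypub" ] && [ "$certpub" = "$keypub" ] \
    || { echo "FAIL: private key does not match certificate"; return 1; }

  # Step 2: not expired (-checkend 0 fails if the notAfter date has passed).
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 \
    || { echo "FAIL: certificate is expired"; return 1; }

  # Step 2: Extended Key Usage must contain Client Authentication
  # (OID 1.3.6.1.5.5.7.3.2, printed by openssl as "TLS Web Client Authentication").
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | grep -A1 'X509v3 Extended Key Usage' \
    | grep -q 'TLS Web Client Authentication' \
    || { echo "FAIL: Extended Key Usage lacks Client Authentication"; return 1; }

  # Step 3: the chain must end at the CA the Docker daemon trusts, and the
  # certificate must be usable for the client side of TLS.
  openssl verify -CAfile "$ca" -purpose sslclient "$cert" >/dev/null 2>&1 \
    || { echo "FAIL: certificate does not verify against $ca as a client cert"; return 1; }

  echo "OK: $cert is a valid client credential for CA $ca"
  return 0
}

# make_fixtures DIR: constructed test material (assumption, not real credentials).
# Produces ca.pem, key.pem, cert.pem (clientAuth EKU) and server-only.pem
# (serverAuth EKU only, the shape that triggers bad_certificate on the host).
make_fixtures() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=example-ca" \
    -keyout "$dir/ca-key.pem" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example-client" \
    -keyout "$dir/key.pem" -out "$dir/client.csr" >/dev/null 2>&1
  printf 'extendedKeyUsage = clientAuth\n' > "$dir/good.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$dir/good.ext" -out "$dir/cert.pem" >/dev/null 2>&1
  printf 'extendedKeyUsage = serverAuth\n' > "$dir/bad.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca-key.pem" \
    -CAcreateserial -days 1 -extfile "$dir/bad.ext" -out "$dir/server-only.pem" >/dev/null 2>&1
}

# Usage with real files (paths are assumptions):
#   check_client_cert /path/to/cert.pem /path/to/key.pem /path/to/ca.pem
# Demo with constructed fixtures when run directly:
if [ "${DEMO:-0}" = "1" ]; then
  d=$(mktemp -d)
  make_fixtures "$d"
  check_client_cert "$d/cert.pem" "$d/key.pem" "$d/ca.pem"
  check_client_cert "$d/server-only.pem" "$d/key.pem" "$d/ca.pem"
  rm -rf "$d"
fi
```

A credential that passes every check here but is still rejected by the host with bad_certificate points at the CA side (the host was started with a different tlscacert), which is what step 3 of the workaround asks you to confirm; a General SSLEngine problem is the reverse direction, and the same verify command, run against the host's server certificate with the CA you expect it to chain to, is the check for step 4.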