A full resolution will be included with upcoming releases of VMware Aria Operations (SaaS) and VMware Aria Operations 8.14.x. Follow the Workaround section for the temporary resolution.
Workaround:
To fix the issue, modify the haproxy.cfg file to include the SNI extension.
- Log in to the Cloud Proxy as root via SSH or Console.
- Run the following command to open /etc/haproxy/haproxy.cfg in a text editor:
vi /etc/haproxy/haproxy.cfg
- Press i to enter insert mode.
- Modify the lines at the end of the file that start with server VROPS to include the SNI check:
Example Original Line: server VROPS_0 gateway_fqdn:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem sni str(11229.gw.staging.vrops-ops.com)
Example Modified Line: server VROPS_0 gateway_fqdn:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
Example:
The following example shows a 3 Analytic node cluster with the modified configuration lines:
server VROPS_0 192.168.3.10:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
server VROPS_1 192.168.3.20:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
server VROPS_2 192.168.3.30:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
- Run the following command to restart the haproxy, httpd-north, vmware-casa and collector services:
service haproxy restart; service httpd-north restart; service vmware-casa restart; service collector restart
Important: Changes made with the workaround steps are lost after a reboot of the Cloud Proxy, and the workaround steps will need to be reapplied.
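
Because the edit does not survive a reboot of the Cloud Proxy, a check of the server VROPS lines shows whether it has to be reapplied. The script below is an added example, not VMware tooling or part of the procedure above; the function names, the sample addresses and gw.example.invalid are constructed, and it assumes the options are separated by single spaces as in the example lines.

```shell
#!/bin/sh
# Added example, not VMware tooling. It only looks at "server VROPS" lines,
# the ones the workaround edits, and never writes to the file it is given.

# Constructed sample: VROPS_0 already modified, VROPS_1 still in original form.
sample_cfg() {
    opts='check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem'
    host='gw.example.invalid'   # placeholder gateway name
    printf 'backend demo\n'
    printf 'server VROPS_0 192.0.2.10:443 %s check-sni %s sni str(%s) check\n' "$opts" "$host" "$host"
    printf 'server VROPS_1 192.0.2.20:443 %s sni str(%s)\n' "$opts" "$host"
}

# Print the name of every server VROPS line whose check-sni is absent or
# differs from its own sni str(...) value. No output means nothing to reapply.
missing_check_sni() {
    awk '$1 == "server" && $2 ~ /^VROPS/ {
        host = ""
        if (match($0, /sni str\([^)]*\)/))
            host = substr($0, RSTART + 8, RLENGTH - 9)   # text inside str(...)
        if (host == "" || index($0, " check-sni " host " ") == 0)
            print $2
    }' "$1"
}

# Print the config to stdout with the workaround applied to lines that lack it.
add_check_sni() {
    sed '/^[[:space:]]*server[[:space:]]\{1,\}VROPS/{
/check-sni/!s/ sni str(\([^)]*\))[[:space:]]*$/ check-sni \1 sni str(\1) check/
}' "$1"
}

# Demo on the constructed sample; pass a real path instead to check that file.
cfg=${1:-}
if [ -z "$cfg" ]; then
    cfg=$(mktemp) && sample_cfg > "$cfg"
fi
echo "Lines needing the workaround:"; missing_check_sni "$cfg"
```

Run with /etc/haproxy/haproxy.cfg as the argument, the script lists the server names that still need the edit; add_check_sni prints a patched copy for review instead of changing the file in place.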