How to Include SNI extension in SSL handshake of VMware Aria Operations Cloud Proxy
Article ID: 341373
Updated On:
Products
VMware Aria Suite
Issue/Introduction
Symptoms:
You may experience one or more of the following symptoms:
You may experience one or more of the following symptoms:
- After deployment, the Cloud Proxy does not appear in the Product UI of VMware Aria Operations.
- Cloud Proxies intermittently show as offline.
- The /var/log/haproxy-admin.log file on the Cloud Proxy contains Layer 6 errors, such as timeouts, handshake failures, etc.
- After restarting the haproxy service, the /var/log/haproxy-admin.log continues to show Layer 6 errors.
Environment
VMware Aria Operations 8.12.x
VMware Aria Operations 8.14.x
VMware Aria Operations 8.14.x
Cause
Some firewalls may be configured to check for the existence of the SNI extension in the client-hello request (SSL handshake) with appropriate FQDN (tenant endpoint).
When the Cloud Proxy does not contain the SNI extension, the firewall may drop the network connection resulting in the Cloud Proxy being unable to connect to the VMware Aria Operations cluster.
When the Cloud Proxy does not contain the SNI extension, the firewall may drop the network connection resulting in the Cloud Proxy being unable to connect to the VMware Aria Operations cluster.
Resolution
A full resolution will be included with upcoming releases of VMware Aria Operations (SaaS) and VMware Aria Operations 8.14.x. Follow the Workaround section for the temporary resolution.
Workaround:
To fix the issue, modify the haproxy.cfg file to include the SNI extension.
Example:
The following example shows a 3 Analytic node cluster with the modified configuration lines:
server VROPS_0 192.168.3.10:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
server VROPS_1 192.168.3.20:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
server VROPS_2 192.168.3.30:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
Important: Using the workaround steps will result in the changes being lost after a reboot of the Cloud Proxy, and the workaround steps will need to be reapplied.
Workaround:
To fix the issue, modify the haproxy.cfg file to include the SNI extension.
- Log into the Cloud Proxy as root via SSH or Console.
- Run the following command to open /etc/haproxy/haproxy.cfg in a text editor:
vi /etc/haproxy/haproxy.cfg
- Press i to enter insert mode.
- In the lines at the end of the file that start with server VROPS, modify them to include the SNI check:
Example Original Line: server VROPS_0 gateway_fqdn:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem sni str(11229.gw.staging.vrops-ops.com)
Example Modified Line: server VROPS_0 gateway_fqdn:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
Example Modified Line: server VROPS_0 gateway_fqdn:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
Example:
The following example shows a 3 Analytic node cluster with the modified configuration lines:
server VROPS_0 192.168.3.10:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
server VROPS_1 192.168.3.20:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
server VROPS_2 192.168.3.30:443 check resolvers resolvernameservers init-addr last,libc,none ssl verify required ca-file /storage/vcops/user/conf/ssl/haproxy.ca.pem check-sni 11229.gw.staging.vrops-ops.com sni str(11229.gw.staging.vrops-ops.com) check
- Run the following command to restart the haproxy , httpd-north, vmware-casa and collector services:
service haproxy restart; service httpd-north restart; service vmware-casa restart; service collector restart
Important: Using the workaround steps will result in the changes being lost after a reboot of the Cloud Proxy, and the workaround steps will need to be reapplied.
Additional Information
Impact/Risks:
Using the workaround steps will result in the changes being lost after a reboot of the Cloud Proxy.
A full resolution will be included with upcoming releases of VMware Aria Operations (SaaS) and VMware Aria Operations 8.14.x.
Using the workaround steps will result in the changes being lost after a reboot of the Cloud Proxy.
A full resolution will be included with upcoming releases of VMware Aria Operations (SaaS) and VMware Aria Operations 8.14.x.
Feedback
Yes
No
Powered by
