When using the li-reset-admin-passwd.sh command in an environment that uses custom certificates, the following error occurs.
FAILED: Unable to get user data. Possible cassandra is down.
ERROR: Unable to get salt
Also, the output of the command below is as shown.
# openssl x509 -noout -purpose -in /usr/lib/loginsight/application/etc/certs/cluster.pem | grep '^SSL \(server\|client\) :'
SSL client : No
SSL server : Yes
Other symptoms
All other Log Insight internal and external certificates are in good condition, not corrupted, and not expired.
The gss2.txt file contains the following error:
Validity of certificate:
Could not read certificate from /storage/core/loginsight/cidata/cassandra/config/cacert.pem
Unable to load certificate
The runtime.log file may contain the following error:
[DATES] ["netty-event-loop-103"/<IP address> ERROR] [play.core.server.netty.PlayRequestHandler] [Exception caught in Netty]
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
Aria Operations for Logs 8.18
When the certificate is replaced with a custom one, the certificate in the truststore is replaced at the same time.
* The certificate in the truststore is used only for troubleshooting purposes, such as li-reset-admin-passwd.sh.
This is a known issue. The fix will be available in a future release.
Workaround:
Replace the truststore certificate with the default certificate.
sed -n '/-----BEGIN.*CERTIFICATE-----/,/-----END.*CERTIFICATE-----/p' /usr/lib/loginsight/application/etc/certs/default.pem > /storage/core/loginsight/cidata/cassandra/config/cacert.pem
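
A guarded form of the workaround, as an added example that is not part of the original article or the product's own tooling. It keeps a copy of the current truststore, refuses to write when the extracted data has no certificate block or still contains private-key material (possible when a certificate block in the source is unterminated), and then overwrites the file in place as the redirect above does. The function names, the .bak suffix and the --apply switch are assumptions; the paths are the ones given above.

```shell
#!/bin/sh
# Added example: function names, the .bak suffix and --apply are hypothetical.
# Paths are the ones given in the article.
DEFAULT_PEM=/usr/lib/loginsight/application/etc/certs/default.pem
TRUSTSTORE=/storage/core/loginsight/cidata/cassandra/config/cacert.pem

# Print only the certificate blocks of a PEM bundle (same sed expression as
# the workaround), so key blocks in the source are not copied.
extract_certs() {
    sed -n '/-----BEGIN.*CERTIFICATE-----/,/-----END.*CERTIFICATE-----/p' "$1"
}

# refresh_truststore [source.pem] [truststore.pem]
# Returns 0 on success, 1 if the source yields no certificate block,
# 2 if the extracted data still contains private-key material.
refresh_truststore() {
    src=${1:-$DEFAULT_PEM}
    dst=${2:-$TRUSTSTORE}
    tmp=$(mktemp) || return 1

    extract_certs "$src" > "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
    if ! grep -q -- '-----BEGIN.*CERTIFICATE-----' "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # An unterminated certificate block makes the sed range run to end of
    # file, which can pull a following key block into the output.
    if grep -q -- 'PRIVATE KEY-----' "$tmp"; then
        rm -f "$tmp"; return 2
    fi

    # Keep the current truststore so the change can be rolled back.
    if [ -f "$dst" ]; then
        cp -p "$dst" "$dst.bak" || { rm -f "$tmp"; return 1; }
    fi
    # Overwrite in place, like the original redirect, so owner and mode stay.
    cat "$tmp" > "$dst"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Touch the real files only when asked to: sh refresh-truststore.sh --apply
case "${1:-}" in
    --apply) refresh_truststore && echo "truststore refreshed: $TRUSTSTORE" ;;
esac
```

To roll back, copy cacert.pem.bak over cacert.pem.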