Error "x509: certificate signed by unknown authority" occurs when registering Controller to Pulse portal with Proxy

Article ID: 401754

Products

VMware Avi Load Balancer

Issue/Introduction

  • When attempting to register an Avi Controller to the Pulse portal in an environment where a proxy server is configured, users may encounter an error message stating: "x509: certificate signed by unknown authority".

Environment

This issue is observed in Avi Controller deployments where:

  • The Controller is configured to use a proxy server under SystemConfiguration.
  • The proxy server performs TLS termination.
  • The Controller attempts to register with the Avi Pulse portal.

Cause

  • The "x509: certificate signed by unknown authority" error occurs because the Avi Controller expects to receive and validate the genuine TLS certificate of the Pulse portal server. However, due to the proxy server's TLS termination, the Controller instead receives the proxy server's certificate. 
  • Since the proxy server's certificate is typically self-signed or signed by an internal Certificate Authority (CA) not trusted by the Avi Controller by default, the Controller fails to validate it, leading to the "unknown authority" error.
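The wording of that error is Go's crypto/x509 UnknownAuthorityError. The following Go program is an added example, not Avi or Pulse code: it serves a constructed self-signed certificate standing in for the proxy's from a local TLS listener, shows that a client with only the default roots fails with exactly this error, and that the same handshake succeeds once that certificate is in the client's root pool. The names NewProxyCert, UnknownAuthority and the "proxyserver-fqdn" subject are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewProxyCert builds a constructed self-signed certificate standing in for the proxy's own cert.
func NewProxyCert() (tls.Certificate, *x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "proxyserver-fqdn"}, // placeholder name, as in the KB
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest serves on 127.0.0.1
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, leaf, err
}

// UnknownAuthority reports whether a client trusting only roots (nil = system roots, as in a default Go client) fails with x509.UnknownAuthorityError against a server presenting cert; err is the raw handshake error, nil on success.
func UnknownAuthority(cert tls.Certificate, roots *x509.CertPool) (bool, error) {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.StartTLS()
	defer srv.Close()
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(), &tls.Config{RootCAs: roots})
	if err == nil {
		conn.Close() // handshake verified the chain: the presented cert is trusted by roots
		return false, nil
	}
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua), err
}
```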

Resolution

Step 1: Check the proxy configuration on the Avi Controller

Confirm that a proxy is configured in the Avi services configuration; the relevant fields in the output look like this:

[admin:]: > show albservicesconfig

    "proxy_configuration": {
        "host": "<proxyserver-fqdn>",
        "port": <proxyserver-port-number>
    },
    "split_proxy_configuration": {
        "host": "<proxyserver-fqdn>",
        "port": <proxyserver-port-number>
    },
    "use_split_proxy": true,

Step 2: Disable TLS certificate verification for Avi service configurations

  • To resolve this issue, disable TLS certificate verification for Avi service configurations. This tells the Controller not to validate the certificate presented by the proxy, allowing the connection to proceed.

// SSH into your Avi Controller and enter the shell

admin@:~$ shell
Login: admin
Password:

[admin:]: > configure albservicesconfig
[admin:]: albservicesconfig> no use_tls
[admin:]: albservicesconfig> save

  • After performing these steps, attempt to register your Controller to the Pulse portal again. The "x509: certificate signed by unknown authority" error should no longer occur.

Additional Information

  • Disabling use_tls in albservicesconfig affects certificate verification for all Avi service-related outbound connections. While this resolves the specific Pulse portal registration issue with a terminating proxy, it means the Controller will not perform certificate validation for these connections.
  • This configuration change does not affect the TLS settings of Virtual Services facing clients.
  • For detailed information on configuring proxies or Pulse integration, refer to the official documentation.