Health check shows an error for all the fleet appliances; gateway status(fail): Get "https://<IP>:9443/status": remote error: tls: unknown certificate authority

Article ID: 406136

Products

VMware Cloud on AWS
VMware HCX

Issue/Introduction

  • Running the health check from HCX Manager with "hc -d" shows an error for all the fleet appliances.

    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
                  Probe Health Checking               
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
    ...

    (ServiceMesh_<Appliance name>) : <IP>(9443)
      |-- icmp(success)
      |-- ssl connection(success)
      |-- ssl handshake(success)
      |-- gateway status(fail): Get "https://<IP>:9443/status": remote error: tls: unknown certificate authority
     |-- Appliance System Status: unknown
     |-- Peer Site Connectivity: down
     |-- WANOPT Status: down
      |-- WANOPT admin status      : unknown
      |-- WANOPT to IX connectivity: down
      |-- WANOPT e2e tunnel status : down
      |-- WANOPT mac               : unknown
      |-- WANOPT arptables entry   : unknown

    (ServiceMesh_<Appliance name>) : <IP>(9443)
      |-- icmp(success)
      |-- ssl connection(success)
      |-- ssl handshake(success)
      |-- gateway status(fail): Get "https://<IP>:9443/status": remote error: tls: unknown certificate authority
     |-- Appliance System Status: unknown
     |-- Peer Site Connectivity: down
     |-- WANOPT Status: down
      |-- WANOPT admin status      : unknown
      |-- WANOPT to IX connectivity: down
      |-- WANOPT e2e tunnel status : down
      |-- WANOPT mac               : unknown
      |-- WANOPT arptables entry   : unknown

  • No errors about the Service Mesh are shown in the UI.
  • IX/NE tunnels are all up in the UI but are reported as down by the HCX CCLI health check.

Environment

VMware HCX 4.11.0
VMware HCX 4.11.1
VMware HCX 9.0

Cause

The health check does not read the correct appliance information from the CCLI configuration data structure. Instead, it assumes the old default TLS certificate and key file locations.
As a result, it fails to retrieve status from the fleet appliances.

Resolution

This issue is resolved in VMware HCX 4.11.2 and later versions, available at Broadcom downloads.
If you are having difficulty finding and downloading software, please review the Download Broadcom products and software KB.

Additional Information

This issue has no impact beyond the health check.
Check the status of the service mesh in the GUI.
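
The following triage example is added here and is not part of the original article or of HCX. It parses "hc -d" output in the format shown above and marks an appliance as matching this article only when icmp, ssl connection and ssl handshake all succeed and the gateway status failure carries the TLS error shown. The appliance names and addresses in the sample are constructed, and the function names and verdict labels are assumptions.

```python
import re

# Constructed sample in the format shown above; names and addresses are placeholders.
SAMPLE = """\
(ServiceMesh_IX-I1) : 192.0.2.10(9443)
  |-- icmp(success)
  |-- ssl connection(success)
  |-- ssl handshake(success)
  |-- gateway status(fail): Get "https://192.0.2.10:9443/status": remote error: tls: unknown certificate authority
  |-- Peer Site Connectivity: down

(ServiceMesh_NE-I1) : 192.0.2.11(9443)
  |-- icmp(fail)
  |-- ssl connection(fail)
"""

HEADER = re.compile(r"^\s*\((?P<name>[^)]+)\)\s*:\s*(?P<ip>\S+)\((?P<port>\d+)\)\s*$")
PROBE = re.compile(r"^\s*\|--\s*(?P<probe>[^(:]+?)\((?P<result>success|fail)\)(?::\s*(?P<detail>.*))?\s*$")
SIGNATURE = "remote error: tls: unknown certificate authority"
LOWER_LAYERS = ("icmp", "ssl connection", "ssl handshake")

def parse(text):
    """Return {appliance: {probe: (result, detail)}} for each appliance block."""
    blocks, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = blocks.setdefault(m["name"], {})
        elif current is not None and (m := PROBE.match(line)):
            current[m["probe"].strip()] = (m["result"], m["detail"] or "")
    return blocks

def classify(probes):
    """'known-issue' only when every lower-layer probe passed and the gateway
    status failure carries this article's TLS error; otherwise 'investigate'."""
    reachable = all(probes.get(p, ("missing", ""))[0] == "success" for p in LOWER_LAYERS)
    result, detail = probes.get("gateway status", ("missing", ""))
    if reachable and result == "fail" and SIGNATURE in detail:
        return "known-issue"
    if reachable and result == "success":
        return "healthy"
    return "investigate"

def triage(text):
    return {name: classify(p) for name, p in parse(text).items()}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name}: {verdict}")
```

A known-issue verdict only means the failure matches this article's signature; the service mesh status in the GUI remains the reference, and any block marked investigate should be treated as a real failure until shown otherwise.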