Cluster configuration failed while updating the Secure Channel certificate with the EC (SECP384R1) algorithm

Article ID: 426975

Products

VMware Avi Load Balancer

Issue/Introduction

  • When creating a Secure Channel certificate using Algorithm: EC and Key Size: SECP384R1 and applying it to a single AVI Controller node, the certificate update completes successfully.
  • The certificate details (algorithm and key size) can be verified under: Templates > Security > SSL/TLS Certificates

  • The Secure Channel certificate applied to the controller can be verified under: Administration > System Settings > Access > Secure Channel SSL/TLS Certificate

  • When adding a follower node to create a three-node controller cluster under Administration > Controller > Nodes, cluster formation fails and the AVI Controller GUI displays the following error:
    Cluster configuration failed. Unable to add node <Node-Name>: Node failed to establish trust with Leader. Clean reboot node(s) and ensure network connectivity is good for SSH and HTTPs (port 8443) from the node

Environment

VMware Avi Load Balancer

  • 22.1.x
  • 30.1.x
  • 30.2.x
  • 31.1.x

Cause

  • Envoy version v1.26.6, used in AVI Controller versions prior to 31.2.1, supports only ECDSA P-256 certificates.
  • On the leader controller, Envoy fails to reload the Secure Channel certificate with the error “only P-256 ECDSA certificates are supported”, because the certificate uses the unsupported algorithm EC (SECP384R1 / ECDSA P-384).
    • Log path on the leader controller: /var/log/envoy/envoy_system.log

  • During cluster formation, the follower controller fails to establish Secure Channel communication with the leader due to a TLS handshake failure (“Ssl handshake failed”).
    • Log path on the follower controller: /var/lib/avi/log/portal-webapp.log

    • Log path on the follower controller: /var/log/upstart/aviportal.log

Resolution

Workaround

  • Use a Secure Channel certificate with a supported algorithm such as EC (SECP256R1) or RSA, then retry cluster formation.
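As a pre-flight check before applying a Secure Channel certificate or retrying cluster formation, the following added example (not part of this article or the Avi product) reads a PEM or DER certificate, walks its DER just far enough to reach SubjectPublicKeyInfo, and reports the key algorithm or named curve together with whether the Envoy build named in Cause would reload it. The version-to-curve table encodes only the two Envoy releases the article names (v1.26.6 and v1.33.2); `constructed_cert` builds certificate-shaped sample input so the check runs offline and is not a real certificate.

```python
import base64, re

# Curve support the article describes: Envoy v1.26.6 reloads only P-256; v1.33.2 adds P-384 and P-521.
ENVOY_CURVES = {"1.26.6": {"prime256v1"}, "1.33.2": {"prime256v1", "secp384r1", "secp521r1"}}
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "ecPublicKey",
        "1.2.840.10045.3.1.7": "prime256v1",    # SECP256R1 / P-256
        "1.3.132.0.34": "secp384r1",            # SECP384R1 / P-384
        "1.3.132.0.35": "secp521r1"}            # SECP521R1 / P-521

def _tlv(buf, pos):                                # one DER tag-length-value -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(value):                              # elements of a constructed DER value
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(raw):                                     # OID content bytes -> dotted form
    parts, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [acc], 0
    return ".".join(map(str, parts))

def key_algorithm(cert):
    """Return 'rsaEncryption' or the curve name from the certificate's SubjectPublicKeyInfo."""
    if cert.lstrip().startswith(b"-----"):         # PEM -> DER
        cert = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", cert))
    tbs = _children(_children(_tlv(cert, 0)[1])[0][1])      # tbsCertificate fields
    tbs = tbs[1:] if tbs[0][0] == 0xA0 else tbs    # drop the optional [0] version field
    alg = _children(_children(tbs[5][1])[0][1])    # serial, sigAlg, issuer, validity, subject, SPKI
    names = [OIDS.get(_oid(v), _oid(v)) for t, v in alg if t == 0x06]
    return names[1] if names[0] == "ecPublicKey" else names[0]

def envoy_accepts(alg, envoy_version="1.26.6"):
    """Would this Envoy build reload a Secure Channel certificate with this key type?"""
    return alg == "rsaEncryption" or alg in ENVOY_CURVES[envoy_version]

def constructed_cert(alg_id_hex):
    """Certificate-shaped DER whose SPKI AlgorithmIdentifier content is alg_id_hex; constructed sample, not a real cert."""
    d = lambda tag, payload: bytes([tag, len(payload)]) + payload   # short-form lengths suffice here
    alg = d(0x30, bytes.fromhex(alg_id_hex))
    spki, empty = d(0x30, alg + d(0x03, b"\x00\x04")), d(0x30, b"")
    tbs = d(0x30, d(0xA0, d(0x02, b"\x02")) + d(0x02, b"\x01") + empty * 4 + spki)
    return d(0x30, tbs + empty + d(0x03, b"\x00"))
```

For a real certificate, pass `open(path, "rb").read()` to `key_algorithm`; a result of `secp384r1` or `secp521r1` with `envoy_accepts(..., "1.26.6")` returning False is exactly the condition that produces the reload error above.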

Resolution

  • This issue is fixed in:
  • These versions include Envoy v1.33.2, which supports EC (SECP384R1) and EC (SECP521R1) certificates.