"Failure when writing TLS control frames" returned when attempting Tanzu Net Refresh Token in Tanzu Hub configured with Proxy


Article ID: 438630


Products

VMware Tanzu Platform - Hub

Issue/Introduction

  • When Tanzu Hub 10.4 is configured to use a proxy, submitting the Tanzu Net Refresh Token to view Foundation -> Manage -> Capabilities in the Hub UI fails with an error.
  • The error returned is: "An unexpected error occurred during credential validation: failure when writing TLS control frames"



  • Logs from the graphql-rest-provider-service pods show the same error message and give further details on the response returned from the proxy server:

    16:47:04.236Z [thread='reactor-http-epoll-2' user='6c4b3dfa' org='########-####-####-####-e47be4eea9c3' trace='69ef93083b836892e6b3782f4122e125'] ERROR com.vmware.ensemble.rest.warehouse.provider.tanzunet.TanzuNetProductDownloadProvider - Unexpected error during credential validation: An unexpected error occurred during credential validation: failure when writing TLS control frames

    16:47:04.239Z [thread='reactor-http-epoll-2' user='6c4b3dfa' org='########-####-####-####-e47be4eea9c3' trace='69ef93083b836892e6b3782f4122e125'] WARN reactor.netty.http.client.HttpClientConnect - [73b39173, L:/<POD_IP_ADDRESS>:59374 - R:<PROXY_FQDN>/<PROXY_IP_ADDRESS>:<PROXY_PORT>] The connection observed an error

    javax.net.ssl.SSLException: failure when writing TLS control frames

  • Below the initial error, the cause will be presented:

    Caused by: io.netty.handler.proxy.ProxyConnectException: http, none, <PROXY_FQDN>/<PROXY_IP_ADDRESS>:<PROXY_PORT> => network.tanzu.vmware.com/<unresolved>:443, io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed with error(-104): Connection reset by peer


  • To view the graphql-rest-provider-service pod logs, use the following steps:
    1. SSH into the registry VM in the Tanzu Hub deployment (the VM preconfigured with kubectl and permissions).

    2. View logs after reproducing the Token validation:

      # kubectl logs -n tanzusm -l app=graphql-rest-provider-service --tail=-1 | less

    3. To find the messages specific to token validation, grep the output for: TanzuNetProductDownloadProvider
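
The log search in step 3, as an added example (not part of the original article or any VMware tooling): a shell function that reads the pod logs on stdin and reports whether both halves of the signature quoted above are present, the TLS control-frame error from TanzuNetProductDownloadProvider and the proxy CONNECT reset. The function names and the sample log text are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: classify graphql-rest-provider-service log text against the
# error signature described in this article. Reads log text on stdin.
#
# Prints one of:
#   MATCH target=<host>  - TLS control-frame error AND proxy CONNECT reset seen
#   PARTIAL              - TLS control-frame error only (no proxy reset cause)
#   NONE                 - neither message seen
classify_hub_proxy_logs() {
  awk '
    /TanzuNetProductDownloadProvider/ && /failure when writing TLS control frames/ {
      tls = 1
    }
    /ProxyConnectException/ && /Connection reset by peer/ {
      reset = 1
      # The CONNECT target follows "=> " and ends at the next comma.
      if (match($0, "=> [^,]+"))
        target = substr($0, RSTART + 3, RLENGTH - 3)
    }
    END {
      if (tls && reset) print "MATCH target=" target
      else if (tls)     print "PARTIAL"
      else              print "NONE"
    }'
}

# Constructed sample, modelled on the log lines quoted in this article
# (placeholders kept as placeholders; user/org/trace fields omitted).
sample_logs() {
  cat <<'EOF'
16:47:04.236Z [thread='reactor-http-epoll-2'] ERROR com.vmware.ensemble.rest.warehouse.provider.tanzunet.TanzuNetProductDownloadProvider - Unexpected error during credential validation: An unexpected error occurred during credential validation: failure when writing TLS control frames
javax.net.ssl.SSLException: failure when writing TLS control frames
Caused by: io.netty.handler.proxy.ProxyConnectException: http, none, <PROXY_FQDN>/<PROXY_IP_ADDRESS>:<PROXY_PORT> => network.tanzu.vmware.com/<unresolved>:443, io.netty.channel.unix.Errors$NativeIoException: recvAddress(..) failed with error(-104): Connection reset by peer
EOF
}

# Live use on the registry VM (same kubectl command as step 2):
#   kubectl logs -n tanzusm -l app=graphql-rest-provider-service --tail=-1 \
#     | classify_hub_proxy_logs
```

A PARTIAL result means the TLS error is present without the proxy reset as its cause, so the Cause section below may not apply.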

Environment

First release of Tanzu Hub 10.4, with Proxy configured

Cause

This error occurs when both the HTTP proxy and the HTTPS proxy have been configured in the Tanzu Hub tile. In initial versions of the Tanzu Hub 10.4 release, when an HTTPS proxy is configured, the internal SSL Handler is used and is treated as the HTTPS proxy server. As a result, the internal application components fail to complete the SSL handshake via the proxy.

Resolution

This will be resolved in the first patch release of Tanzu Hub 10.4.

 

Workaround:

  • Leave the HTTPS proxy value blank in the Tanzu Hub -> Proxy Settings tab.
  • Instead, ONLY fill out the HTTP proxy value.
  • Apply Changes from the Opsman UI after modifying and saving the Proxy Settings in the Tanzu Hub tile.

 

This will bypass the internal SSL Handler and allow the HTTP proxy to be used for external communications.