Pivotal Knowledge Base

GoRouter job fails during Pivotal Cloud Foundry 1.10 upgrade

Environment

Product                        Version
Pivotal Cloud Foundry (PCF)    1.9, 1.10

Symptom

While attempting to upgrade to Pivotal Cloud Foundry (PCF) 1.10, the Elastic Runtime update fails with the following error:

Started updating instance router > router/8ab15a9d-6be3-4cd5-aeac-075b68c040cb (0) (canary). Failed: 'router/0 (8ab15a9d-6be3-4cd5-aeac-075b68c040cb)' is not running after update. Review logs for failed jobs: gorouter (00:08:23)

Error 400007: 'router/0 (8ab15a9d-6be3-4cd5-aeac-075b68c040cb)' is not running after update. Review logs for failed jobs: gorouter

Task 3532 error

The GoRouter error logs also contain the following errors:

[2017-04-13 19:48:34+0000] /var/vcap/packages/gorouter/src/code.cloudfoundry.org/gorouter/main.go:59 +0x1b6b 
[2017-04-13 19:49:34+0000] panic: invalid cipher string configuration: TLS_RSA_WITH_AES_256_CBC_SHA, please choose from [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384] 

Cause

PCF 1.10 supports only a limited set of cipher suites, as described in this documentation. If the load balancer in the PCF environment is not configured with the listed cipher suites and SSL is terminated either at both the GoRouter and the load balancer or at the GoRouter, the PCF upgrade fails with the errors above. Additionally, adding cipher suites to the Elastic Runtime Router (GoRouter) through the Ops Manager UI is not supported: the GoRouter configuration does not pick up the additional cipher suites.

Resolution

Upgrade to Elastic Runtime 1.10.5 and add the additional cipher suites missing from the recommended list:

PCF Version: 1.10
TLS Version: 1.2
Supported Cipher Suites:
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Note: Please see related issue here.
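
A pre-upgrade check for the mismatch described under Cause, added here as an example (it is not Pivotal's or GoRouter's code): it flags router cipher entries outside the PCF 1.10 list and reports which listed suites the router and the load balancer both offer. The colon-separated cipher string format, the OpenSSL-style spellings for load balancer entries, and the names Classify and Shared are assumptions of this example.

```go
package main

import "fmt"
import "strings"

// Suites the page lists for PCF 1.10: IANA name -> OpenSSL spelling (assumed for load balancer configs).
var pcf110 = map[string]string{
	"TLS_DHE_RSA_WITH_AES_128_GCM_SHA256":   "DHE-RSA-AES128-GCM-SHA256",
	"TLS_DHE_RSA_WITH_AES_256_GCM_SHA384":   "DHE-RSA-AES256-GCM-SHA384",
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}

// Classify splits a colon-separated cipher string (assumed format) into listed suites, as IANA names, and the rest.
func Classify(list string) (listed, unlisted []string) {
	for _, name := range strings.Split(strings.ToUpper(strings.ReplaceAll(list, " ", "")), ":") {
		for iana, openssl := range pcf110 {
			if name == openssl {
				name = iana // normalize the OpenSSL spelling to the IANA name
			}
		}
		if _, ok := pcf110[name]; ok {
			listed = append(listed, name)
		} else if name != "" {
			unlisted = append(unlisted, name)
		}
	}
	return listed, unlisted
}

// Shared returns, in router order, the listed suites offered by both configurations.
func Shared(router, lb string) (out []string) {
	fromRouter, _ := Classify(router)
	fromLB, _ := Classify(lb)
	for _, r := range fromRouter {
		for _, l := range fromLB {
			if r == l {
				out = append(out, r)
			}
		}
	}
	return out
}

func main() { // runs the check on constructed sample values, not taken from a real deployment
	router, lb := "TLS_RSA_WITH_AES_256_CBC_SHA:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "ECDHE-RSA-AES128-GCM-SHA256:AES256-SHA"
	_, unlisted := Classify(router)
	fmt.Println("router entries not on the list:", unlisted, "shared with load balancer:", Shared(router, lb))
}
```

An empty result from Shared means the two configurations have no listed suite in common, and any entry returned as unlisted is one the router would reject in the same way as the panic shown under Symptom.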
