|Pivotal Cloud Foundry (PCF)||1.9, 1.10|
While attempting to upgrade to Pivotal Cloud Foundry (PCF) 1.10, the Elastic Runtime update fails with the following error:
Started updating instance router > router/8ab15a9d-6be3-4cd5-aeac-075b68c040cb (0) (canary). Failed: 'router/0 (8ab15a9d-6be3-4cd5-aeac-075b68c040cb)' is not running after update. Review logs for failed jobs: gorouter (00:08:23)
Error 400007: 'router/0 (8ab15a9d-6be3-4cd5-aeac-075b68c040cb)' is not running after update. Review logs for failed jobs: gorouter
Task 3532 error
The GoRouter error logs also contain the following errors:
[2017-04-13 19:48:34+0000] /var/vcap/packages/gorouter/src/code.cloudfoundry.org/gorouter/main.go:59 +0x1b6b
[2017-04-13 19:49:34+0000] panic: invalid cipher string configuration: TLS_RSA_WITH_AES_256_CBC_SHA, please choose from [TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]
PCF 1.10 supports only a limited set of cipher suites, as listed in this documentation. If the load balancer in the PCF environment is not configured with the listed cipher suites, and SSL is terminated either at both the GoRouter and the load balancer or at the GoRouter alone, the PCF upgrade fails with the errors above. Additionally, adding cipher suites to the Elastic Runtime Router (GoRouter) via the Ops Manager UI is not supported: the GoRouter configuration does not pick up the additional cipher suites.
Upgrade to Elastic Runtime 1.10.5 and add the additional cipher suites missing from the recommended list:
|PCF Version||TLS Version||Supported Cipher Suites|
Note: Please see related issue here.
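
A pre-upgrade check for the mismatch described above, as an added example that is not GoRouter's or Pivotal's own code: it sorts a configured cipher string into suites the router accepts, real suites it rejects (the panic case), and unrecognised names. The function names and the accepted separators (colon, comma, whitespace) are assumptions; the allowed set is copied from the panic message.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"strings"
)

// routerAllowed is the set named in the panic message quoted on this page.
var routerAllowed = map[string]bool{
	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": true,
	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": true,
}

// splitSuites breaks a cipher string into names (separators are an assumption).
func splitSuites(s string) []string {
	return strings.FieldsFunc(s, func(r rune) bool {
		return r == ':' || r == ',' || r == ' ' || r == '\t' || r == '\n'
	})
}

// knownToGo reports whether crypto/tls recognises the IANA name at all,
// which separates a typo from a real suite that is simply not allowed.
func knownToGo(name string) bool {
	for _, cs := range append(tls.CipherSuites(), tls.InsecureCipherSuites()...) {
		if cs.Name == name {
			return true
		}
	}
	return false
}

// CheckSuites classifies each configured name. An empty ok list for a load
// balancer's suites means it shares no suite with the router.
func CheckSuites(configured string) (ok, rejected, unknown []string) {
	for _, name := range splitSuites(configured) {
		switch {
		case routerAllowed[name]:
			ok = append(ok, name)
		case knownToGo(name):
			rejected = append(rejected, name)
		default:
			unknown = append(unknown, name)
		}
	}
	return ok, rejected, unknown
}

func main() {
	// Constructed sample input: one allowed suite plus the suite from the panic.
	ok, rejected, unknown := CheckSuites("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:TLS_RSA_WITH_AES_256_CBC_SHA")
	fmt.Println("accepted:", ok, "rejected:", rejected, "unknown:", unknown)
}
```

Run it against both the router's configured string and the load balancer's suite list before upgrading; any entry in the rejected or unknown lists needs to be resolved first.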