Pivotal Cloud Foundry: 1.10
Spring Cloud Services: 1.4
Running the deploy-service-broker errand in the Spring Cloud Services tile fails with the following error:
uaac target https://uaa.system.domain failed to access https://uaa.system.domain: Invalid SSL Cert for https://uaa.system.domain/login.
Use '--skip-ssl-validation' to continue with an insecure target
deploy-service-broker failed: exit status 1
This issue occurs when an operator has installed a privately signed certificate on the load balancer or HAProxy instance and has added the private root Certificate Authority chain to the "Trusted Certificates" field of the Ops Manager Director tile, which places those certificates in the OS trust store of every deployed VM. Spring Cloud Services 1.4 runs UAAC during broker deployment, and UAAC cannot find the private Certificate Authority, so it cannot validate the SSL certificate.
UAAC version 3.8 moved from "net/http" to "httpclient". httpclient reads its own bundled certificate store, "$RUBY_INSTALL_PATH/gems/2.3.0/gems/httpclient-2.7.1/lib/httpclient/cacert.pem", and does not find the OS-installed certificates; prior versions of UAAC do not have this problem. httpclient looks for the OS certificate store at the OpenSSL default path, which does not exist on the Ubuntu stemcell:
:~$ ruby -e "require 'openssl'; puts OpenSSL::X509::DEFAULT_CERT_FILE"
/usr/lib/ssl/cert.pem
A future release of UAAC will fix this issue. Spring Cloud Services pinned UAAC back to version 3.4.0 in SCS 1.4.1, so upgrading to SCS 1.4.1 allows the upgrade to succeed.
Disable SSL cert verification for the entire environment
Go to the Elastic Runtime tile -> Networking and check the box for "Disable SSL certificate verification for this environment." This turns off certificate verification for every component in the environment, not just SCS, so it is the broadest of the workarounds and should be reverted once the fix is applied.
Disable SSL cert verification only for SCS tile
- Edit the Spring Cloud Services manifest at "/var/tempest/workspaces/default/deployments/p-spring-cloud-services-<hash>.yml" and set every occurrence of skip_cert_verify to true
- Point the BOSH CLI at the modified SCS manifest
bosh deployment /var/tempest/workspaces/default/deployments/p-spring-cloud-services-<hash>.yml
- Run the deployment (bosh deploy)
- Run the deploy broker errand
bosh run errand deploy-service-broker
- From the Operations Manager web interface, disable the "deploy-service-broker" errand in the SCS tile. If the errand is run from Operations Manager, Ops Manager regenerates the manifest, which reverts the manual edits, and the errand fails again
This issue has been fixed with SCS 1.4.1.
If you hit the same error using the UAAC CLI on its own, any of the following options works around it while keeping SSL verification enabled:
- Create a soft link of the cert.pem to the actual OS installed certs file
sudo ln -s /etc/ssl/certs/ca-certificates.crt /usr/lib/ssl/cert.pem
- Set the SSL_CERT_FILE environment variable to the path of the OS-installed CA bundle (for example /etc/ssl/certs/ca-certificates.crt)
- Use the --ca-cert option in the UAAC CLI
uaac target --ca-cert /etc/ssl/certs/ca-certificates.crt https://uaa.system.domain
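To make the cause and the CLI workarounds concrete, here is an added Ruby example that is not part of this article, of UAAC or of httpclient. It reproduces the CA bundle lookup order a Ruby TLS client uses (SSL_CERT_FILE first, then OpenSSL's compiled-in default, then common distro paths), which on the stemcell resolves to nothing. It then builds an in-memory private CA and a UAA server certificate signed by it and verifies that certificate twice: with an empty trust store, which reproduces the "Invalid SSL Cert" failure, and with the private CA supplied as a bundle file, which is what --ca-cert and SSL_CERT_FILE achieve. The hostname uaa.system.example.com, the certificate subjects and the fallback path list are assumptions made for the example.

```ruby
require 'openssl'
require 'tempfile'

# Common OS CA bundle locations tried after OpenSSL's default (constructed list).
FALLBACK_BUNDLES = [
  '/etc/ssl/certs/ca-certificates.crt', # Debian/Ubuntu
  '/etc/pki/tls/certs/ca-bundle.crt',   # RHEL/CentOS
].freeze

# Mirror a Ruby TLS client's lookup: SSL_CERT_FILE wins, then the compiled-in
# OpenSSL default, then well-known distro paths. Returns nil when none exists,
# which is the stemcell situation (/usr/lib/ssl/cert.pem is absent).
def resolve_ca_bundle(env: ENV, default: OpenSSL::X509::DEFAULT_CERT_FILE,
                      fallbacks: FALLBACK_BUNDLES, exists: File.method(:file?))
  [env['SSL_CERT_FILE'], default, *fallbacks].compact.find { |path| exists.call(path) }
end

# Issue an X.509 certificate; self-signed when no issuer is given. Subjects and
# the SAN hostname are constructed for the example.
def make_cert(subject, key, serial:, ca:, issuer: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer ? issuer[:cert] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:uaa.system.example.com')) unless ca
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# A private root CA plus the UAA server certificate it signed, as an operator
# who fronts UAA with a privately signed certificate would have.
def build_private_ca_and_leaf
  ca_key  = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('/CN=Private Root CA', ca_key, serial: 1, ca: true)
  leaf    = make_cert('/CN=uaa.system.example.com', OpenSSL::PKey::RSA.new(2048),
                      serial: 2, ca: false, issuer: { cert: ca_cert, key: ca_key })
  [ca_cert, leaf]
end

# Verify the server certificate as a TLS client would. With neither a bundle
# file nor extra anchors the store is empty, which is what UAAC 3.8 ends up
# with on the stemcell; a bundle path is what --ca-cert / SSL_CERT_FILE supply.
def verify_leaf(leaf, ca_bundle_path: nil, extra_certs: [])
  store = OpenSSL::X509::Store.new
  store.add_file(ca_bundle_path) if ca_bundle_path
  extra_certs.each { |c| store.add_cert(c) }
  [store.verify(leaf), store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  puts "CA bundle this Ruby would use: #{resolve_ca_bundle.inspect}"
  ca_cert, leaf = build_private_ca_and_leaf
  p verify_leaf(leaf)                          # [false, "unable to get local issuer certificate"]
  Tempfile.create('private-ca') do |f|
    f.write(ca_cert.to_pem)
    f.flush
    p verify_leaf(leaf, ca_bundle_path: f.path) # [true, "ok"]
  end
end
```

On a stemcell VM the first line prints nil unless SSL_CERT_FILE is set or the cert.pem symlink from the first option exists; the two verification results show the same failure and recovery that UAAC goes through with and without --ca-cert.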