Pivotal Knowledge Base

Deploying Spring Cloud Services Broker fails with UAAC target error

Environment

Pivotal Cloud Foundry: 1.10

Spring Cloud Services: 1.4

Symptom

Running deploy service broker errand in Spring Cloud Services tiles results in the following error:

uaac target https://uaa.system.domain 
failed to access https://uaa.system.domain: Invalid SSL Cert for https://uaa.system.domain/login. 
Use '--skip-ssl-validation' to continue with an insecure target deploy-service-broker failed: exit status 1

Cause

This issue occurs when an operator installs a privately signed certificate on their load balancer or HAProxy instance and has also installed the root Certificate Authority chain into the "Trusted Certificates" field of the Director tile. Spring Cloud Services 1.4 uses UAAC during the broker deployment, and UAAC is not able to find the private Certificate Authority and therefore cannot trust the SSL certificate.

UAAC version 3.8 moved from "net/http" to "httpclient", which sources its certificate store from "$RUBY_INSTALL_PATH/gems/2.3.0/gems/httpclient-2.7.1/lib/httpclient/cacert.pem" and fails to find the OS-installed certificates. Prior versions of UAAC do not have this problem. httpclient attempts to find the OS-installed certificate store using the following path, which does not exist in the Ubuntu stemcell:

:~$ ruby -e "require 'openssl'; puts OpenSSL::X509::DEFAULT_CERT_FILE"
/usr/lib/ssl/cert.pem

Resolution

A future release of UAAC will have a fix for this issue. Spring Cloud Services downgraded its UAAC version to 3.4.0 in SCS version 1.4.1. Upgrading to version 1.4.1 of SCS will allow the upgrade to succeed.

Workaround 1

Disable SSL cert verification for the entire environment

Go to Elastic Runtime Tile -> Networking and check the box for "Disable SSL certificate verification for this environment."

Workaround 2 

Disable SSL cert verification only for SCS tile

  1. Modify the Spring Cloud Services manifest in "/var/tempest/workspaces/default/deployments/p-spring-cloud-services-<hash>.yml" and set all occurrences of skip_cert_verify to true
    skip_cert_verify: true
  2. Make sure to point the BOSH deployment at the modified SCS manifest
    bosh deployment /var/tempest/workspaces/default/deployments/p-spring-cloud-services-<hash>.yml
  3. Run the deployment
    bosh deploy
  4. Run the deploy broker errand
    bosh run errand deploy-service-broker
  5. From the Operations Manager web interface, disable the "deploy-service-broker" errand in the SCS tile. If the errand is executed from Operations Manager, it will revert the changes and fail to run.

This issue has been fixed with SCS 1.4.1.

Additional Information

If you are experiencing a similar issue with just the UAAC CLI, you can work around it using one of the following options and still keep SSL verification enabled:

  • Create a symbolic link from the missing cert.pem path to the actual OS-installed certificate bundle
    sudo ln -s /etc/ssl/certs/ca-certificates.crt /usr/lib/ssl/cert.pem
  • Set environment variable SSL_CERT_FILE to the path of the OS installed certs
    export SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
  • Use the --ca-cert option in the UAAC CLI
    uaac target --ca-cert /etc/ssl/certs/ca-certificates.crt https://uaa.system.domain
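The verification that fails in the errand is an OpenSSL trust-store check: httpclient loads a CA bundle and verifies the UAA server certificate against it, so a privately signed certificate only passes when the private root CA is in the bundle that was actually loaded. The following Ruby example (added here, not part of UAAC, httpclient, or the SCS tile) reproduces that check offline: it determines which CA bundle a UAAC process on the host would end up reading, builds a constructed private root CA plus a server certificate signed by it, and verifies the leaf against a chosen bundle file, which is the same effect the SSL_CERT_FILE and --ca-cert options above have. The hostname and the "Private Root CA" subject are constructed placeholders.

```ruby
require 'openssl'

# Which CA bundle would a UAAC/httpclient process on this host actually read?
# SSL_CERT_FILE wins, then OpenSSL's compiled-in default (/usr/lib/ssl/cert.pem on
# the stemcell, where it does not exist), then the Ubuntu system bundle. Returns nil
# when none of them is present, which is the situation the errand runs into.
def usable_ca_bundle(env = ENV)
  [env['SSL_CERT_FILE'], OpenSSL::X509::DEFAULT_CERT_FILE,
   '/etc/ssl/certs/ca-certificates.crt'].compact.find { |p| File.file?(p) }
end

# Build one X.509 v3 certificate (constructed test data, one hour of validity).
def make_cert(subject, issuer, key, signer_key, serial, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = OpenSSL::X509::Name.parse(issuer)
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(signer_key, OpenSSL::Digest.new('SHA256')) # returns the signed cert
end

# A private root CA and a UAA server certificate it signed, mirroring a privately
# signed load balancer certificate (the hostname is a constructed placeholder).
def private_ca_and_leaf(cn = 'uaa.system.example.test')
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('/CN=Private Root CA', '/CN=Private Root CA', ca_key, ca_key, 1, ca: true)
  leaf = make_cert("/CN=#{cn}", '/CN=Private Root CA', OpenSSL::PKey::RSA.new(2048), ca_key, 2)
  [ca, leaf]
end

# Verify the server certificate against a CA bundle file: the check httpclient runs
# before UAAC can talk to UAA. A missing bundle yields an empty store, so the leaf
# is rejected exactly as in the errand. Returns [trusted, error_string_or_nil].
def cert_trusted?(leaf, ca_file)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_file) if ca_file && File.file?(ca_file)
  ok = store.verify(leaf)
  [ok, ok ? nil : store.error_string]
end
```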
