Pivotal Knowledge Base


Elastic Runtime S3 blobstore configuration error: 'Unable to verify certificate'

Environment

Pivotal Cloud Foundry: 1.9, 1.10, 1.11

Symptom

When attempting to add an S3 Compatible blobstore to Ops Manager > Elastic Runtime > File Storage, saving the page or applying settings results in a failure of "Unable to verify certificate."

Error Message:

Errors::CertificateError SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) Unable to verify certificate 

Cause 

When you press the Save button or when you Apply Changes, Ops Manager attempts to validate the settings entered to ensure that they are correct. To validate the File Storage settings, Ops Manager will attempt to connect to the specified S3 compatible blobstore. Because the blobstore is not presenting a trusted certificate, Ops Manager is unable to make the connection and fails with the above error.

Resolution

First, confirm whether you are using a self-signed certificate when configuring S3. When using a self-signed CA, you need to add the custom certificate to the Ops Manager VM's trust store. After that, Ops Manager will be able to successfully validate the external S3 blobstore configuration.

 

Here are the steps to accomplish this.

 

  1. SSH to the Ops Manager VM. Run `ssh ubuntu@opsmanagerFQDN`.

  2. Run `sudo -i`. You'll be prompted again for the `ubuntu` user's password.

  3. Change directories with `cd /usr/local/share/ca-certificates/`

  4. Create a file in the current directory with the name s3-custom.crt and paste in the contents of the custom certificate (including the complete BEGIN & END CERTIFICATE lines).

    Ex:

    cat > s3-custom.crt
    <cursor will sit here -> paste in your cert & press ctrl+d to end input>

  5. Run `update-ca-certificates`. This will update the VM's list of trusted certificates.

  6. You should see a message that the certificate was added, like this:

    root@bosh-stemcell:/usr/local/share/ca-certificates# update-ca-certificates
    Updating certificates in /etc/ssl/certs... 1 added, 0 removed; done.
    Running hooks in /etc/ca-certificates/update.d....
    Adding debian:cert.pem
    done.
    done.

  7. Repeat the attempt to save the configuration or Apply Changes. Ops Manager should now be able to validate your custom certificate.
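The checks below are an added example, not part of the original article: they confirm that the pasted file is a usable PEM certificate before step 5 and that the blobstore endpoint verifies against the VM's trust store after step 6. The function names are hypothetical, `s3.example.internal` is a placeholder host, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the openssl CLI.
# Function names are hypothetical helpers, not Ops Manager tooling.

# cert_file_ok FILE
# Succeeds only if FILE contains a PEM certificate that openssl can parse and
# that has not expired. Prints subject, issuer and expiry date on success.
# Run it on /usr/local/share/ca-certificates/s3-custom.crt before step 5.
cert_file_ok() {
    grep -q 'BEGIN CERTIFICATE' "$1" ||
        { echo "no PEM BEGIN CERTIFICATE line in $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "unparseable or expired certificate: $1" >&2; return 1; }
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# chain_ok CA_FILE SERVER_CERT_FILE
# Succeeds only if the server certificate verifies against the CA file.
# A failure here is the same condition Ops Manager reports as
# "certificate verify failed". Matching on ": OK" avoids relying on the
# exit status of "openssl verify".
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# endpoint_ok HOST [PORT]
# After update-ca-certificates, succeeds only if the TLS handshake with the
# blobstore verifies against the VM trust store in /etc/ssl/certs.
# Needs network access to the endpoint, e.g.:
#   endpoint_ok s3.example.internal 443   (placeholder host)
endpoint_ok() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -CApath /etc/ssl/certs </dev/null 2>/dev/null |
        grep -q 'Verify return code: 0 (ok)'
}
```

`update-ca-certificates` only picks up PEM files in this directory whose names end in `.crt`, so a failed `cert_file_ok` or a different file extension explains a "0 added" result in step 6.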

 
