Pivotal Knowledge Base

Replication canary job fails when using a self-signed SSL certificate

Environment

  • Pivotal Cloud Foundry© 1.11 to 1.12
  • Elastic Runtime
  • CF-MySQL

Symptom

When deploying Elastic Runtime, you see the following error from the replication canary job:

 {"timestamp":"1503955776.123849869","source":"/var/vcap/packages/replication-canary/bin/replication-canary","message":"/var/vcap/packages/replication-canary/bin/replication-canary.uaa-client.fetch-token-from-uaa-start","log_level":1,"data":{"endpoint":{"Scheme":"https","Opaque":"","User":null,"Host":"uaa.run.[host]","Path":"/oauth/token","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":""},"session":"3"}}

{"timestamp":"1503955776.155642509","source":"/var/vcap/packages/replication-canary/bin/replication-canary","message":"/var/vcap/packages/replication-canary/bin/replication-canary.uaa-client.error-fetching-token","log_level":2,"data":{"error":"Post https://uaa.run.[host]/oauth/token: x509: certificate signed by unknown authority","session":"2"}}

Resolution

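Elastic Runtime components enforce strict SSL verification in PCF 1.11 and 1.12. Using a self-signed certificate can lead to the error above, because the replication canary's UAA client cannot chain the certificate to an authority it trusts.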

If you are not using SSL encryption or if you are using self-signed certificates, you can disable SSL verification in the Elastic Runtime tile configuration. From the Networking section, select the "Disable SSL certificate verification for this environment" check box. Selecting this check box also disables SSL verification for route services.

For production deployments, Pivotal does not recommend disabling SSL certificate verification.

See the following topics for information about configuring SSL certificates in your Elastic Runtime deployment:

 
