Pivotal Knowledge Base


Does your Pivotal Cloud Foundry® install exit during creates/updates/deletes of an app or with a 403?

Scenario 1:

If your Pivotal Cloud Foundry® (PCF) installation exits with a ' 403 => Net::HTTPForbidden', when trying to login to the console check that you have generated the RSA certificate correctly in the HA proxy configuration. This error generally occurs due to the Certificate authentication failure.


{"type": "step_finished", "id": "console.deploy"}

/home/tempest-web/tempest/web/vendor/bundle/ruby/1.9.1/gems/mechanize-2.7.2/lib/mechanize/http/agent.rb:306:in `fetch': 403 => Net::HTTPForbidden for https://login.api.x.y/oauth/authorizeresponse_type=code&client_id=portal&redirect_uri=https%3... -- unhandled response (Mechanize::ResponseCodeError)

Scenario 2:

If your PCF installation exits with a ' creates/updates/deletes an app (FAILED - 1)' error message with the following stack trace:



  1) App CRUD creates/updates/deletes an app
     Failure/Error: Unable to find matching line from backtrace
       Connection refused - connect(2)
If you get any of the above errors, please make sure that you have the wildcard character before each domain separated by a comma as shown in the image below. 

Enter your system and app domains in wildcard format, as well as optionally any custom domains, and click Save. Refer to Elastic Runtime > Cloud Controller for explanations of these domain values.




Also, as seen in step 10 of the PCF getting started guide, http://docs.gopivotal.com/pivotalcf/getstarted/gsg_pivotalcf.html users must point their domain to resolve to the HA proxy IP unless you are using you own load balancer and verify it as follows:


usxxvejalsm1:~ keelab$ nslookup gopaas.eu




Non-authoritative answer:

Name: gopaas.eu


In this example, is the HA proxy IP and ' gopaas.eu ' is the system and app domain. 


Powered by Zendesk