This troubleshooting guide provides a detailed process to diagnose and resolve SSL/TLS handshake failures due to certificate errors on OpsRamp NextGen Gateways. The steps will help you identify the cause of the disconnect, obtain the necessary certificates, and install them on the gateway to restore secure communication.
Tunnel Disconnect with Certificate Errors in NextGen Gateway
Follow the steps below to resolve tunnel disconnects caused by certificate errors in NextGen Gateway:
Step 1: Save Certificates to /root/custom-certs
- Create a Folder:
mkdir -p /root/custom-certs
- Navigate to the Folder:
cd /root/custom-certs
- Save Certificates:
- Save all the certificates in this folder with a .crt extension.
- Make sure that you save the certificates on all nodes.
Step 2: Import CA Certificates into the OS (Ubuntu)
- Copy Certificates:
sudo cp /root/custom-certs/*.crt /usr/local/share/ca-certificates/
- Update Certificates:
sudo update-ca-certificates
Note: Repeat this process on all nodes.
Step 3: Import CA Certificates into NextGen Gateway
- Create a ConfigMap:
cd /root/
kubectl create configmap custom-certs --from-file=custom-certs -n <namespace>
- Update the Helm Chart:
- If the gateway is already registered, pull and update the Helm chart:
helm pull oci://us-docker.pkg.dev/opsramp-registry/gateway-cluster-charts/nextgen-gw --version 1.6.0
helm upgrade nextgen-gw nextgen-gw-1.6.0.tgz -n <namespace>
- Note: The --version 1.6.0 and nextgen-gw-1.6.0.tgz values should match your specific gateway release.
- Register the Gateway (if not registered):
Follow the registration document if the gateway is not already registered.
Step 4: Update Existing Certificates
- Delete the Existing ConfigMap:
kubectl delete configmap custom-certs -n <namespace>
- Re-import the Certificates:
Follow Step 3 and the steps under “Import CA Certificates into the OS (Ubuntu)”.
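A pre-flight check to run on each node before Step 2 and Step 3, given here as an added example that is not part of the OpsRamp guide: it flags staged files that cannot serve as trust anchors (wrong extension, not PEM, unparsable, expired). The function names are hypothetical, and the script assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: pre-flight check for the CA files staged in Step 1.
# check_cert return codes: 0 ok, 1 not .crt, 2 not PEM, 3 unparsable, 4 expired.

check_cert() {
    # update-ca-certificates only picks up files whose name ends in .crt
    case "$1" in *.crt) ;; *) return 1 ;; esac
    # The trust store expects PEM text; a DER file renamed to .crt fails here
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" || return 2
    # Must parse as X.509 (catches truncated or pasted-over files)
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 3
    # -checkend 0 exits non-zero when notAfter is already in the past
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 4
    return 0
}

# Check every regular file in the directory, because Step 3's
# --from-file=custom-certs packages the regular files found there
# into the ConfigMap, not only the .crt files.
check_cert_dir() {
    ccd_dir="${1:-/root/custom-certs}"
    ccd_bad=0
    for ccd_f in "$ccd_dir"/*; do
        [ -f "$ccd_f" ] || continue
        ccd_rc=0
        check_cert "$ccd_f" || ccd_rc=$?
        case "$ccd_rc" in
            0) # The fingerprint lets you confirm every node holds the same file
               echo "OK   $ccd_f $(openssl x509 -in "$ccd_f" -noout -fingerprint -sha256)" ;;
            1) echo "BAD  $ccd_f: extension is not .crt" ;;
            2) echo "BAD  $ccd_f: no PEM certificate block (DER?)" ;;
            3) echo "BAD  $ccd_f: does not parse as X.509" ;;
            4) echo "BAD  $ccd_f: certificate has expired" ;;
        esac
        [ "$ccd_rc" -eq 0 ] || ccd_bad=1
    done
    return "$ccd_bad"
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_cert_dir "$1"
fi
```

Compare the printed SHA-256 fingerprints between nodes to confirm that each node staged the same CA files.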