CloudStack 4.11.1 Agent SSL Errors

[falcon78921]

ISSUE TYPE

• Bug Report

COMPONENT NAME

Apache CloudStack 4.11.1 Agent

CLOUDSTACK VERSION

Apache CloudStack 4.11.1

CONFIGURATION

Advanced Zone

OS / ENVIRONMENT

Ubuntu 16.04.5 LTS

SUMMARY

On a clean installation of Apache CloudStack 4.11.1, cloudstack-setup-agent doesn't generate the needed SSL information (e.g. cloud.jks) in /etc/cloudstack/agent. Similar to what Rohit says in: http://mail-archives.apache.org/mod_mbox/cloudstack-users/201803.mbox/%3CAM4PR07MB349069E1BA5FBD73FD97B1CCE9D00@AM4PR07MB3490.eurprd07.prod.outlook.com%3E

STEPS TO REPRODUCE

Running cloudstack-setup-agent on a fresh installation of cloudstack-agent.

EXPECTED RESULTS

The host should generate SSL information in order to communicate with management server. When adding hosts via CloudStack management, oddly enough, the hosts register. In some cases, CloudStack management also duplicates the host. I just remove the additional host record.

ACTUAL RESULTS

Instead, these errors occur:

2018-11-29 09:24:41,003 INFO  [utils.exception.CSExceptionErrorCode] (main:null) (logid:) Could not find exception: com.cloud.utils.exception.NioConnectionException in error code list for exceptions
2018-11-29 09:24:41,004 WARN  [cloud.agent.Agent] (main:null) (logid:) NIO Connection Exception  com.cloud.utils.exception.NioConnectionException: SSL Handshake failed while connecting to host: 10.10.13.180 port: 8250
2018-11-29 09:24:41,004 INFO  [cloud.agent.Agent] (main:null) (logid:) Attempted to connect to the server, but received an unexpected exception, trying again...
2018-11-29 09:24:46,004 INFO  [cloud.agent.Agent] (main:null) (logid:) Connecting to host:10.10.13.180
2018-11-29 09:24:46,005 INFO  [utils.nio.NioClient] (main:null) (logid:) Connecting to 10.10.13.180:8250
2018-11-29 09:24:46,007 INFO  [utils.nio.Link] (main:null) (logid:) Conf file found: /etc/cloudstack/agent/agent.properties
2018-11-29 09:24:46,009 WARN  [utils.nio.Link] (main:null) (logid:) Failed to load keystore, using trust all manager
2018-11-29 09:24:46,096 ERROR [utils.nio.Link] (main:null) (logid:) SSL error caught during unwrap data: Received fatal alert: bad_certificate, for local address=/10.10.15.26:49420, remote address=/10.10.13.180:8250. The client may have invalid ca-certificates.
2018-11-29 09:24:46,096 ERROR [utils.nio.NioClient] (main:null) (logid:) SSL Handshake failed while connecting to host: 10.10.13.180 port: 8250
2018-11-29 09:24:46,096 ERROR [utils.nio.NioConnection] (main:null) (logid:) Unable to initialize the threads.
java.io.IOException: SSL Handshake failed while connecting to host: 10.10.13.180 port: 8250
	at com.cloud.utils.nio.NioClient.init(NioClient.java:67)
	at com.cloud.utils.nio.NioConnection.start(NioConnection.java:95)
	at com.cloud.agent.Agent.start(Agent.java:294)
	at com.cloud.agent.AgentShell.launchNewAgent(AgentShell.java:455)
	at com.cloud.agent.AgentShell.launchAgentFromClassInfo(AgentShell.java:422)
	at com.cloud.agent.AgentShell.launchAgent(AgentShell.java:406)
	at com.cloud.agent.AgentShell.start(AgentShell.java:512)
	at com.cloud.agent.AgentShell.main(AgentShell.java:547)

WORKAROUND

Setup SSH on remote host. Add host via CloudStack UI. Don't use cloudstack-setup-agent directly.

[falcon78921]

I ran the cloudstack-setup-agent command as sudo too.

[rohityadavcloud]

@falcon78921 this is a known limitation. The certificates needs to be provisioned from the management server, if you want to add the KVM hosts manually. You may set the auth strictness to false in mgmt server (no need to restart mgmt server), then add the KVM host and set the auth strictness back to true, go to the host page and click the button to secure the host (or use provisionCertificate API). Its' documented in the admin docs under host/security. Kindly test and then close the ticket.