CloudPoint SSL Certificates Expire After One Year

CloudPoint SSL Certificates Expire After One Year

Article: 100045729
Last Published: 2019-06-12
Ratings: 1 0
Product(s): CloudPoint

Problem

The SSL certificates that CloudPoint's internal services need to communicate with each other are generated with a one-year lifetime when CloudPoint is first installed. It should automatically renew those certificates before they expire, but the code to do that doesn't work (C3PM-15243, STESC-3171). When the certificates expire, CloudPoint ceases to work.

This issue exists in all versions of CloudPoint from 2.0 through 2.2.1.

Error Message

1.       The customer installed CloudPoint a year or more ago.

2.       The customer may not be able to login to the CloudPoint console.

3.       If the customer is already logged in to the CloudPoint console, the UI shows busy spinners continuously as it tries to update the summary information.

4.       If the customer attempts to restart CloudPoint, it fails to start. “docker ps” shows several of the CloudPoint internal service containers continuously restarting.

5.       The CloudPoint logs show RabbitMQ and MongoDB connection errors like the following:

  • AMQPConnectionError: Connection to 172.18.0.3:5671 failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
  • AutoReconnect: flexsnap-mongodb:27017: [Errno -2] Name or service not known

These error messages may vary, but the parts highlighted in red are the key indicators of this problem.

Cause

The SSL certificates that CloudPoint's internal services need expires a year after deployment.

Solution

Download the diagnostic script cp_list_certs.sh, copy it to the customer’s CloudPoint server, and give it 755 permissions.

Run cp_list_certs.sh with no command line arguments to get a list of the CloudPoint SSL certificates and their expiration dates.
# ./cp_list_certs.sh

Here is an example of the output for one certificate. The last field, “notAfter” is the expiration date of the certificate.

coordinator.0.cert.pem

subject= /CN=coordinator.0/O=coordinator

notBefore=Aug 6 00:31:43 2019 GMT

notAfter=Aug 5 00:31:43 2020 GMT

 

If any of the certificates are expired or will expire soon, then contact technical support for assistance renewing the certificates.

References

JIRA : STESC-3171

Was this content helpful?