The SSL certificates that CloudPoint's internal services need to communicate with each other are generated with a one-year lifetime when CloudPoint is first installed. It should automatically renew those certificates before they expire, but the code to do that doesn't work (C3PM-15243, STESC-3171). When the certificates expire, CloudPoint ceases to work.
This issue exists in all versions of CloudPoint from 2.0 through 2.2.1.
1. The customer installed CloudPoint a year or more ago.
2. The customer may not be able to login to the CloudPoint console.
3. If the customer is already logged in to the CloudPoint console, the UI shows busy spinners continuously as it tries to update the summary information.
4. If the customer attempts to restart CloudPoint, it fails to start. “docker ps” shows several of the CloudPoint internal service containers continuously restarting.
5. The CloudPoint logs show RabbitMQ and MongoDB connection errors like the following:
AMQPConnectionError: Connection to 172.18.0.3:5671 failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)
AutoReconnect: flexsnap-mongodb:27017: [Errno -2] Name or service not known
These error messages may vary, but the parts highlighted in red are the key indicators of this problem.
The SSL certificates that CloudPoint's internal services need expires a year after deployment.
Download the diagnostic script cp_list_certs.sh, copy it to the customer’s CloudPoint server, and give it 755 permissions.
Run cp_list_certs.sh with no command line arguments to get a list of the CloudPoint SSL certificates and their expiration dates.
Here is an example of the output for one certificate. The last field, “notAfter” is the expiration date of the certificate.
notBefore=Aug 6 00:31:43 2019 GMT
notAfter=Aug 5 00:31:43 2020 GMT
If any of the certificates are expired or will expire soon, then contact technical support for assistance renewing the certificates.
Was this content helpful?
Rating submitted. Please provide additional feedback (optional):